On March 22, 2021, the Department of Commerce (“Commerce”) interim final rule to implement provisions of Executive Order 13873 on Securing the Information and Communications Technology and Services (ICTS) Supply Chain became effective. The interim final rule made several changes to the original proposed rule issued in November 2019. The interim final rule clarifies when Commerce will seek other agency consultation and the criteria to be considered when making a determination about whether a transaction is covered. The new rule also provides more details concerning the options available to affected parties, including how to negotiate a mitigation agreement.
A. Scope of Covered Transactions
The interim final rule defines an “ICTS Transaction” as “any acquisition, importation, transfer, installation, dealing in, or use of any [ICTS products] that has been designed, developed, manufactured, or supplied” by persons owned, controlled, subject to, or at the direction of foreign adversaries, which “poses certain undue or unacceptable risks.”
The scope of covered ICTS Transactions is broad and grants Commerce the power to review cross-border transactions in a way that sounds similar to, but is in some ways broader than, the authority of the Committee on Foreign Investment in the United States (CFIUS). The new rule provides an exhaustive list of covered ICTS Transactions, which includes transactions that involve one or more of the following six types of technology:
1. ICTS used in critical infrastructure pursuant to Presidential Directive 21 – Critical Infrastructure Security and Resilience that involves a “clearly specified technology or service” such as financial services, energy, agriculture, etc.
2. Software, hardware, or services integral to wireless local area networks, mobile networks, satellite payloads including telecommunications and remote sensing, satellite operations and control, cable and wireline access points, core networking systems, and long- and short-haul networks such as fiber optic cables.
3. Software, hardware, or services integral to data hosting that process or retain sensitive personal data.
4. ICTS involving, among other things, certain Internet-enabled webcams, routers, modems, or drones.
5. Certain software designed for communicating over the Internet such as mobile, desktop, and gaming applications.
6. ICTS integral to, among other things, artificial intelligence, machine learning, drones, and autonomous systems.
B. Procedure for Reviewing ICTS Transactions
Commerce’s review of an ICTS Transaction can be triggered by “any and all relevant information,” including, among other things, referrals from U.S. government agencies, proprietary or confidential business information, information from parties to the transaction, or Commerce’s own initiative. Commerce may require parties involved in an ICTS Transaction to furnish “under oath . . . complete information relative to any transaction . . . including the production of any books, contracts, letters, papers,” and other documents. The materials may be required before, during, or after an ICTS Transaction. Commerce may also convene hearings to “administer oaths, examine witnesses, receive evidence, take depositions, and require by subpoena the attendance and testimony of witnesses and the production” of any documents related to the covered transaction.
Upon initiating a review, Commerce must make an initial determination whether the ICTS Transaction meets the risk criteria below and, if so, whether to prohibit the Transaction or propose mitigation measures by which it may be permitted. Before rendering the initial determination, Commerce must first consult with other agencies. Commerce and those agencies will consider enumerated factors to determine whether a transaction poses an undue or unacceptable risk, including:
- The nature of the technology and “market share considerations”;
- The foreign adversary’s jurisdiction and control over the design, development, or production of the ICTS products;
- Recent statements and actions of the “foreign adversary at issue” and the parties to the transaction;
- Whether the transaction “poses a discrete or persistent threat” or a particular vulnerability would be presented if the ICTS product is integrated into the U.S. telecommunications infrastructure, and whether risks can be mitigated; and
- The likelihood and severity of harm posed by the Transaction.
Following the consultation, if Commerce initially determines the ICTS Transaction is prohibited or requires mitigation, it will notify the parties. The notified parties will then have 30 days to demonstrate that there is no sufficient basis for the determination, to remediate the basis for the determination, or propose mitigating measures to address Commerce’s concerns. The notified parties may also request a meeting with Commerce, which will be granted at the agency’s discretion.
After the receipt of the parties’ response, Commerce again consults with appropriate agencies and then issues a final determination whether the ICTS Transaction is prohibited, not prohibited, or permitted subject to the adoption of mitigation measures. Commerce has 180 days from the initiation of a review to issue a final determination, unless it determines in writing that additional time is necessary. If an ICTS Transaction is underway and Commerce subsequently prohibits the transaction, the interim final rule indicates that Commerce will work with the U.S. company to unwind and dissolve the subject transaction.
If an agency disagrees with Commerce’s final determination, Commerce must obtain presidential guidance. The final determination will be published in the Federal Register.
C. Narrow Exceptions to the ICTS Review
The interim final rule excludes otherwise covered ICTS Transactions by U.S. persons or companies that are party to ICTS Transactions in support of U.S. government classified programs. The rule also excludes ICTS Transactions reviewed by CFIUS. If CFIUS is actively reviewing, or has reviewed, a covered ICTS transaction as part of a CFIUS-covered transaction, no ICTS review is required or permitted. If CFIUS determines that a certain ICTS Transaction is not a CFIUS-covered transaction, Commerce can exercise its ICTS jurisdiction.
D. Still to Come – Safe Harbor Licensing Procedures
In response to business community concerns that companies will be left to wonder in perpetuity whether their transactions will be scrutinized and potentially prohibited, Commerce agreed to publish procedures for a voluntary licensing or pre-clearance process within 60 days of the effective date of the interim final rule. This process will detail how a party to a transaction, whether proposed, pending, or ongoing, may seek a license from Commerce approving the transaction. Commerce has stated that the license review time will not exceed 120 days, or else the license application will be deemed to be approved.
On March 29, 2021, Commerce published an advance notice of proposed rulemaking seeking public comment on several aspects of a potential voluntary licensing or pre-clearance process, with comments due by April 28, 2021. Commerce indicated that, because of the need for public comment, Commerce does not expect to have this process in place by 60 days after the effective date of the interim final rule.
Like parties to most CFIUS-covered transactions, parties are not required to submit a request for approval for a covered ICTS Transaction. Indeed, Commerce provides assurance that a party that is not seeking a license for a covered transaction will not “create a negative inference or unfavorable presumption.”
Be Prepared for More Surprises
It is entirely possible that parties to an ICTS Transaction may not be aware that their transaction is under review until the parties receive an initial prohibition determination from Commerce (though it is possible such parties would have been asked to provide information during the review). At that point, the parties would only have 30 days to attempt to respond, challenge the initial determination, or remediate or mitigate any issues identified by Commerce.
The Vast and (Nearly) Infinite Universe of Transactions
Recent executive orders targeting entities from China, coupled with this new interim final rule, ensure that almost any ICTS-related activity in the United States connected to China is now subject to regulatory review by the U.S. government. For example, a well-established U.S. corporation importing over a million routers or modems from China would be beyond CFIUS scrutiny, but could trigger an ICTS review. Another example would be a U.S. business contracting to use cloud computing services of a foreign adversary.
Commerce is not wasting any time implementing this procedure. In a press release on March 17, 2021 – prior to the effective date of the interim rule – Commerce Secretary Gina Raimondo announced the issuance of subpoenas to multiple companies from China to support review of transactions pursuant to EO 13873 and to collect “information that will allow us to make a determination for possible action that best protects the security of American companies.”
Apply Know Your Customer Processes to Supply Chains
Any ICTS product “designed, developed, manufactured, or supplied by persons” owned, controlled, subject to, or at the direction of foreign adversaries could constitute a covered transaction. Commerce’s Bureau of Industry and Security (BIS) has for years promulgated guidance for U.S. companies to mitigate the risk of export control violations – known as “Know Your Customer” guidance. These processes and practices should now be adapted and applied to international partners, vendors, and suppliers.
Situational Awareness for Government Contractors
While the new interim final rule makes an exception for classified programs, there is no exception for unclassified programs or contracts. This raises possible overlap in the interplay between Section 889, the Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment, of the FY 2019 National Defense Authorization Act (NDAA), and this new rule.
Implemented by the Federal Acquisition Regulations, Section 889 prohibits U.S. government agencies from procuring equipment or services that use covered telecommunications or surveillance equipment or services from five specified Chinese companies, and from entering into, renewing, or extending a contract with any company that uses telecommunications or surveillance equipment or services from these companies. The companies from China specified in Section 889 include Huawei and others that were the likely targets of EO 13873.
It seems this new interim final rule could cover ICTS that may not be covered by Section 889, as well as ICTS that is covered. In other words, because this new rule has broader implications and considers China and its telecommunications industry as a foreign adversary, government contractors will need to be aware of the overlap where Commerce investigation and enforcement authority bleed over to monitor compliance with Section 889 and what the ICTS rule may cover beyond Section 889.
The contract clauses implementing Section 889 require contractors to disclose, after a “reasonable inquiry,” whether they use covered telecommunications equipment. Additionally, during the course of a government contract, the contractor must report to the government if there are any changes in its prior representations. The additional scrutiny that telecommunications products and services from China will receive because of the new interim final rule reinforces how crucial it will be for government contractors to conduct a thorough review of their supply chains and remediate any potential issues.
 Although Commerce reserves the right to add, take away, or otherwise modify this list, the interim final rule identifies the following entities as foreign adversaries solely for purposes of EO 13873 and this rule: “[t]he People’s Republic of China, including the Hong Kong Special Administrative Region, the Republic of Cuba, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, the Russian Federation, and Venezuelan politician Nicolas Maduro.”
 The 180-day clock includes the initial determination.
 Also, under section 7.2 where the rule defines a “party or parties to a transaction,” it excludes from the definition common carriers, or freight forwarders, that transport goods “on behalf of the general public.” However, this exception does not apply to those forwarders that know, or should know, they are providing shipping services to or for a foreign adversary to the United States.
 However, Commerce may still conduct a review of a CFIUS-covered transaction, if CFIUS did not review the specifics of the ICTS portion of the transaction. Additionally, if CFIUS had previously reviewed a transaction, but a distinct ICTS Transaction arises from the same CFIUS-reviewed transaction, Commerce may review that new covered transaction.
 See the January 5, 2021 Executive Order which targets specific manufacturers from China of mobile and desktop applications, citing “additional steps to address the national emergency with respect to the information and communication technology and services supply chain.”