On January 14, 2021, the U.S. Department of Commerce (Department) released an interim final rule to implement President Trump’s 2019 Executive Order (EO) on “Securing the Information and Communications Technology and Services Supply Chain” (EO 13873). This rule establishes the processes and procedures that the Secretary of Commerce (Secretary) will use to identify, assess, and address certain transactions between U.S. persons and foreign persons that involve information and communications technology or services (ICTS) designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a “foreign adversary”; and pose an undue or unacceptable risk. The new rule departs from the Department’s proposed rules in several ways.
Notably, the rule identifies six foreign governments or foreign non-government persons as “foreign adversaries”: China, Russia, Iran, North Korea, Cuba, and Venezuelan politician Nicolás Maduro. If an ICTS transaction involving these nations/persons is initiated, pending, or completed on or after the date the rule is published in the Federal Register, that transaction may be reviewed by the Secretary under the new rule. The new review process will apply to transactions involving a wide range of telecommunications technologies, including the software, hardware, products, and services integral to wireless local area networks, mobile networks, satellite operations, cable access points, wireline access points, and core networking systems.
The rule will be effective 60 days from Federal Register publication—scheduled for January 19, 2021—which will make the rule effective on March 22, 2021. Comments on the interim rule are also due 60 days from publication, on March 22, 2021. The Department will issue a subsequent final rule considering and responding to additional comments received and will implement procedures for a transaction licensing process, as discussed below, 120 days from Federal Register publication.
The New Rule Provides New Procedures and Timelines for Secretary’s Review of ICTS Transactions
- The rule sets forth the procedures by which the Secretary may:
- determine whether any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service (ICTS Transaction) that has been designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries poses certain undue or unacceptable risks as identified in the EO;
- issue a determination to prohibit an ICTS Transaction;
- direct the timing and manner of the cessation of the ICTS Transaction; and
- consider factors that may mitigate the risks posed by the ICTS Transaction.
- The Secretary, in consultation with appropriate agency heads and other relevant governmental bodies, as appropriate, shall make an initial determination as to whether to prohibit a given ICTS Transaction or propose mitigation measures.
- After reviewing party responses to the initial determination, the Secretary will issue a final determination (i) prohibiting the transaction, (ii) not prohibiting the transaction, or (iii) permitting the transaction subject to the adoption of measures to mitigate the risks associated with the transaction.
- Unless the Secretary determines in writing that additional time is necessary, the Secretary shall issue the final determination within 180 days of accepting a referral and commencing the initial review of the ICTS Transaction.
The New Rule Clarifies the Scope of Covered ICTS Transactions
- The Department identified six main types of ICTS Transactions that will fall under the scope of this rule:
- ICTS that will be used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors;
- software, hardware, or any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul systems;
- software, hardware, or any other product or service integral to data hosting or computing services that uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data on greater than one million U.S. persons at any point over the 12 months preceding an ICTS Transaction;
- certain ICTS products which greater than one million units have been sold to U.S. persons at any point over the 12 months prior to an ICTS Transaction;
- software designed primarily for connecting with and communicating via the Internet that is in use by greater than one million U.S. persons at any point over the 12 months preceding an ICTS Transaction;
- ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.
- Transactions involving certain sensitive personal data, regardless of whether they involve a critical infrastructure sector, will be considered ICTS Transactions for the purposes of the rule.
- The rule applies to ICTS Transactions that are initiated, pending, or completed on or after the date the rule is published in the Federal Register.
- However, any act or service with respect to an ICTS Transaction, such as execution of any provision of a managed services contract or installation of software updates, is an ICTS Transaction on the date that the service or update is provided, even if the service was provided pursuant to a contract initially entered into prior to the date the rule is published in the Federal Register.
The Department Establishes a New Transaction Licensing Process
- In response to commenter requests, the Department will establish a process for entities to seek pre-approval of their ICTS Transactions and obtain a license.
- The Department intends to publish procedures for a party to ICTS Transaction to seek a license within 60 days of the publication date of this rule. Within 120 days of the publication date of this rule, the Department intends to implement this licensing process.
- License application reviews will be conducted on a fixed timeline, not to exceed 120 days from accepting a license application. If the Department does not issue a license decision within 120 days from accepting a license application, the application will be deemed granted.
The New Rule Identifies Six Foreign Adversaries and Provides Guidance on the Secretary’s Determination of Foreign Adversaries
- The Secretary shall determine foreign adversaries for purposes of this rule, and the rule sets forth factors the Secretary shall consider in making a determination.
- Pursuant to the Secretary’s discretion, the list of foreign adversaries will be revised as determined to be necessary. Such revisions will be effective immediately upon publication in the Federal Register without prior notice or opportunity for public comment.
The Department will consider comments to this interim rule, due on March 22, 2021, and issue a final rule. The Department will also be publishing procedures regarding its new transaction licensing process.
Technology companies should evaluate their current and planned transactions to determine the applicability of the new rule and the likelihood of transaction review by the Secretary. Companies may wish to take advantage of the new licensing process to help ease business uncertainty. Parties engaged in transactions with the defined “foreign adversaries” should carefully consider how to proceed and be prepared to develop appropriate mitigations for reducing risk.
Wiley continues to closely monitor regulatory developments affecting the communications supply chain.