Earlier this year, the Department of Commerce (Commerce) published an interim final rule to address the security of the U.S. supply chain for information technology (the Rule). The Rule, which has now taken effect as of March 22, 2021, created a new regulatory regime under which Commerce could review, place limitations on, or even block many U.S. companies' commercial agreements. Specifically, the Rule gives Commerce these broad authorities with respect to U.S. companies' use of information and communications technology and services (ICTS) that are designed, developed, manufactured, or supplied by "foreign adversaries," most notably China and Russia. As of last week, the Biden administration has begun to leverage its new authorities under the Rule. Companies that procure IT products or services from providers in China, for instance, should pay close attention to the actions of the administration over the next several months—aggressive action by the administration could create significant supply chain challenges for such businesses.
Under the Rule, Commerce may review and then prohibit or restrict any agreement initiated, pending, or completed on or after January 19, 2021, addressing ICTS. Both hardware components and various kinds of services, from managed services to data transmission to software updates, are covered. For purposes of the Rule, covered products and services are those used in various applications in six specific sectors. The sectors are described in detail in the Rule, but can be shorthanded as (i) critical infrastructure, (ii) telecommunications and networking, (iii) data storage and hosting, (iv) surveillance or monitoring equipment, (v) software that enables communication over the internet (e.g., apps, games, etc.), and (vi) advanced technologies (e.g., robotics, artificial intelligence, etc.). Significantly more detail on the Rule and its anticipated implementation can be found in our January alert on point.
While it previously was unclear whether the Biden administration would decide to exercise the new powers granted under the Rule, Commerce has provided its first indications that it is preparing to staff up to use those authorities. On March 17, 2021, Commerce served subpoenas on several Chinese companies that provide ICTS in the United States. The purpose of the subpoenas was reportedly to determine whether transactions involving these companies meet the criteria set forth in the executive order that formed the basis for the Rule. In a press release addressing the subpoenas, the Secretary of Commerce stated that "The Biden-Harris Administration has been clear that the unrestricted use of untrusted ICTS poses a national security risk…[t]he Administration is firmly committed to taking a whole-of-government approach to ensure that untrusted companies cannot misappropriate and misuse data and ensuring that U.S. technology does not support China's or other actors' malign activities."
As discussed in the January alert, Commerce also anticipates extending the Rule to include procedures to permit pre-authorization of covered commercial transactions through a Commerce-run licensing process. Commerce reportedly submitted proposed procedures on point to the Office of Management and Budget for review on March 15, 2021. We continue to anticipate public release no later than May 19, 2021.
At this time, it remains difficult to predict how aggressive Commerce and the Biden administration will be in seeking out and reviewing ICTS transactions. Commerce has not yet indicated that it expects to create a full-time staff dedicated to the use of the new authorities to finding covered ICTS transactions, or to reviewing related license applications. Companies that obtain ICTS parts or services from China, Russia, or other affected nations and use them in one of the six sectors, (i)-(vi), described above, should strongly consider how they might enhance their supplier due diligence programs in advance of a request related to the new Rule.