Commerce proposes ICTS changes for connected software applications | Akin Gump Strauss Hauer & Feld LLP
- On November 26, 2021, the U.S. Department of Commerce issued a Notice of Proposed Rulemaking related to “connected software applications” (“apps”) that seeks to expressly bring transactions involving apps within the scope of the ICTS Supply Chain Regulations.
- Specifically, the proposed rule would update the ICTS supply chain regulations to explicitly include “connected software applications” in the definition of “information and communications technology or services” and affirm that transactions involving applications fall within the scope of covered ICTS transactions.
- The proposed rule also sets out potential risk indicators for the Secretary of Commerce to consider when assessing whether an ICTS transaction involving connected software applications poses undue or unacceptable risk under ICTS supply chain regulations.
- Comments on the proposed rule are due by December 27, 2021.
On November 26, 2021, the U.S. Department of Commerce (“Commerce”) released a proposed rule, “Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications” (the “Proposed Rule”), to amend the Information and Communications Technology and Services (ICTS) Supply Chain Regulations (15 CFR Part 7) that went into effect on March 22, 2021. These regulations implement Executive Order 13873, Securing the Information and Communications Technology and Services Supply Chain (the “ICTS Supply Chain EO”), issued by former President Trump on May 15, 2019 to address the national emergency posed by the ability of “foreign adversaries” to create and exploit vulnerabilities in the ICTS supply chain.1 Broadly speaking, the ICTS Supply Chain Regulations provide a general framework for the Secretary of Commerce to identify, mitigate, prohibit or unwind covered “ICTS transactions”2 involving “foreign adversaries”3 that pose an undue or unacceptable risk to the national security of the United States.
Concurrently, and building on the national emergency declared in the ICTS Supply Chain EO, President Trump issued three executive orders in the last six months of his administration targeting specific Chinese apps, including TikTok, WeChat and eight other Chinese software applications (EO 13942, 13943 and 13971). Following various legal challenges and a change in administration, President Biden issued Executive Order 14034, “Protecting Americans’ Sensitive Data from Foreign Adversaries” (“EO 14034”), on June 9, 2021. In addition to revoking the three Trump-era “app ban” executive orders, EO 14034 directed the Secretary of Commerce to undertake any further review of the risks posed by apps under the ICTS Supply Chain Regulations and identified several application-specific risk factors (discussed in more detail in the next section below) for the Secretary to assess as part of any such review.4
The Proposed Rule makes largely technical changes to the ICTS Supply Chain Regulations based on EO 14034. Its primary effect is to add express references to “connected software applications” to the ICTS Supply Chain Regulations where appropriate. Notably, the Proposed Rule states that these changes “do not increase the scope of existing regulations” and instead seek to clarify that transactions involving “connected software applications” already fall within the scope of the ICTS Supply Chain Regulations.
Specifically, in addition to adding “connected software applications” to the definitions and scope sections of the regulations, the Proposed Rule confirms that the category of “covered ICTS transactions” includes certain transactions involving software “designed primarily to connect with and communicate via the Internet that is in use by greater than one million persons in the United States.”
As noted above, the Proposed Rule also incorporates the application-specific risk factors set out in EO 14034 that must be considered when assessing whether an ICTS transaction involving connected software applications presents undue or unacceptable risk. These “potential risk indicators” include:
- Ownership, control or management by persons who support the military, intelligence or proliferation activities of a foreign adversary.
- Use of the connected software application to perform surveillance that enables espionage, including access by a foreign adversary to sensitive or confidential government or commercial information, or sensitive personal data.
- Ownership, control, or management of connected software applications by persons coerced or co-opted by a foreign adversary.
- Ownership, control or management of connected software applications by persons involved in malicious cyber activities.
- A lack of thorough and reliable third-party auditing of connected software applications.
- The scope and sensitivity of the data collected.
- The number and sensitivity of users of the connected software application.
- The extent to which the identified risks have been or can be addressed by independently verifiable measures.
The Proposed Rule invites comment on a number of topics, including:
- The definition of “connected software applications” and whether it is appropriately scoped and uses correct industry terminology.
- Whether there are other application-specific factors that should be added to the risk criteria for “connected software applications” and whether these factors should be applied more generally to all reviews of ICTS transactions.
- The scope and meaning of specific terms as used in these application-specific potential risk indicators, including “ownership, control or management”, “reliable third party”, “independently verifiable measures” and “third-party auditing”, among others.
Comments on the Proposed Rule must be received no later than December 27, 2021, via the Federal eRulemaking Portal or by email to ICTsupplychain@doc.gov.
The Proposed Rule will not become effective until the Department reviews the comments received and issues a final rule, although, as noted above, the Proposed Rule does not technically expand the scope of covered ICTS transactions that are subject to Department review under the ICTS Supply Chain Regulations. With this in mind, industry has the opportunity, before December 27, 2021, to shape the treatment of apps under the ICTS Supply Chain Regulations through public comment.
More generally, Commerce has yet to provide greater clarity regarding the ICTS regime, including issuing a proposed rule on an ICTS licensing regime and identifying which office within Commerce will administer the regime. Nevertheless, because the ICTS Supply Chain Regulations remain in effect, we may see parallel enforcement-related actions from Commerce, including requests for information, the issuance of additional subpoenas, or perhaps even enforcement actions involving specific, identified ICTS transactions.
1 For more information on the ICTS Supply Chain EO and the ICTS Supply Chain Regulations, please see our previous alerts on this topic (May 2019, December 2019 and February 2021).
2 The ICTS Supply Chain Regulations define “ICTS transaction” as “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.”
3 The ICTS Supply Chain Regulations designate China (including Hong Kong), Cuba, Iran, North Korea, Russia and the Maduro regime of Venezuela as “foreign adversaries”.
4 For more information on EO 14034, please see our previous alert on this subject.