Synthetic Law

Understanding the Department of Commerce's New ICTS Regulations

Dec 09, 2024, by Dariusz Czuchaj

What Are the ICTS Regulations?

The U.S. Department of Commerce has just issued a final rule to formalize the authorities and procedures of the Office of Information and Communications Technology and Services (OICTS). This is a critical step in implementing Executive Order 13873, which aims to address the national security risks posed by vulnerabilities in the information and communications technology and services (ICTS) supply chain.

ICTS encompasses a wide range of technologies, including hardware, software, and services that facilitate data processing, communication, and storage. The regulations aim to mitigate risks posed by foreign influence or control over these critical technologies.

Key Components of the ICTS Regulations

The rule applies broadly to ICTS transactions involving hardware, software, and services related to areas like data processing, communications, critical infrastructure, and emerging technologies. The focus is on transactions where the ICTS is designed, developed, manufactured, or supplied by persons owned, controlled, or directed by foreign adversaries.

Some key countries covered include China, Russia, and any other nations the Commerce Secretary deems to pose long-term threats to U.S. security. The rule is not limited to just one country, but rather takes a comprehensive approach to safeguarding against malicious foreign interference in American technology systems.

What Changed in Relation to the Previous Interim Rule?

One of the key changes is the removal of the unit/user threshold requirement.

In the interim rule, the Department of Commerce had included requirements that certain types of ICTS transactions would only be considered in scope for review if they involved over 1 million users or units. Specifically, this threshold applied to:

  • Internet-enabled sensors, webcams, or other end-point surveillance/monitoring devices
  • Routers, modems, or other home networking devices
  • Software designed primarily for connecting to and communicating via the internet

The idea behind these thresholds was that transactions involving a large number of users or units would be more likely to pose a true national security risk, versus smaller-scale transactions. The Department seemingly wanted to focus its limited resources on reviewing the most potentially impactful ICTS deals.

However, in the final rule, the Commerce Department has decided to remove these numerical thresholds entirely. There are a few key reasons for this change:

  • Risk is not always correlated with transaction volume - The Department recognized that an ICTS transaction could still pose significant national security risks even if it involves a relatively small number of users or units. For example, if the technology is being used to collect sensitive personal data on high-profile government officials, the risk could be very high despite the low transaction volume.
  • Thresholds could enable strategic circumvention - If businesses knew their transactions would only be reviewed if they exceeded 1 million users/units, some might intentionally structure deals to stay under that limit, even if the underlying technology still posed risks.
  • Threshold limitations conflict with the rule's objectives - By excluding transactions below the numerical limits, the Department felt it would be failing to address the full scope of vulnerabilities in the ICTS supply chain, as envisioned in Executive Order 13873.

So in the final rule, the Commerce Department has taken a more holistic approach. Rather than relying on arbitrary user/unit thresholds, it will focus its reviews on ICTS transactions most likely to pose undue or unacceptable risks, based on a range of factors beyond just the transaction volume.

This change means the final rule has a broader, more comprehensive scope when it comes to the ICTS transactions that are eligible for review. The goal is to give the Department maximum flexibility to identify and address national security vulnerabilities, wherever they may exist in the technology supply chain.



Businesses should consider conducting a thorough review of their supply chains and partnerships to identify any potential risks associated with foreign adversaries. This proactive approach will help ensure compliance while maintaining operational integrity.

Important Definitions and Processes

Covered Transactions - The final rule applies to a broad range of ICTS transactions, including those involving hardware, software, and services related to information/communications, data hosting and computing, connected applications, critical infrastructure, and critical/emerging technologies. However, transactions already reviewed by the Committee on Foreign Investment in the United States (CFIUS) are generally excluded.

Review Process - The Department can initiate reviews of ICTS transactions on its own or based on referrals from other agencies. It first assesses whether a transaction meets the criteria for a "covered ICTS transaction" and involves ICTS supplied by persons owned/controlled by foreign adversaries. If so, the Department evaluates whether the transaction poses an "undue" or "unacceptable" risk based on factors like the ICTS capabilities, the foreign nexus, the parties involved, and potential impacts on national security.

Initial and Final Determinations - If the Department identifies undue or unacceptable risks, it will issue an initial determination proposing to prohibit the transaction or allow it with mitigation measures. Parties have 30-60 days to respond before the Department issues a final determination. Final determinations to prohibit a transaction will be published in the Federal Register, while notices of final determinations to allow transactions with mitigation may also be published.


Penalties

The rule specifies a range of prohibited activities related to covered ICTS transactions. Violations can result in substantial civil penalties up to $250,000 per incident or criminal penalties up to $1 million and 20 years imprisonment. These penalties apply not just to direct participants, but also to those who aid, abet, or make false statements.

More information here: https://www.bis.gov/press-release/commerce-issues-final-rule-formalize-icts-program