LawFlash

Securing the ICTS Supply Chain: Commerce Issues Final Rules Pursuant to EO 13873

December 11, 2024

The US Department of Commerce (Commerce or DOC) on December 6, 2024 issued a final rule codifying its framework for reviewing Information and Communications Technology and Services (ICTS) transactions under Executive Order (EO) 13873, titled Securing the Information and Communications Technology and Services Supply Chain. This final rule, effective February 4, 2025, refines the Interim Final Rule (IFR) published in January 2021 by expanding its scope, improving procedures, and incorporating extensive stakeholder feedback.

EO 13873 grants the Secretary of Commerce the authority to regulate ICTS transactions involving foreign adversaries that could threaten US national security, foreign policy, or economic interests. The final rule, outlined in 15 CFR Part 791, reflects the US government’s response to evolving threats posed by critical and emerging technologies, aligning with national security directives. Over the past five years, Commerce has undertaken a series of rulemaking activities to implement EO 13873 and has also embarked on one enforcement action in addition to two derivative rulemakings that would use EO 13873 as jurisdiction for further specific regulation of (1) connected vehicles and (2) unmanned aerial vehicles (UAVs).

The following timeline summarizes some main developments:

| Date | Rulemaking Activity |
|---|---|
| May 15, 2019 | President Donald Trump issued EO 13873, declaring a national emergency and addressing risks to the ICTS supply chain. President Joseph Biden extended the declaration of this national emergency in each year since EO 13873’s issuance. |
| November 27, 2019 | Proposed Rule published in the Federal Register (84 FR 65316), setting forth the scope and review process for ICTS transactions. |
| January 19, 2021 | IFR published (86 FR 4909), incorporating public comments on the Proposed Rule and defining key terms and procedures. |
| November 26, 2021 | Notice of Proposed Rulemaking (NPRM) targeting connected software applications issued (86 FR 67379) and implementing President Biden’s EO 14034 titled Protecting Americans’ Sensitive Data From Foreign Adversaries (86 FR 31423). |
| June 21, 2023 | Final Rule (88 FR 39353) implementing provisions of EO 14034 on connected software applications published. |
| June 24, 2024 | Final Determination prohibiting ICTS transactions supplied by a US subsidiary of a Russia-based cybersecurity company. |
| July 18, 2024 | Final Rule redesignated the relevant ICTS regulations from 15 CFR Part 7 to 15 CFR Part 791 to align with the placement of the Office of Information and Communications Technology and Services (OICTS) within the DOC’s Bureau of Industry and Security (BIS) (89 FR 58263). |
| March 1, 2024 | Advance Notice of Proposed Rulemaking (ANPRM) published, seeking comments on new supply chain regulations, specifically for connected vehicles, using EO 13873 as the underlying jurisdiction. |
| September 26, 2024 | NPRM published, proposing rules and seeking further comments on supply chain regulations for connected vehicles, highlighting concerns over user data collected by connected vehicles and potential for other exploitation. |
| November 12, 2024 | Pre-rule received by BIS suggests that unmanned aircraft systems (UAS) may become the next sector of focus, following connected vehicles. |
| December 6, 2024 | Final Rule published in the Federal Register (89 FR 96872) and effective on February 4, 2025, refining the IFR based on public feedback and implementation experience. |

KEY CHANGES FROM THE INTERIM FINAL RULE

The final rule reflects efforts to refine the ICTS review framework, incorporating feedback from industry stakeholders, trade groups, and private individuals. While many updates are procedural or clarifying, several key changes enhance the rule’s scope and implementation. For example, the final rule introduces new definitions and revises existing ones in § 791.2, removes the threshold requiring collection of sensitive personal data from more than one million US persons in § 791.3, reorganizes and clarifies products and services subject to review, adds Macau to the foreign adversary list in § 791.4, and updates procedures for initiating reviews (§ 791.103).

It also amends notification and consultation requirements (§§ 791.104 and 791.108), clarifies parties to ICTS transactions and notifications of Initial Determinations (§ 791.105), refines procedures for party responses (§ 791.107), lists prohibited activities (§ 791.200), and makes additional clarifying changes throughout the regulations.

Below, we discuss some of the more notable updates to these provisions in greater detail.

§ 791.2 (Definitions)

Commerce clarified and expanded the definitions of some key terms, such as “ICTS transaction” and “United States person.” The scope was refined to address stakeholder concerns and ensure alignment with national security directives.

  • The term “dealing in” within the definition of “ICTS transaction” is defined to mean “activity of buying, selling, reselling, receiving, licensing, or acquiring ICTS, or otherwise doing or engaging in business involving the conveyance of ICTS.”
  • The term “importation” within the definition of “ICTS transaction” is defined to mean “the process or activity of bringing foreign ICTS to or into the United States, regardless of the means of conveyance, including via electronic transmission.”
  • The term “party or parties to a transaction” is amended to clarify the types of activities in which a person would engage to be considered a party to a transaction. The new definition now defines this term as “a person or persons engaged in an ICTS Transaction or class of ICTS Transactions, including but not limited to the following: designer, developer, provider, buyer, purchaser, seller, transferor, licensor, broker, acquiror, intermediary (including consignee), and end user.”
  • The term “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” is revised to address public comments expressing that the IFR’s definition was confusing and unclear regarding the individuals or entities that might be “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” Specifically, Commerce clarified that (1) individuals who are US citizens or permanent residents are not considered controlled by a foreign adversary solely based on their citizenship or residency in a foreign adversary country; (2) entities may be under the jurisdiction of a foreign adversary if they are headquartered, incorporated, organized under the laws of, or have a principal place of business in a foreign adversary country; and (3) a person can be considered owned or controlled by a foreign adversary if another entity under the adversary's jurisdiction has the power to influence important matters through voting interests, board representation, proxies, special shares, contractual or informal arrangements, or other mechanisms.
  • The term “appropriate agency heads” is revised to clarify which officials may participate in the interagency notification and consultation process.
  • The term “covered ICTS transaction” is defined to distinguish between transactions involving ICTS generally and ICTS transactions that meet the criteria set forth in § 791.3.
  • The term “Secretary” is revised to identify the Under Secretary of Commerce for Industry and Security and the Executive Director of the Office of Information and Communications Technology and Services (OICTS) as designees to whom the Secretary may delegate authority.
  • The term “United States person” now includes “any person in the United States” to correct an inadvertent omission.

§ 791.3 (Scope of Covered ICTS Transactions)

Commerce retained the broad scope of the rule, emphasizing the necessity of addressing risks posed by foreign adversaries that could exploit vulnerabilities in US critical infrastructure and ICTS supply chains. Despite concerns about overreach, the scope remains designed to encompass critical and emerging technologies to protect against industrial and economic espionage.

  • The final rule refines covered transactions by listing broad technology categories to clarify its focus on ICTS integral to sensitive personal data, critical infrastructure, and critical/emerging technologies. Numerical thresholds requiring ICTS transactions to involve more than one million users, units, or sales were removed, as risks are determined by the nature and type of data rather than transaction volume. This change prevents evasion of review by malicious actors through strategic circumvention of thresholds.
  • Clarifications to definitions were made to maintain consistency with EO 13873 while addressing stakeholder concerns. Terms such as “person subject to U.S. jurisdiction,” “integral,” and “interest” were clarified without narrowing the scope, preserving the rule’s ability to address potential risks effectively.
  • Similarly, critical infrastructure definitions were aligned with National Security Memorandum 22, listing 16 critical sectors explicitly for clarity.
  • The list of critical and emerging technologies was updated to include 11 key categories, such as artificial intelligence, quantum computing, and drones, to reflect technological advancements and evolving risk landscapes. The final rule also simplified the Committee on Foreign Investment in the United States (CFIUS) exception, consolidating provisions to avoid duplicative reviews while ensuring comprehensive risk assessments.
  • The retroactive applicability of the rule was clarified to apply only to ICTS transactions initiated, pending, or completed on or after January 19, 2021. Transactions finalized before this date are excluded, but new activities under existing contracts after the effective date are subject to review. This approach ensures that risks arising from ongoing or new ICTS activities are addressed without disrupting finalized agreements.
  • Commerce declined commenters’ requests for industry-specific exemptions or categorical exclusions of technologies, such as personal devices or telecommunications carriers. However, Commerce explained that the final rule remains open to potential exclusions in the future if certain ICTS transactions are demonstrated not to pose undue or unacceptable risks.

§ 791.103 (Initial Review of ICTS Transactions)

Commerce addressed several comments regarding the review process for ICTS transactions under § 791.103, including concerns about the breadth of provisions and the clarity of procedures for initiating reviews.

  • Some commenters suggested that the initial risk review should include remediation cost analyses, while others raised concerns about the potential for anticompetitive behavior stemming from private-party information submissions. To mitigate these concerns, the final rule allows parties to respond to Initial Determinations with corrections or challenges to factual inaccuracies, and it clarifies that false or fraudulent submissions could result in penalties under § 791.200.
  • The final rule also enhances procedural clarity, specifying that the Secretary has the discretion to initiate reviews based on any information described in § 791.100(a), including referrals from other government agencies. It also outlines the steps for determining whether a transaction is a “Covered ICTS Transaction,” involves foreign adversaries, and poses undue or unacceptable risks, as described in EO 13873.
  • Additional revisions to § 791.103(c) refine the criteria for evaluating risks posed by covered ICTS transactions. The updated language includes considerations of customer bases, business relationships, and operational locations. It also consolidates criteria for assessing connected software applications, which now include factors such as user sensitivity, data scope, espionage risks, third-party auditing, and the feasibility of mitigating identified risks.

§§ 791.104 (First Interagency Consultation) and 791.108 (Second Interagency Consultation)

Commerce revised the interagency consultation process under § 791.104 and § 791.108 to address commenters’ concerns about clarity and procedural specifics. Commenters had expressed uncertainty about the meaning and scope of “interagency consultation,” requesting definitions, formal processes, and a consensus-seeking mechanism to prevent duplicative reviews and ensure a whole-of-government approach to ICTS transaction assessments.

  • The final rule clarifies the consultation process required before Initial and Final Determinations. It outlines that consultation may take various forms, from formal agreements to informal discussions, and specifies that the Secretary will notify appropriate agency heads if a transaction meets the criteria under § 791.103. These agency heads will have 21 days to provide comments, with the presumption of no comments if none are received. The Secretary may use these comments to inform the assessment and the development of the Initial Determination under § 791.105, carefully considering any objections.
  • The amendments retain flexibility in determining which agency heads to consult, as outlined in EO 13873, and avoid imposing a consensus requirement for Initial Determinations. However, they emphasize the importance of interagency input to avoid redundant regulatory efforts and refine procedures for interagency notification and consultation to ensure clarity and efficiency. Further details on interagency consultation for Final Determinations are provided in § 791.108.

§ 791.105 (Initial Determination)

Commerce revised § 791.105 to clarify the process for issuing and handling Initial Determinations, addressing concerns about public disclosure and interagency consultation.

  • Commenters suggested omitting party identities in public notices and sought assurance that Initial and Final Determinations would remain confidential to avoid financial or reputational harm. In response, the rule now allows for the publication of notices, not full texts, of Initial Determinations when warranted, particularly for cases involving national security or public risk. While party names may be included in such notices, publication is discretionary, focusing on cases with broader public impact.
  • Amendments also clarify interagency notification procedures under § 791.104. The Secretary will consider comments from agency heads regarding whether an ICTS transaction meets review criteria, with discretion to end reviews, amend assessments, or proceed with Initial Determinations.
  • The revisions to § 791.105(b)(1) provide parties with detailed factual bases for decisions, enabling more effective responses. § 791.105(b)(3) introduces distinctions in identifying and notifying parties, addressing situations where individual identification or notification is impractical, such as classes of ICTS transactions affecting many US consumers.

§ 791.107 (Procedures Governing Response and Mitigation)

The final rule introduces changes to § 791.107 to address concerns regarding response times and mitigation measures for ICTS transactions. While the DOC declined to impose a maximum time limit for mitigation measures, it emphasized the need for case-specific review to address identified risks effectively and avoid creating national security vulnerabilities.

  • To enhance the response process, the final rule extends the time for parties to address an Initial Determination. Parties now have 30 days to respond, with an option to request an additional 30-day extension for good cause, allowing up to 60 days total. The Secretary may consider factors such as the complexity of the transaction, the severity of identified risks, and the impact an extension may have on review timelines.
  • The rule also introduces a 50-page limit for written responses to an Initial Determination, unless prior approval for additional length is obtained. This change ensures efficient communication between Commerce and the parties involved. Additionally, the rule clarifies that submissions can include confidential business information, which must be clearly identified to protect sensitive data.

§ 791.200 (Penalties)

The final rule revises the penalty provisions under § 791.200 to address concerns regarding the mental state requirement and clarify prohibited conduct.

  • Commenters requested an intentionality standard for violations due to complexities in subcontracting and argued that only parties to a transaction should be liable. However, Commerce maintained that non-parties can also be held accountable if they knowingly assist in violating a Final Determination, such as by importing prohibited ICTS or directing actions that contravene a mitigation agreement.
  • The rule emphasizes that compliance with mitigation agreements published in the Federal Register is mandatory and aims to protect the ICTS supply chain by encouraging due diligence. To address concerns, the rule specifies that liability for assisting violations requires knowledge, as defined in existing regulations, of the mitigation agreement's existence. Prohibited activities for those with such knowledge include aiding and abetting violations, procuring noncompliant products, and providing false information to Commerce.
  • The final rule also provides a detailed list of activities that may lead to penalties, offering clarity on prohibited conduct. It consolidates provisions and removes duplicative language, ensuring consistency while retaining the authority to impose penalties on parties and non-parties that knowingly violate the regulations. These changes aim to reduce confusion and compliance costs while maintaining strong safeguards against risks posed by ICTS transactions.

No Licensing Procedure

Notably, the final rule does not include the anticipated licensing procedure. While this aspect remains under consideration, Commerce provided the following explanation of its decision to omit the licensing process in the final rule to expedite its release:

Given the complexity of the issues, the Department appreciates commenters’ thoughtful suggestions. The Department is still considering the concepts related to providing licenses, but this final rule does not include a licensing process. Additionally, while the Department anticipates that published Final Determinations will provide guidance to the public about applications of this final rule, the Department understands that additional guidance materials may be useful to those planning compliance with this rule. However, developing procedures to issue guidance or for parties to obtain advisory opinions is outside the scope of this rulemaking, and the Department will seek further comment prior to implementing any rule on that topic.

The decision underscores Commerce’s intent to continue implementing the broader framework for ICTS transaction reviews while deferring the development of licensing procedures to future rulemaking efforts. This omission by Commerce is a significant disappointment for industry, as a licensing process would enable businesses to make purchasing decisions with certainty that the equipment and services would not later be subject to restriction. Especially for ICTS that may have a useful life of many years, to manage regulatory risk, it would be highly beneficial to be able to obtain a safe harbor from future restrictions.

IMPLICATIONS AND KEY TAKEAWAYS

The final rule, rooted in EO 13873, underscores the US government’s continued commitment to securing the ICTS supply chain from national security risks posed by foreign adversaries. US-based multinational companies face additional complexities due to the expanded scope of the rule. For example, the removal of numerical thresholds broadens the scope of transactions under review, compelling ICTS providers and consumers to reassess their supply chains and compliance frameworks. Given the broad definitions adopted by the final rule, even minor connections to foreign adversaries can create jurisdiction and trigger regulatory scrutiny, making it essential for companies to proactively evaluate their ICTS transactions and supply chains.

Additionally, transactions involving foreign subsidiaries are now subject to heightened oversight if linked to foreign adversary influence. For companies with a global presence, including those from countries Commerce defines as US “foreign adversaries,” the promulgation of the final rule necessitates a reevaluation of business and operation strategies to ensure alignment with domestic and international regulatory standards. With the government likely to continue adding additional sectors and technologies to the scope—which may involve banning additional suppliers or requiring mitigation measures—companies must be prepared to actively monitor these updates and ensure timely compliance. Internal compliance programs should adapt to address the rule’s broader definitions and criteria, focusing on proactive risk identification and mitigation.

As we discussed in a prior LawFlash, thus far Commerce has only used its EO 13873 authorities in one instance, with respect to Kaspersky Lab Inc. Although we anticipate further actions will follow, we also assess that Commerce will use these authorities relatively surgically, to address only those transactions the government views as particularly high-risk. Therefore, companies that are likely to be considered especially sensitive by the government, such as companies in the critical infrastructure sector and companies that maintain sensitive personal data, should prepare for the possibility of intensified regulatory scrutiny of their ICTS supply chains.

In addition, as we discussed in a prior report, Commerce has embarked on a rulemaking proceeding that would use its EO 13873 authorities to regulate the supply chain for connected vehicles. Commerce issued proposed rules in September 2024, and final rules could be issued either this year or next. In addition, Commerce may soon initiate yet another rulemaking under EO 13873, this time focused on UAVs. Because all of these supply chain regulations are predicated on the legal authority issued by President Trump during the Trump-Pence administration, we anticipate that the new Trump-Vance administration will support the continued expansion of these authorities. We also note that the Biden administration has used other supply chain authorities that are likely to see continued use in the next administration, such as leveraging the relatively new Federal Acquisition Security Council (FASC) to limit government contracting with entities deemed to present national security risk, and using legislation such as the National Defense Authorization Act to name specific companies that are barred from certain government contracting.

In addition to evaluating the potential regulatory risk to their supply chains, businesses and other stakeholders should thoroughly review the updated rule in 15 CFR Part 791 and assess anticipated ICTS transactions against the expanded definitions and criteria. By adopting proactive measures, companies can mitigate operational and regulatory risks while aligning their practices with the US government’s priorities for ICTS security.

David Plotinsky, one of the authors of this LawFlash, was the initial drafter of EO 13873 while in government and helped oversee its implementation.
