<RULE>
DEPARTMENT OF COMMERCE
<CFR>15 CFR Part 791</CFR>
<DEPDOC>[Docket No. 241112-0292]</DEPDOC>
<RIN>RIN 0605-AA51</RIN>
<SUBJECT>Securing the Information and Communications Technology and Services Supply Chain</SUBJECT>
<HD SOURCE="HED">AGENCY:</HD>
U.S. Department of Commerce
<HD SOURCE="HED">ACTION:</HD>
Final rule.
<SUM>
<HD SOURCE="HED">SUMMARY:</HD>
On January 19, 2021, the Department of Commerce (Department) issued an interim final rule establishing procedures for its review of transactions involving information and communications technology and services (ICTS) designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary that may pose undue or unacceptable risk to the United States or U.S. persons. In the interim final rule, the Department solicited public comments and committed to promulgating a final rule. This final rule responds to public comments on the interim final rule and finalizes the practices guiding review of ICTS Transactions, amending and, in some cases, removing terms or concepts which experience has shown to be unnecessary, inefficient, or ineffective.
</SUM>
<DATES>
<HD SOURCE="HED">DATES:</HD>
This rule is effective February 4, 2025.
</DATES>
<HD SOURCE="HED">ADDRESSES:</HD>
Supporting documents:
• The Regulatory Impact Analysis/Final Regulatory Flexibility Analysis (RIA/FRFA) prepared in support of this action is available at
<E T="03">https://www.regulations.gov</E>
at docket number DOC-2019-0005;
• The
<E T="04">Federal Register</E>
notice on the interim final rule (IFR) and public comments on the IFR are available at docket number DOC-2019-0005;
• The National Security Memorandum 22 on Critical Infrastructure Security and Resilience is available at
<E T="03">https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/;</E>
• The Presidential Policy Directive—Critical Infrastructure Security and Resilience is available at
<E T="03">https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil;</E>
• The Federal Continuity Directive 2 is available at
<E T="03">https://www.fema.gov/emergency-managers/national-preparedness/continuity/toolkit/resources;</E>
• The National Security Strategy of the United States is available at
<E T="03">https://www.whitehouse.gov/wp-content/uploads/2022/10/Biden-Harris-Administrations-National-Security-Strategy-10.2022.pdf;</E>
• The Director of National Intelligence's Worldwide Threat Assessments of the U.S. Intelligence Community is available at
<E T="03">https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf;</E>
• The National Cybersecurity Strategy of the United States is available at:
<E T="03">https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf;</E>
• The United States Government National Standards Strategy for Critical and Emerging Technology is available at
<E T="03">https://www.whitehouse.gov/wp-content/uploads/2023/05/US-Gov-National-Standards-Strategy-2023.pdf;</E>
and
• The Office of Science and Technology Policy's list of Critical and Emerging Technologies is available at
<E T="03">https://www.whitehouse.gov/wp-content/uploads/2024/02/Critical-and-Emerging-Technologies-List-2024-Update.pdf.</E>
<FURINF>
<HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD>
Katelyn Christ, U.S. Department of Commerce, Telephone: (202) 482-3064, email:
<E T="03">ICTsupplychain@doc.gov.</E>
For media inquiries: Katherine Schneider, Office of Congressional and Public Affairs, Bureau of Industry and Security, U.S. Department of Commerce:
<E T="03">OCPA@bis.doc.gov.</E>
</FURINF>
<SUPLINF>
<HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD>
<HD SOURCE="HD1">I. Background</HD>
<HD SOURCE="HD2">A. Authority</HD>
In E.O. 13873, “Securing the Information and Communications Technology and Services Supply Chain,” the President delegated to the Secretary of Commerce (Secretary) pursuant to 3 U.S.C. 301, to the extent necessary to implement the order, the authority granted under the International Emergency Economic Powers Act (IEEPA) (50 U.S.C. 1701,
<E T="03">et seq.</E>
), “to deal with any unusual and extraordinary” foreign threat to the United States' national security, foreign policy, or economy, if the President declares a national emergency with respect to such threat. 50 U.S.C. 1701(a). In E.O. 13873, the President declared a national emergency with respect to the “unusual and extraordinary” foreign threat posed to the ICTS supply chain and has, in accordance with the National Emergencies Act (NEA) (50 U.S.C. 1601,
<E T="03">et seq.</E>
), extended the declaration of this national emergency in each year since E.O. 13873's publication.
<E T="03">See</E>
85 FR 29321 (May 14, 2020); 86 FR 26339 (May 13, 2021); 87 FR 29645 (May 13, 2022); 88 FR 30635 (May 11, 2023); 89 FR 40353 (May 9, 2024).
Specifically, the President identified the “unrestricted acquisition or use in the United States of [ICTS] designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” as “an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States” that “exists both in the case of individual acquisitions or uses of such technology or services, and when acquisitions or uses of such technologies are considered as a class.” E.O. 13873;
<E T="03">see also</E>
50 U.S.C. 1701(a) and (b).
Once the President declares a national emergency, IEEPA empowers the President to, among other acts, investigate, regulate, prevent, or prohibit, any “acquisition, holding, withholding, use, transfer, withdrawal, transportation, importation or exportation of, or dealing in, or exercising any right, power, or privilege with respect to, or transactions involving, any property in which any foreign country or a national thereof has any interest by any person, or with respect to any property, subject to the jurisdiction of the United States.” 50 U.S.C. 1702(a)(1)(B).
To address the identified risks to national security from ICTS transactions, the President in E.O. 13873 imposed a prohibition on transactions determined by the Secretary, in consultation with relevant agency heads, to involve foreign adversary ICTS and to pose certain risks to U.S. national security, technology, or critical infrastructure. Specifically, to fall within the scope of the prohibition, the Secretary, in consultation with relevant agency heads, must determine that any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology and services (an ICTS Transaction): (1) “involves [ICTS] designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” defined in E.O. 13873 as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons;” and (2):
A. “poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;”
B. “poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States;” or
C. “otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.”
These factors are collectively referred to as “undue or unacceptable risks.” Further, E.O. 13873 section 1(b) grants the Secretary the authority to design or negotiate mitigation measures that would allow an otherwise prohibited transaction to proceed.
<HD SOURCE="HD2">B. ICTS Transaction Review Regulations</HD>
On November 27, 2019, the Department of Commerce (Department) published a proposed rule to implement the terms of E.O. 13873 (84 FR 65316). The proposed rule set forth processes for how: (1) the Secretary would evaluate and assess transactions involving ICTS with a nexus to foreign adversaries to determine whether they pose an undue risk of sabotage to or subversion of the ICTS supply chain, or an unacceptable risk to the national security of the United States or the security and safety of U.S. persons; (2) parties to transactions reviewed by the Secretary could comment on the Secretary's preliminary decisions; and (3) the Secretary would notify parties to transactions of the Secretary's decision regarding ICTS Transactions under review, including whether the Secretary would prohibit the transaction or mitigate the risks posed by the transaction. The proposed rule also provided that the Secretary could act without complying with the proposed procedures where required by national security. Finally, it provided that the Secretary would establish penalties for violations of mitigation agreements, the regulations, or E.O. 13873.
After receiving and reviewing comments to the proposed rule, on January 19, 2021, the Department published an interim final rule titled, “Securing the Information and Communications Technology and Services Supply Chain,” (the interim final rule or the IFR; 86 FR 4909). The interim final rule responded to comments to the proposed rule, many of which requested greater specificity about what constitutes ICTS, an ICTS Transaction, or transactions that would be subject to the Department's rev