On November 27, 2019, the Department of Commerce published in the Federal Register proposed regulations for its review and potential blocking of transactions involving the information and communications technology and services supply chain (ICTS Supply Chain). The notice follows President Donald Trump’s Executive Order of May 15, 2019, “Securing the Information and Communications Technology and Services Supply Chain,” which required Commerce to implement regulations governing the process and procedures that will be used to “identify, assess, and address certain information and communications technology and services transactions that pose an undue risk to critical infrastructure or the digital economy in the United States, or an unacceptable risk to U.S. national security or the safety of United States persons.” See Trump and Trade Update of May 16, 2019.
The May 2019 executive order prohibits transactions that involve information and communications technology or services designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary whenever the secretary of commerce determines that a transaction would pose a threat to national security. The executive order grants the commerce secretary the authority to prohibit any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service when it is determined that the transaction: (i) involves property in which a foreign country or national has an interest; (ii) includes information and communications technology or services designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary; and (iii) poses certain undue risks to critical infrastructure or the digital economy in the United States or certain unacceptable risk to U.S. national security or U.S. persons.
The proposed regulations make clear that the determination of a “foreign adversary” is a matter of executive branch discretion to be made solely by the secretary of commerce in consultation with other agencies. Commerce will also rely on the Office of the Director of National Intelligence (ODNI) and the Department of Homeland Security (DHS) to prepare an initial threat assessment and vulnerability assessment for any transactions of concern. The commerce secretary will then, on a case-by-case basis and in a fact-specific manner, review the transaction and determine whether the ICTS Supply Chain transaction should be prohibited or mitigated. Under the procedures set forth in the proposed regulations, parties to any particular transaction would be informed of the review and the preliminary determination and provided an opportunity to comment and provide supporting information before any final determination. If it is determined that a transaction presents an undue or unacceptable national security risk, Commerce is authorized to require measures to mitigate the transaction’s identified risks or the secretary of commerce may fully prohibit the transaction. An unclassified, written final determination will be provided to the parties that, to the extent possible, explains how the decision is consistent with the terms of the executive order, and a summary of the final determination, as appropriate, will also be made publicly available.
The proposed regulations define “information and communications technology or services” as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display.” Commerce has opened a public comment period on the proposed regulations and notes that the following entities could potentially be affected: (1) telecommunications service providers; (2) internet and digital service providers; and (3) supporting vendors and equipment manufacturers. Written comments must be submitted no later than December 27, 2019 via the Federal eRulemaking Portal at http://www.regulations.gov with docket number DOC-2019-0005. Comments may also be submitted via email to ICTsupplychain@doc.gov with “RIN 0605-AA51” in the subject line. (UPDATE: On December 23, 2019, the Department of Commerce extended the public comment period for these proposed regulations until January 10, 2020.)