Federal government assessing public feedback on preliminary ruling for ICTS regulation under the Biden administration

The U.S. Commerce Department has published an interim final rule (IFR) on January 19, 2021, to implement Executive Order 13873, issued in May 2019, on securing the information and communications technology (ICT) and services supply chain.

The IFR aims to establish a pre-clearance licensing mechanism for potentially covered transactions, focusing on six enumerated ICT categories: Critical Infrastructure, Networking, Hosting and Storage of Sensitive Personal Data, Widely Sold Surveillance, Monitoring, or Networking Devices, Widely Used Internet Communications Applications, and Emerging Technologies.

The IFR designates China (including Hong Kong), Cuba, Iran, North Korea, Russia, and Venezuela's Maduro regime as foreign adversaries. However, it's important to note that no government or regime has been officially designated as "foreign adversaries" under the implementation rules of Executive Order 13873 from May 2019. The Biden administration is actively reconsidering the IFR, and any interested parties should consider filing public comment to influence the administration’s decision on how to proceed with the rule's implementation.

The IFR does not impose immediate prohibitions but creates a framework for the Commerce Department to identify, mitigate, prohibit, or unwind covered transactions involving foreign adversaries that pose an undue or unacceptable risk to U.S. national security.

The IFR identifies ICT Transactions as any acquisition, importation, transfer, installation, dealing in, or use of any ICT or service, including ongoing activities such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.

The IFR does not categorically prohibit or require a license for any specific activity but authorizes the Secretary of Commerce, on a case-by-case basis, to identify, mitigate, prohibit, and/or unwind ICT Transactions that pose an undue or unacceptable risk.

Parties to a transaction under review will have 30 days to respond to the initial written determination. Final determinations regarding ICT Transactions will be published in the Federal Register, omitting any confidential business information.

The IFR does not apply to the acquisition of ICT items by a U.S. person as a party to a transaction authorized under a "U.S. government-industrial security program." The term "U.S. government-industrial security program" is not defined in the IFR, but it likely includes the National Industrial Security Program.

The IFR also exempts ICT Transactions that are currently being reviewed by the Committee on Foreign Investment in the United States (CFIUS). The IFR limits the scope of covered transactions to a stated-albeit expansive-list of ICT products and scenarios, previews the establishment of a "pre-clearance" licensing mechanism, and does not generally capture common carriers transporting ICT goods, unless they know, or should have known, they were providing transportation services related to prohibited transactions.

The IFR creates a new defined term "ICTS Transaction," which means any transaction, the structure of which is designed or intended to evade or circumvent the ICTS Executive Order. The rule is effective March 22, 2021, and seeks industry comments, also due March 22, 2021, which will be used to inform a potential final rule. Interested parties may submit comments on the IFR on or before March 22, 2021.

The IFR includes ICTS in cloud-computing services and defines electronic means as electromagnetic, magnetic, and photonic. The IFR does not generally capture common carriers transporting ICTS goods, unless they know, or should have known, they were providing transportation services related to prohibited transactions.

In summary, the U.S. Commerce Department's interim final rule aims to secure the ICT and services supply chain by creating a pre-clearance licensing mechanism, identifying foreign adversaries, and establishing a framework for managing ICT transactions that pose a risk to U.S. national security. The rule is open for comments from interested parties until March 22, 2021.