Hogan Lovells 2024 Election Impact and Congressional Outlook Report
On November 26, 2021, the Department of Commerce published a proposed rule to amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain. The proposed rule adds a definition for “connected software application” and updates the definition of “information and communications technology or services” (ICTS) by explicitly mentioning “connected software applications.” It also includes amendments that permit the Secretary of Commerce to implement controls on the acquisition, importation, transfer, installation, dealing in, or use of any connected software applications from foreign adversaries that pose an unacceptable national security risk to the United States.
On November 26, 2021, the Department of Commerce (Department) published a proposed rule (“Proposed Rule”) to amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (ICTS IFR). The Proposed Rule would implement provisions of Executive Order 14034, “Protecting Americans’ Sensitive Data from Foreign Adversaries” (E.O. 14034) using the framework established by the ICTS IFR.
The original ICTS IFR–which implemented Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain”–defines “ICTS” and “ICTS Transaction” and lays out procedures by which the Secretary of Commerce (Secretary) would review information and communications technology and services (ICTS) transactions for whether they present an undue or unacceptable risk due to a foreign adversary's involvement.
On June 9, 2021, the President issued E.O. 14034, which finds “that the increased use in the United States of certain connected software applications designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary, which the Secretary of Commerce acting pursuant to E.O. 13873 has defined to include the People's Republic of China, among others, continues to threaten the national security, foreign policy, and economy of the United States.” It then directs the Secretary to “evaluate on a continuing basis transactions involving connected software applications that may pose an undue risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; pose an undue risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States; or otherwise pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.”
The Proposed Rule amends the ICTS IFR to add a definition for “connected software application”; updates the definition of ICTS by explicitly mentioning “connected software applications”; and includes additional criteria that the Secretary may consider in the aforementioned review procedures. These amendments permit the Secretary to implement controls on the acquisition, importation, transfer, installation, dealing in, or use of any connected software applications from foreign adversaries that pose an unacceptable national security risk to the United States.
Public comments on the Proposed Rule are due by December 27, 2021.
The proposed definition for “connected software application” is “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.”
With respect to this proposed definition, the Department seeks comments on “whether this definition is sufficient to identify fully this category of ICTS, or whether further clarification or elaboration is needed.” The specific questions that the Department posed as examples are:
Are there technical aspects to the definition that are used in industry or engineering that should be incorporated into the definition?
Should the Department include other devices, such as those that communicate through short message service (SMS) messages, or low-power radio protocols?
Should the definition be extended from “end-point” devices to “end-to-end” technology, and is “end-to-end” a term of art that we should employ?
Are there other means of communication or transmission that are not encompassed by this definition but should be included?
Moreover, the new definition for ICTS is “any hardware, software, including connected software applications, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display” (emphasis added).
Relatedly, the original ICTS IFR defines ICTS Transaction as “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download. An ICTS Transaction includes any other transaction, the structure of which is designed or intended to evade or circumvent the application of E.O. 13873. The term ICTS Transaction includes a class of ICTS Transactions.”
As mentioned, the Proposed Rule provides for new criteria to be considered in the procedures for determining whether a transaction involving connected software applications poses an undue or unacceptable risk. In making this determination for connected software applications, the Secretary would evaluate both the existing criteria in 7.103(c) and the new criteria. The current paragraph 7.103(d) will be redesignated as paragraph 7.103(e), and the new criteria will be included as paragraph 7.103(d). The new criteria are:
ownership, control, or management by persons that support a foreign adversary's military, intelligence, or proliferation activities;
use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary's access to sensitive or confidential government or business information, or sensitive personal data;
ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
a lack of thorough and reliable third-party auditing of connected software applications;
the scope and sensitivity of the data collected;
the number and sensitivity of the users of the connected software application; and
the extent to which identified risks have been or can be addressed by independently verifiable measures.
The Department welcomes comments on the following questions with respect to the new criteria:
Are these criteria sufficient? For example, should the Department add a criterion such as whether the software has any embedded out-going network calls or web server references, regardless of the ownership, control, or management of the software?
Should the criteria be more generally applicable to ICTS Transactions?
With regard to the phrase “ownership, control, or management,” should it be understood to include both continuous control/management and sporadic control/management ( e.g., when a third-party must be temporally granted access to apply updates/upgrades/patches/etc.), or should this phrase be further clarified?
Should the Department specifically define the terms “reliable third-party” and “independently verifiable measures,” and, if so, whether there are generally accepted definitions or terms of art that the Department should consider adopting?
Is the reference to “third-party auditing of connected software applications” sufficiently clear? For example, would it be understood to apply to audits by a third party of only the connected software applications, or to audits of the organizations implementing the software applications as well?
Should the requirement to audit applications be revised to make clear that auditing is a continuous process through the development and deployment life cycle of the application?
Would the requirement to audit applications be understood to refer only to source-code examination and verification, or would it also include monitoring of logs or other data that the application collects?
Public comments to the Proposed Rule are due by December 27, 2021.
Hogan Lovells would be pleased to assist in submitting comments to the Proposed Rule and to help with questions about the Proposed Rule and how it could affect your business.
Authored by Hao-Kai Pai.