Today, the U.S. Department of Commerce issued a notice of proposed rulemaking and requested comment on the implementation of Executive Order 13873, Securing the Information and Communications Technology and Services (ICTS) Supply Chain. The proposed rule sets out the procedures the Secretary of Commerce plans to use to identify, assess, and address ICTS transactions that pose an undue risk to ICTS in the United States, to the critical infrastructure or the digital economy in the United States, or an unacceptable risk to national security or to the security and safety of U.S. persons. The public will have a 30-day period to submit comments.
“These actions will safeguard the Information and Communications Technology Supply Chain,” said Secretary of Commerce Wilbur Ross. “These rules demonstrate our commitment to securing the digital economy, while also delivering on President Trump’s commitment to our digital infrastructure.”
The President issued EO 13873 on May 15, 2019 pursuant to statutory authorities, including the International Emergency Economic Powers Act and the National Emergencies Act, in light of the finding that foreign adversaries are increasingly exploiting ICTS to commit cyber actions, including economic and industrial espionage against the United States. The EO gives the Secretary of Commerce, in consultation with other relevant Federal agencies, authority to prohibit or mitigate transactions initiated, pending, or completed after May 15, 2019, that involve ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, if such transactions pose: an undue risk of sabotage or subversion of ICTS in the United States; an undue risk of catastrophic effects on the security and resiliency of critical infrastructure or the digital economy in the United States; or an unacceptable risk to national security or to the security and safety of U.S. persons.
The Secretary has chosen to adopt a case-by-case, fact-specific approach to determine which transactions must be prohibited, or which can be mitigated, according to the requirements in the Executive Order. The Secretary will use assessments developed by the Secretary of Homeland Security and the Director of National Intelligence pursuant to the Executive Order, among other things, to inform his evaluation of ICTS transactions.
While Executive Order 13873 empowers the Secretary immediately to prohibit or mitigate ICTS transactions that pose the risks identified in the Executive Order, the proposed rule sets forth procedures the Secretary will follow, except in instances where the risk of public harm or national security interests require a deviation from such procedures. Under the proposed rule, if the Secretary makes a preliminary determination, in consultation with other Federal agencies, to prohibit or mitigate a transaction, the Secretary will provide notice to the parties engaged in the transaction. Notified parties will have an opportunity to submit a position, which may include proposed measures for mitigation, prior to any final determination issued by the Secretary. The Secretary will provide an unclassified, written final determination provided to the parties that, to the extent possible, explains how the decision is consistent with the terms of the Executive Order, and, as appropriate, a summary of the final determination will also be made publicly available.
Request for Comment
The Department invites comment on all aspects of the proposed rule, but notes that the determination of “foreign adversaries” for the purpose of the Executive Order is solely within the Secretary’s discretion. Any non-public oral presentation to Department officials will be considered an ex parte presentation, and a summary of the meeting will be placed in the public record of this docket. Federal departments and agencies are not subject to the ex parte procedures.