January 29, 2021

US Commerce Issues Rules for Review of ICTS Transactions for National Security Threats


On January 19, 2021, the US Department of Commerce (“Commerce”) issued a long-awaited interim final rule (“Interim Final Rule”),1 which would enable Commerce to prohibit or otherwise restrict transactions involving the information and communication technology and services (“ICTS”) supply chain, including both hardware and software, that have a nexus to certain designated “foreign adversaries,” including China, for purposes of protecting national security. The Interim Final Rule is scheduled to go into effect on March 22, 2021.2 Covered ICTS transactions that are pending, initiated or completed on or after January 19 may be reviewed (and potentially blocked or subjected to restrictive mitigation requirements). Under this Interim Final Rule, the Secretary of Commerce (“Secretary”) may review whether any ICTS transaction “has been designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries poses certain undue or unacceptable risks . . . (b) issue a determination to prohibit an ICTS Transaction; (c) direct the timing and manner of the cessation of the ICTS Transaction; and (d) consider factors that may mitigate the risks posed by the ICTS Transaction.”

This rule was issued pursuant to Executive Order 13873 on Securing the Information and Communications Technology and Services Supply Chain (“E.O. 13873”), issued by President Trump on May 15, 2019.

I. Background

E.O. 13873 authorizes the Secretary, in consultation with other relevant federal agencies, to prohibit or mitigate transactions that involve ICTS designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of a “foreign adversary” if such transactions pose an undue or unacceptable national security risk in the United States or to the safety of US persons.

As discussed in our previous Legal Update, Commerce previously issued a proposed rule on November 29, 2019.3 After a comment period, Commerce issued this Interim Final Rule to further clarify the review criteria and process and the Secretary’s broad authority to review such transactions.

II. Key Elements

Expansive Scope of ICTS Transactions Eligible for Review

Commerce proposes an expansive view of “transactions” subject to case-by-case review, including those (1) conducted by a person or involving a party under the jurisdiction of the United States; (2) involving “any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service)”; (3) “initiated, pending, or completed on or after [January 19, 2021], regardless of when any contract applicable to the transaction is entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted,” and (4) within a wide range of ICTS categories, including software and hardware involving greater than one million US persons, related to critical infrastructure, “sensitive personal data,” or artificial intelligence, robotics or machine learning. Subject transactions may include “ongoing activities,” of software updates or hosting, and transactions structured to evade or circumvent the order.

Exempted Transactions: The Interim Final Rule exempts the following categories of transactions: (1) where the Committee on Foreign Investment in the United States (“CFIUS”) has concluded action under section 721 of the Defense Production Act of 1950, although CFIUS review does not provide a “safe harbor” for future transactions involving the same ICTS; or (2) transactions “authorized under a U.S. Government-industrial security program,” subject to continuous security oversight and contractual obligations to US government agencies.

Review Process

Undertaking an Initial Review. The Interim Final Rule provides three ways for the Secretary to undertake an initial review of an ICTS Transaction: (i) receiving “any and all relevant information…that is not otherwise restricted by law for use for this purpose”; (ii) by written request of an “appropriate agency head”; or (iii) at the discretion of the Secretary. The Interim Final Rule does not provide guidance as to the third category.

Initial Review. The Initial Review requires that the Secretary first assess whether a referred transaction “involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” If the Secretary does not accept a referral and begin a review, a subsequent review may be undertaken if additional relevant information becomes available.

  • Foreign Adversaries: A “foreign adversary” is defined as “any foreign government or foreign non-government person engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.” The Interim Final Rule specifically identifies the following, based on US government threat and intelligence sources: the People’s Republic of China (China), the Russian Federation (Russia), the Islamic Republic of Iran (Iran), the Democratic People’s Republic of Korea (North Korea), the Republic of Cuba (Cuba) and Venezuelan politician Nicolás Maduro (Maduro Regime). The Interim Final Rule states that the Secretary has discretion to identify foreign adversaries subject to review and revision and that inclusion on this list does not apply outside the scope of E.O. 13873.

  • Relevant Parties: The Interim Final Rule applies to “any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary,” whether directly or via intermediaries, including those attempting to evade or circumvent the Executive Order. Common carriers are exempted, unless a common carrier knew or should have known that it was providing transportation services to a prohibited ICTS transaction.
  • Ties to a Foreign Adversary: To determine if a transaction “involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” the Secretary will consider ties between parties and a foreign adversary, including physical operational ties, relationships, laws or regulations a party is subject to, and “any other criteria that the Secretary deems appropriate.”

If the Secretary accepts a referral, the Secretary will then assess whether the specific ICTS Transaction poses an undue or unacceptable risk, as specified by E.O. 13873.

The Secretary may: seek relevant information, including under oath, “either before, during, or after an ICTS Transaction under review…conduct investigations, hold hearings, administer oaths, examine witnesses, receive evidence, take depositions, and require by subpoena the attendance and testimony of witnesses and the production of any books, contracts, letters, papers, and other hard copy or electronic documents relating to any matter under investigation.”

Interagency Review. The Interim Final Rule would establish an interagency coordination mechanism by requiring two separate points during the review process where the Secretary is required to consult with appropriate agency heads.4

Initial Determination.If the Secretary determines that the ICTS transaction meets the criteria for a covered ICTS transaction after initial review and interagency consultation, the Secretary will “issue an initial written determination explaining the finding and whether the Secretary has determined to prohibit or propose mitigation measures to the ICTS Transaction at issue.” Parties will then have 30 days to respond to this initial determination.

Final Determination.The Secretary would be required to issue a final determination on a reviewed transaction within 180 days of beginning an initial review, unless the Secretary provides otherwise. This final determination would not be applicable to future, related transactions and would note whether the reviewed transaction is “(1) prohibited; (2) not prohibited; or (3) permitted pursuant to the adoption of agreed-upon mitigation measures.” If a transaction is determined to be prohibited, the final determination will also specify the “least restrictive means” that are “necessary to attenuate or alleviate the undue or unacceptable risk posed by the ICTS Transaction.”

Confidentiality. In issuing a determination on a reviewed transaction, the Secretary may disclose business and other confidential information provided by parties, either by consent of the parties or in accordance with record release requirements of the Freedom of Information Act, 5 U.S.C. 552.

Preclearance Process. The Interim Final Rule would also establish a mechanism for parties to seek preclearance of proposed, pending, or ongoing ICTS transactions. These procedures will be established after a Final Rule is adopted.

Penalties. The proposed regulations would be subject to enforcement under the International Emergency Economic Powers Act (“IEEPA”). Penalties for violations of the regulation (including any final determination or terms of mitigation) include civil fines up to the greater of twice the value of the transaction or approximately $302,000 per violation, as well as criminal fines and imprisonment. Notwithstanding penalties applied under IEEPA, violations of the regulation could also be subject to other civil or criminal penalties under US law.   

III. Conclusion

The proposed rule is broad and sweeping in its potential scope and impact. Parties to ICTS transactions must now give consideration to whether and to what extent the equipment, software and technology involved in their transactions may come under the expansive scope of the rule.

Interested parties can provide input to the Interim Final Rule on or before March 22, 2021. Commerce will also implement procedures for a licensing process by May 19, 2021.

2 Since this Interim Final Rule has not taken effect, it is subject to the Biden administration’s January 20, 2021 announcement of a “regulatory freeze,” which directs agencies to “consider postponing the rules’ effective dates for 60 days from the date of this memorandum…for the purpose of reviewing any questions of fact, law, and policy the rules may raise.” There is a possibility that Commerce may use its discretion to allow for an additional comment period on this Interim Final Rule or to further revise the rule.

3 See https://www.mayerbrown.com/en/perspectives-events/publications/2019/12/us-department-of-commerce-proposes-rule-for-securing-the-nations-information-and-communications-technology-and-services-supply-chain.

4 The Interim Final Rule states that “[a]ppropriate agency heads means the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission, and the heads of any other executive departments and agencies the Secretary determines is appropriate.”

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.