Round-Up: Proscriptive ICTS Supply Chain Regulation as a Means of Addressing Cyber Risk
Cybersecurity Awareness Month is a good time to highlight one trend in federal efforts to address cyber risk: proscriptive regulation of the information and communications technology and services (“ICTS”) supply chain.
Supply chain risk management is a broad field encompassing, among other things, federal efforts to improve software security, and proposals to revise the FAR to standardize cybersecurity and incident reporting requirements for US government contractors. This Legal Update concerns a different trend toward restricting use of equipment and services with ties to jurisdictions viewed as high-risk by the US government. That regulatory impulse has implications for buyers and sellers alike: it signals the salience of the issue from a cybersecurity standpoint, it leads to limitations on what companies in the United States can purchase, and it may encourage the development of so-called “trusted markets” in other jurisdictions. Here, we outline the origin of those authorities and provide the current status on how they have been deployed so far, according to public information.
Introduction
Over at least the last two presidential administrations, the proliferation of supply chain attacks, combined with growing tensions in major bilateral relationships, has led to heightened concern within the federal government about the “[c]omplex and globally interconnected supply chains [that] produce the information, communications, and operational technology products and services that power the U.S. economy.”1
President Donald Trump issued an executive order in 2019, declaring a “national emergency” stemming from “foreign adversaries [] increasingly creating and exploiting vulnerabilities in information and communications technology and services,”2 which President Joseph Biden followed with an executive order focused specifically on “the increased use in the United States of certain connected software applications designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.”3 For its part, Congress expanded the authority of the federal government to invoke security concerns as a basis for making procurement decisions, and to regulate equipment and services that foreign providers can sell or operate within the United States,4 and has even identified certain foreign companies by name as security threats.5
In the past year, the executive branch has taken steps to implement those authorities through administrative rulemaking, reflected in the US Department of Commerce’s (“Commerce”) ICTS Supply Chain rule,6 the Federal Acquisition Security Council (“FASC”),7 and the Federal Communications Commission’s (“FCC”) Covered List.8
Commerce Department
On June 16, 2023, Commerce promulgated the final rule implementing the two aforementioned executive orders, governing its investigations of ICTS transactions with a nexus to “foreign adversaries.”9
Under its final rule, the Secretary of Commerce is empowered to investigate, mitigate, and outright prohibit transactions involving ICTS if:
- they are designed, developed, manufactured, or supplied by persons controlled by or subject to the jurisdiction or direction of a “foreign adversary,”10
- and the Secretary finds they pose an “undue or unacceptable risk.”
Importantly, because the rule stems from the president’s declaration of an emergency under the International Emergency Economic Powers Act (“IEEPA”),11 the “transaction” (or class of transactions) regulated under this rule must involve property in which a foreign country or foreign national has an interest (including through the provision of services).12 Commerce has also limited the scope of the rule to transactions involving ICTS that will be used in critical infrastructure or in other, identified ways (e.g., within mobile networks or core networking systems).13
Commerce may initiate the review of a transaction on its own initiative, based on a referral from another agency, or “[u]pon receipt” (from any source) of virtually any lawfully acquired information (including public information).14 Despite contemplating the power to unwind transactions,15 the rule does not require notification by a party before completing an ICTS transaction. An ANPRM concerning licensing or preclearance is widely anticipated this fall.
During its investigation of a particular transaction, Commerce may consider “any and all relevant information,” including classified information.16 In assessing whether particular forms of ICTS have a sufficient tie to a “foreign adversary,” Commerce may consider the location of the manufacturer as well as its suppliers, “ties” between the supplier and the foreign government, and the foreign adversary’s laws.17
If the Secretary of Commerce determines, from an initial review, that the transaction meets the threshold set for action,18 a series of interagency consultations, determinations, and engagement with the transaction parties will occur, before the secretary determines whether to prohibit the transaction, allow it to proceed as planned, or allow it to proceed on the condition of negotiated mitigation measures.19 Violations of a final determination carry the civil and criminal penalties of IEEPA.20
Even prior to issuance of the final rule, Commerce issued subpoenas to Chinese companies that provide ICTS in the United States,21 and the Department of Justice’s National Security Division indicated an intent to investigate supply chain vulnerabilities of companies that are Russian or operate in Russia, in response to the SolarWinds supply chain attack.22 In total, NSD has made at least 9 referrals to Commerce under this authority. The status of those (potentially ongoing) investigations is not public.
Federal Communications Commission
In 2020, Congress passed the Secure and Trusted Communications Networks Act (“STCNA”) to prohibit certain federal subsidies from being used to purchase communications equipment or services posing national security risks, and to provide for reimbursements for the replacement of equipment or services posing those risks.23
The STCNA requires the FCC to maintain a list of “covered” communications or services that are deemed to pose an unacceptable risk to the national security of the United States, or the security and safety of US persons. Upon a determination by the FASC, Commerce (through the process described above), or other “appropriate” national security agency24 that certain equipment or services pose such an unacceptable risk, and—assuming that the equipment or service meets certain technical requirements under the STCNA25 —the FCC “shall” include the equipment or service on its Covered List.26
FCC administered funds may not be used to purchase, rent, lease or otherwise obtain covered communications equipment or services.27 In addition, and as required by the Secure Equipment Act of 202128, the FCC later prohibited equipment on the Covered List from receiving an authorization from the FCC to operate within the United States.29
The Covered List was first populated on March 12, 202130, and later updated March 25, 202231 and September 20, 2022.32 To date, the Covered List consists largely of entities that either Congress directed be added to the Covered List by legislation,33 or whose licenses the FCC denied or revoked following recommendations by Team Telecom.34 Perhaps to encourage the FCC to keep adding to the list, STCNA requires the FCC to notify the public if no updates are made within a twelve-month period.35 The FCC made its first such notification on September 20, 2023,36 though on September 1, 2023, FCC Chairwoman Jessica Rosenworcel asked US government agencies to consider making a determination that Chinese companies Quectel and Fibocom Wireless pose unacceptable national security risks.37
Congress initially appropriated $1.9 billion for the FCC’s STCNA reimbursement program. However, based upon the applications seeking reimbursement, this amount represents a $3.08 billion shortfall, as the total amounts requested in funding equaled approximately $4.98 billion. As a result, on October 10, 2023, the FCC granted a number of six-month extensions to broadband providers, who “due to no fault of such recipient,” did not meet the FCC’s initial one-year deadline.
The FASC
In 2018, Congress passed the Federal Acquisition Supply Chain Security Act (“FASCSA”),38 establishing the FASC to improve executive branch coordination, supply chain information sharing, and actions to address supply chain risks stemming from procurement.
On August 26, 2021, the FASC—composed of twelve named agencies and agency components39 —promulgated the final rule40 (“FASC Rule”) to implement its authority under the FASCSA. The FASC has authority to evaluate41 and make recommendations42 for orders that would require the removal of “covered articles” from executive agency information systems,43 or the exclusion of sources or covered articles from executive agency procurement actions.44 These covered articles may include various forms of ICTS equipment and services.
Under the FASC Rule, the FASC first evaluates sources and covered articles for possible supply chain risks, considering factors that include the security, authenticity, and integrity of covered articles and associated supply chains; ownership, control, or influence by a foreign government or parties owned or controlled by a foreign government; and threats to or vulnerabilities of federal systems. Federal and non-federal entities may also submit supply chain risk information to the FASC for its consideration under the FASC Rule. Upon conducting this supply chain assessment, the FASC submits its recommendation for an exclusion or removal order to the Secretary of Homeland Security, Secretary of Defense, and/or Director of National Intelligence, as well as a notice to the source itself to allow the source to submit information in opposition to the FASC recommendation. Those officials then review the FASC’s recommendation, along with any information submitted by the source, to determine whether to issue an exclusion or removal order. Unlike the Covered List or the Commerce ICTS rule, there is no public information about whether the FASC has taken action under the FASC Rule, although DOJ has made at least two referrals, involving four companies, to the FASC.
The development of these authorities reflects the view across at least two presidential administrations that the trustworthiness of equipment and services depends in part on their country of origin, and through them, the executive branch has reserved the right to preclude them from even private telecommunications networks in the future. Although there has been no rush to exercise these authorities with respect to particular equipment and services (and the procurement process has been impacted more than transactions that do not involve the government), consumers and suppliers alike should consider the potential for future—even retroactive—action under these authorities when considering capital expenditures or service contracts related to ICTS.
1 See The White House, National Cybersecurity Strategy, at 32 (March 1, 2023), National-Cybersecurity-Strategy-2023.pdf (whitehouse.gov).
2 Exec. Order No. 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain (May 15, 2019), Executive Order on Securing the Information and Communications Technology and Services Supply Chain – The White House (archives.gov).
3 Exec. Order No. 14034, Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (June 9, 2021), Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries | The White House.
4 See Secure and Trusted Communications Networks Act of 2019, Pub. L. No. 116-124, 134 Stat. 158 (2020) (codified at 47 U.S.C. § § 1601-1609); Federal Acquisition Supply Chain Security Act of 2018, Pub. L. No. 115-390, tit. II, 132 Stat. 5173 (2018) (codified at 41 U.S.C. §§ 1321-1328).
5 John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. No. 115-232, § 889, 132 Stat. 1917 (2018); see also Expired: DOD’s Waiver on Section 889 Part B Prohibition on Certain Telecom and Video Surveillance Services or Equipment (Oct. 14, 2022).
7 See Amendments to 41 C.F.R. §§ 201 et seq.; 41 C.F.R. §§ 201 et seq.
8 See Secure and Trusted Communications Networks Act, Pub. L. No. 116-124, 134 Stat. 158 (2020) (codified at 47 U.S.C. §§ 1601-1609); Federal Communications Commission, List of Equipment and Services Covered By Section 2 of The Secure Networks Act (last updated September 20, 2022), List of Equipment and Services Covered By Section 2 of The Secure Networks Act | Federal Communications Commission (fcc.gov).
9 We discussed the prior, interim final rule in a Legal Update, US Commerce Issues Rules for Review of ICTS Transactions for National Security Threats (Jan. 29, 2021).
10 To-date identified as the People’s Republic of China, including Hong Kong, Cuba, Iran, North Korea, Russia, and the Maduro Regime of Venezuela. 15 C.F.R. § 7.4.
11 See International Emergency Economic Powers Act, Pub. L. No. 110-96, 121 Stat. 1011 (1977) (codified at 50 U.S.C. §§ 1701-1709).
16 15 C.F.R. § 7.100(a), (a)(4).
18 15 C.F.R. §§ 7.104, 7.103(c).
21 See Office of Public Affairs, U.S. Secretary of Commerce Gina Raimondo Statement on Actions Taken Under ICTS Supply Chain Executive Order, U.S. Department of Commerce (March 17, 2021), U.S. Secretary of Commerce Gina Raimondo Statement on Actions Taken Under ICTS Supply Chain Executive Order | U.S. Department of Commerce.
22 See Jason Miller, DoJ, FBI, IC reviewing supply chain threats posed by Russian companies, FEDERAL NEWS NETWORK (May 25, 2021), DoJ, FBI, IC reviewing supply chain threats posed by Russian companies | Federal News Network.
23 See Secure and Trusted Communications Networks Act of 2019, Pub. L. No. 116-124, 134 Stat. 158 (2020) (codified at 47 U.S.C. §§ 1601-1609).
24 Meaning, the Department of Homeland Security, the Department of Defense, the Office of the Director of National Intelligence, the National Security Agency, or the Federal Bureau of Investigation. 47 U.S.C. § 1608(2).
25 The equipment or service must be capable of either routing or redirecting user data traffic or permitting visibility into such data, or causing the network of a provider of advanced communications services to be disrupted remotely, or “otherwise pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.” 47 U.S.C. § 1601(b)(2).
27 See 47 U.S.C. § 1602. On December 11, 2020, the FCC issued Order Number 20-176 to implement this component of the STCNA.
28 See Secure Equipment Act of 2021, Pub. L. No. 117-55, 135 Stat. 423 (2021).
29 See Federal Communications Commission, Protecting Against National Security Threats to the Communications Supply Chain Through the Equipment Authorization Program, 88 Fed. Reg. 7592 (Feb. 6, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-02-06/pdf/2022-28263.pdf; Legal Update, FCC Bans Approval of New Telecommunications Equipment for Entities on the Covered List (Dec. 21, 2022).
30 See Federal Communications Commission, Public Safety and Homeland Security Bureau Announces Publication of the List of Equipment and Services Covered By Section 2 of the Secure Networks Act (March 12, 2021), DA-21-309A1.pdf (fcc.gov).
31 See Federal Communications Commission, Public Safety and Homeland Security Bureau Announces Additions To the List of Equipment and Services Covered By Section 2 of the Secure Networks Act (March 25, 2022), DA-22-320A1.pdf (fcc.gov).
32 See Federal Communications Commission, Public Safety and Homeland Security Bureau Announces Additions To the List of Equipment and Services Covered By Section 2 of the Secure Networks Act (September 20, 2022), DA-22-979A1.pdf (fcc.gov).
33 See Secure and Trusted Communications Networks Act, Pub. L. No. 116-124, § 2(c)(3), 134 Stat. 158 (2020) (codified at 47 U.S.C. § 1601(c)(3)) (citing the FY2019 NDAA); https://docs.fcc.gov/public/attachments/DA-21-309A1.pdf.
34 Team Telecom, now formally known as the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector, advises the FCC on whether to grant licenses to telecommunications companies having foreign ownership. See Legal Update, President Trump Executive Order Establishes Committee for Assessing Foreign Investment in US Telecom Sector: Summary and Analysis (Apr. 8, 2020). In addition, AO Kaspersky Lab was added based on a Binding Operational Directive by DHS in 2017.
36 See Federal Communications Commission, Public Safety and Homeland Security Bureau Announces Status of the List of Equipment and Services Covered By Section 2 of the Secure and Trusted Communications Network Act (September 20, 2023), DA-23-876A1.pdf (fcc.gov).
37 David Shepardson, US FCC chair says China’s Quectel, Fibocom may pose national security risks, REUTERS (September 6, 2023), US FCC chair says China's Quectel, Fibocom may pose national security risks | Reuters
38 See Federal Acquisition Supply Chain Security Act of 2018, Pub. L. No. 115-390, tit. II, 132 Stat. 5173 (2018) (codified at 41 U.S.C. §§ 1321-1328).
41 See 41 C.F.R. § 201-1.102(b).
42 See 41 C.F.R. § 201-1.301(a).
