On November 26, 2021, the Department of Commerce published a Proposed Rule that would amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (“ICTS Regulations”) to specifically address connected software applications. The Proposed Rule would make changes prompted by Executive Order 14034 (“EO 14034”) to the ICTS Regulations. We previously blogged about the ICTS Regulations here, here, and here. The Commerce Department is seeking public comments on the Proposed Rule by January 11, 2022.

The basis for the Proposed Rule appears to be a review conducted by the Biden Administration pursuant to EO 14034, which initiated a “rigorous, evidence-based analysis” of the national security risks associated with the transfer of or access to US persons’ data, particularly with regard to access by persons owned, controlled, or subject to the jurisdiction of “foreign adversaries.”  We previously blogged about EO 14034 here.

The Proposed Rule would add “connected software applications” to the definitions and purpose sections of the ICTS Regulations.  It would also confirm that certain transactions involving “connected software applications” would fall within the category of “Covered ICTS Transactions” under the ICTS Regulations.

In addition, the Proposed Rule would incorporate certain factors from EO 14034 into the ICTS Regulations that should be considered in evaluating the risks of a Covered ICTS Transaction. Specifically, EO 14034 lists the following as potential indicators of risk related to connected software applications:

  • ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
  • use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
  • ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
  • ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
  • a lack of thorough and reliable third-party auditing of connected software applications;
  • the scope and sensitivity of the data collected;
  • the number and sensitivity of the users of the connected software application; and
  • the extent to which identified risks have been or can be addressed by independently verifiable measures.

If you wish to submit a comment on the Proposed Rule or have any questions, please contact any member of our Outbound Trade Compliance team.

Author

Bart McMillan leads the Chicago Office’s International Trade Compliance Subpractice within the North American International Commercial Practice. He advises US and non-US companies on international trade compliance matters arising under US export controls, trade sanctions, and antiboycott rules, as well as under US customs laws with respect to classification, valuation, country of origin, free trade agreements, and the protection of intellectual property at the US border. His practice also covers antibribery and specialized commercial compliance issues in sales and sales promotion under the US Foreign Corrupt Practices Act (FCPA), non-US antibribery law, and non-US commercial laws. Mr. McMillan has been practicing with Baker McKenzie for the entirety of his legal career, and during 2004 he was located in the Washington, DC office. He is a frequent speaker on international trade compliance matters at seminars, conferences, and company training events. While pursuing his J.D. at NYU School of Law, Mr. McMillan was Staff Editor (1997-98) and Associate Editor (1998-99), New York University Law Review; and he participated in a semester exchange to the Central European University (Budapest) (Legal Studies Dep’t).

Author

Alexandre Lamy joined Baker McKenzie in 2009 and currently works in the Firm's International Trade Practice Group. He assists clients with sanctions and export controls (Export Administration Regulations (EAR); International Traffic in Arms Regulations (ITAR)) and he advises clients on corporate compliance matters. Since August 2011, Alex has served on the steering group for the ABA Section of International Law’s Export Controls & Economic Sanctions Committee and is currently a Vice Chair of the Committee. He has organized several events regarding recent developments in US trade sanctions and export controls for the Committee.