0 votes
asked ago by (58.3k points)
Nov 26 -- The Department of Commerce is proposing to amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (Supply Chain Rule), which was published on January 19, 2021, 86 FR 4909. Specifically, this proposed rule would amend the Supply Chain Rule to provide for additional criteria that the Secretary of Commerce (the Secretary) may consider specifically when determining whether ICTS Transactions (as defined in the Supply Chain Rule) that involve connected software applications present an undue or unacceptable risk.  
 
The rule also makes conforming changes by revising the definition of ICTS to expressly include “connected software applications” and adding a definition of “connected software application” that is consistent with that used in E.O. 14034. The Department is interested in the public's views on the additional criteria for connected software applications, including whether they should be applied to all ICTS Transaction reviews, whether there are other criteria that should be applied, and how the Secretary should apply the criteria to ICTS Transactions involving connected software applications.
 
Comments to this proposed rule must be received on or before December 27, 2021.
 
On June 9, 2021, the President issued E.O. 14034 to “elaborate upon measures to address the national emergency with respect to the information and communications technology and services supply chain that was declared in Executive Order 13873 of May 15, 2019, `Securing the Information and Communications Technology and Services Supply Chain.' ” E.O. 14034 sets out the finding “that the increased use in the United States of certain connected software applications designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary, which the Secretary of Commerce acting pursuant to E.O. 13873 has defined to include the People's Republic of China, among others, continues to threaten the national security, foreign policy, and economy of the United States.” This rule would implement E.O. 14034 by specifically adding the term “connected software applications” and the accompanying criteria, which do not appear in E.O. 13873, to the Supply Chain Rule to ensure the rule clearly and consistently identifies the ICTS that is threatened.  
 
E.O. 14034 orders the Secretary to “evaluate on a continuing basis transactions involving connected software applications that may pose an undue risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; pose an undue risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States; or otherwise pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.”

E.O. 14034 further sets out certain factors, consistent with the criteria established in E.O. 13873 and in addition to those set forth in the Supply Chain Rule, that should be considered in evaluating the risks of a transaction involving connected software applications. Specifically, E.O. 14034 lists the following as potential indicators of risk related to connected software applications: “ownership, control, or management by persons that support a foreign adversary's military, intelligence, or proliferation activities; use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary's access to sensitive or confidential government or business information, or sensitive personal data; ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary; ownership, control, or management of connected software applications by persons involved in malicious cyber activities; a lack of thorough and reliable third-party auditing of connected software applications; the scope and sensitivity of the data collected; the number and sensitivity of the users of the connected software application; and the extent to which identified risks have been or can be addressed by independently verifiable measures.”

This proposed rule incorporates these potential indicators of risk as criteria to be considered by the Secretary when assessing whether an ICTS Transaction involving connected software applications poses an undue or unacceptable risk. The Department seeks public comments on these criteria, including how the Secretary should apply these to ICTS Transactions involving connected software applications, and whether there are additional criteria that should be considered by the Secretary with respect to connected software applications. The Department is also interested in the public's views as to whether these criteria should be applied to all ICTS Transaction reviews or just those that involve connected software applications. In addition, the Department seeks comment on any other considerations the Secretary should take into account when determining whether an ICTS Transaction involving connected software applications should, consistent with the authority and procedures of E.O. 13873 and the Supply Chain Rule, be allowed, mitigated, or prohibited.

Additionally, consistent with E.O. 14034's recognition of the ongoing threat, identified in E.O. 13873, by foreign adversaries to steal or otherwise obtain data through connected software applications, the Department notes that the term “information and communications technology and services” encompasses “connected software applications” and is proposing to revise the definition of ICTS accordingly to expressly so specify. This rule would also make a conforming revision to the term “ICTS Transaction,” and would define “connected software applications” as “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.”  
 
FR notice inviting comment on proposed amended interim final rule: https://www.federalregister.gov/documents/2021/11/26/2021-25329/securing-the-information-and-communications-technology-and-services-supply-chain-connected-software  
E.O. 14034, Protecting Americans' Sensitive Data From Foreign Adversaries (6/9/21): https://www.federalregister.gov/documents/2021/06/11/2021-12506/protecting-americans-sensitive-data-from-foreign-adversaries
E.O. 13873, Securing the Information and Communications Technology and Services Supply Chain (5/15/19): https://www.federalregister.gov/documents/2019/05/17/2019-10538/securing-the-information-and-communications-technology-and-services-supply-chain

Please log in or register to answer this question.

...