On December 5, 2024, the U.S. Department of Commerce, Bureau of Industry and Security (“BIS”) issued a final rule (the “Final Rule”) implementing the procedures BIS will follow when reviewing information and communications technology and services (“ICTS”) transactions that may pose a risk to U.S. national security pursuant to Executive Order (E.O.) 13873.[1] In particular, the Final Rule authorizes the Secretary of Commerce (the “Secretary”) (or the Secretary’s designee, e.g., the Under Secretary of Commerce for Industry and Security) to review, prohibit, or impose mitigation measures on certain types of transactions (“Covered ICTS Transactions”) that involve ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary and that pose an undue or unacceptable risk to U.S. national security. We consider each of these concepts below, after which we discuss the review, prohibition, and mitigation processes associated with covered transactions.
The Final Rule, which will take effect February 4, 2025, is largely consistent with the interim final rule issued on January 19, 2021 and the proposed rule issued on November 27, 2019.
In 2022, BIS formed the Office of Information and Communications Technology and Services (“OICTS”) to implement the ICTS program. In June 2024, OICTS announced a first-of-its-kind final determination prohibiting Kaspersky Lab, Inc., the U.S. subsidiary of a Russia-based anti-virus software and cybersecurity company, from selling its software within the United States or providing updates to software already in use. In January 2025, OICTS issued (i) a final rule that prohibits the sale or import of connected vehicles integrating specific pieces of hardware and software, or those components sold separately, with a sufficient nexus to China or Russia, and (ii) an advance notice of proposed rulemaking that contemplates expanding the scope of the ICTS program to cover certain transactions involving ICTS integral to unmanned aircraft systems. We previously wrote about the September 2024 connected vehicles proposed rule here.
I. Covered ICTS Transactions
Covered ICTS Transaction is broadly defined as the acquisition, importation, transfer, installation, dealing in, or use of any ICTS[2] by a person subject to the jurisdiction of the United States or involving property subject to the jurisdiction of the United States that involves any property in which any foreign country or a national thereof has any interest of any nature whatsoever, whether direct or indirect, initiated, pending, or completed on or after January 19, 2021.[3]
A Covered ICTS Transaction, as defined in the Final Rule, is a transaction for which the Secretary may initiate a review. However, as part of the initial review process, the Secretary must also determine whether a Covered ICTS Transaction involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary that poses an undue or unacceptable risk to U.S. national security. We break down each of these elements further below.
A. Foreign Adversary
Under the Final Rule, foreign adversary includes:
- The People’s Republic of China, including the Hong Kong Special Administrative Region and the Macau Special Administrative Region;
- The Republic of Cuba;
- The Islamic Republic of Iran;
- The Democratic People’s Republic of Korea;
- The Russian Federation; and
- Venezuelan politician Nicolás Maduro.
The Secretary has discretion to revise the list of foreign adversaries without prior notice or opportunity for public comment.
B. Undue or Unacceptable Risk to U.S. National Security
The Final Rule requires the Secretary to determine whether a Covered ICTS Transaction involving ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary poses an undue or unacceptable risk to U.S. national security using a number of factors, including:[4]
- The nature and characteristics of the ICTS;
- The nature and degree of the ownership, control, direction, or jurisdiction exercised by the foreign adversary or foreign adversary persons over the design, development, manufacture, or supply of the ICTS;
- The statements and actions of the foreign adversary, the persons involved in the design, development, manufacture, or supply of the ICTS, and the parties to the Covered ICTS Transaction;
- Whether the Covered ICTS Transaction poses a discrete or persistent threat;
- The nature and characteristics of the customer base, business relationships, and operating locations of the parties to the Covered ICTS Transaction;
- Whether there is an ability to otherwise mitigate the risks posed by the Covered ICTS Transaction;
- The severity of the harm posed by the Covered ICTS Transaction on at least one of the following: (i) health, safety, and security; (ii) critical infrastructure; (iii) sensitive data; (iv) the economy; (v) foreign policy; (vi) the natural environment; and (vii) national Essential Functions (as defined by Federal Continuity Directive-2 (FCD-2)); and
- The likelihood that the Covered ICTS Transaction will result in the threatened harm.[5]
II. Stages of Review
The Final Rule sets forth the following review process: initial review, first interagency consultation, initial determination, party response, second interagency consultation, and final determination. We provide a brief summary of each stage below:
- Initial Review: The Secretary may begin the review period by requiring any person to furnish information related to the transaction. The Secretary will use the information to determine whether the three elements above (Covered ICTS Transaction, foreign adversary, and undue or unacceptable risk) are satisfied. If the Secretary determines those three elements are not satisfied, the transaction will no longer be under review, but the Secretary may review the transaction in the future if additional information becomes available.
- First Interagency Consultation: If the Secretary determines the three elements are satisfied, the Secretary must provide a written assessment to the appropriate agency heads[6] and provide 21 days for such agency heads to comment. The Secretary may revise the determination based on any comments received.
- Initial Determination: After the first interagency consultation, the Secretary may determine that the transaction is not a Covered ICTS Transaction and therefore no longer under review. Otherwise, the Secretary must issue an initial determination containing the following elements: (1) an explanation regarding why the transaction satisfies the three elements; (2) a proposal regarding whether to prohibit or impose mitigation measures on the transaction; and (3) the factual basis supporting the decision. The Secretary must notify the parties to the Covered ICTS Transaction of the initial determination.
- Note: We would expect any such mitigation measures to include, inter alia, access restrictions, supply chain oversight, compliance audits, and data storage restrictions.
- Party Response: Within 30 days of receiving the initial determination, the parties may provide a substantive response that, among other things, disputes the basis for the initial determination or proposes remedial steps on the party’s part that would negate the basis for the initial determination.
- Second Interagency Consultation: Based on the party response, the Secretary must prepare a proposed final determination as to whether the Covered ICTS Transaction shall be prohibited, not prohibited, or permitted pursuant to negotiated mitigation measures. The Secretary must provide 14 days for the appropriate agency heads to comment on the proposed final determination.
- Final Determination: After the second interagency consultation concludes, the Secretary must issue a final determination. The final determination must be issued within 180 days of serving the parties with notice of the initial determination.
III. Enforcement and Penalties
Examples of activities that constitute violations of the Final Rule include remaining party to a Covered ICTS Transaction prohibited by a final determination or being party to a transaction in any manner that is contrary to any direction, regulation, or condition published in the Final Rule.
Violations of the Final Rule are subject to the penalties for violation of other programs implemented under the International Emergency Economic Powers Act (IEEPA). For example, any person who violates the Final Rule faces a maximum civil penalty of $250,000 (adjusted annually for inflation) per violation or twice the value of the transaction, whichever is greater. A criminal (willful) violation is subject to a fine of up to $1,000,000 or up to 20 years in prison, or both.
[1] The Final Rule amends existing 15 C.F.R. Part 791.
[2] ICTS means software, hardware, or any other product or service integral to one of the following:
(i) Information and communications hardware and software, including
(A) Wireless local area networks;
(B) Mobile networks;
(C) Satellite payloads;
(D) Satellite operations and control;
(E) Internet-enabled sensors, cameras, and any other end-point surveillance or monitoring device, or any device that includes these components such as drones;
(F) Routers, modems, and any other networking devices;
(G) Cable access points;
(H) Wireline access points;
(I) Core networking systems;
(J) Long- and short-haul networks;
(ii) Data hosting, computing or storage, including software, hardware, or any other product or service integral to data hosting or computing services, including software-defined services such as virtual private servers, that uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data of United States persons, including:
(A) Internet hosting services;
(B) Cloud-based or distributed computing and data storage;
(C) Managed services; and
(D) Content delivery services;
(iii) Connected software applications, including software designed primarily to enable connecting with and communicating via the internet, which is accessible through cable, telephone line, wireless, or satellite or other means, that is in use by United States persons at any point over the twelve (12) months preceding a Covered ICTS Transaction, including connected software applications, such as but not limited to, desktop applications, mobile applications, gaming applications, and web-based applications;
(iv) Critical infrastructure, including any subsectors of the chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government services and facilities, health care and public health, information technology, nuclear reactors, materials, and waste, transportation systems, and water and wastewater systems sectors; and
(v) Critical and emerging technologies, including advanced network sensing and signature management; advanced computing; artificial intelligence; clean energy generation and storage; data privacy, data security, and cybersecurity technologies; highly automated, autonomous, and uncrewed systems and robotics; integrated communication and networking technologies; positioning, navigation, and timing technologies; quantum information and enabling technologies; semiconductors and microelectronics; and biotechnology.
[3] There are two exceptions to the definition of Covered ICTS Transaction:
- A Covered ICTS Transaction that involves the acquisition of ICTS items by a U.S. person as a party to a transaction authorized under a U.S. government industrial security program.
- A Covered ICTS Transaction for which the Committee on Foreign Investment in the United States (CFIUS) is conducting a review, investigation, or assessment, or has concluded action, unless the Covered ICTS Transaction was not part of the transaction reviewed by CFIUS.
[4] To make this determination, the Secretary must consider the following: (1) threat assessments and reports prepared by the Director of National Intelligence pursuant to section 5(a) of Executive Order (E.O.) 13873; (2) removal or exclusion orders issued by the Secretary of Homeland Security, the Secretary of Defense, or the Director of National Intelligence (or their designee) pursuant to recommendations of the Federal Acquisition Security Council, under 41 U.S.C. 1323; (3) relevant provisions of the Defense Federal Acquisition Regulation and the Federal Acquisition Regulation, and their respective supplements; (4) the written assessment produced pursuant to section 5(b) of Executive Order (E.O.) 13873, as well as the entities, hardware, software, and services that present vulnerabilities in the United States as determined by the Secretary of Homeland Security pursuant to that section; (5) actual or potential threats to execution of a “National Critical Function” identified by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency; (6) the nature, degree, and likelihood of consequence to the United States public and private sectors that could occur if ICTS vulnerabilities were to be exploited; and (7) any other source or information that the Secretary deems appropriate.
[5] For Covered ICTS Transactions involving connected software applications, the Secretary must also consider:
(i) the number and sensitivity of the users with access to the connected software application;
(ii) the scope and sensitivity of any data collected by the connected software application;
(iii) any use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
(iv) whether there is regular, thorough, and reliable third-party auditing of the connected software application; and
(v) the extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.
[6] Under the Final Rule, “appropriate agency heads” means the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission, and the heads of any other executive departments and agencies the Secretary determines is appropriate, or their designees.