Code of Federal Regulations (Last Updated: November 8, 2024)
Title 15 - Commerce and Foreign Trade
Subtitle B—Regulations Relating to Commerce and Foreign Trade
Chapter VII—Bureau of Industry and Security, Department of Commerce
SubChapter E—Information and Communications Technology and Services Regulations
Part 791 - Securing the Information and Communications Technology and Services Supply Chain
Subpart B - Review of ICTS Transactions
§ 791.103 Initial review of ICTS Transactions.
(a) Upon receipt of any information identified in § 791.100(a), upon written request of an appropriate agency head, or at the Secretary's discretion, the Secretary may consider any referral for review of a transaction (referral).
(b) In considering a referral pursuant to paragraph (a), the Secretary shall assess whether the referral falls within the scope of § 791.3(a) and involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, and determine whether to:
(1) Accept the referral and commence an initial review of the transaction;
(2) Request additional information, as identified in § 791.100(a), from the referring entity regarding the referral; or
(3) Reject the referral.
(c) Upon accepting a referral pursuant to paragraph (b) of this section, the Secretary shall conduct an initial review of the ICTS Transaction and assess whether the ICTS Transaction poses an undue or unacceptable risk, which may be determined by evaluating the following criteria:
(1) The nature and characteristics of the information and communications technology or services at issue in the ICTS Transaction, including technical capabilities, applications, and market share considerations;
(2) The nature and degree of the ownership, control, direction, or jurisdiction exercised by the foreign adversary over the design, development, manufacture, or supply at issue in the ICTS Transaction;
(3) The statements and actions of the foreign adversary at issue in the ICTS Transaction;
(4) The statements and actions of the persons involved in the design, development, manufacture, or supply at issue in the ICTS Transaction;
(5) The statements and actions of the parties to the ICTS Transaction;
(6) Whether the ICTS Transaction poses a discrete or persistent threat;
(7) The nature of the vulnerability implicated by the ICTS Transaction;
(8) Whether there is an ability to otherwise mitigate the risks posed by the ICTS Transaction;
(9) The severity of the harm posed by the ICTS Transaction on at least one of the following:
(i) Health, safety, and security;
(ii) Critical infrastructure;
(iii) Sensitive data;
(iv) The economy;
(v) Foreign policy;
(vi) The natural environment; and
(vii) National Essential Functions (as defined by Federal Continuity Directive-2 (FCD-2)); and
(10) The likelihood that the ICTS Transaction will in fact cause threatened harm.
(d) For ICTS Transactions involving connected software applications that are accepted for review, the Secretary's assessment of whether the ICTS Transaction poses an undue or unacceptable risk may be determined by evaluating the criteria in paragraph (c) as well as the following additional criteria:
(1) Ownership, control, or management by persons that support a foreign adversary's military, intelligence, or proliferation activities;
(2) Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary's access to sensitive or confidential government or business information, or sensitive personal data;
(3) Ownership, control, or management of connected software applications by persons subject to the jurisdiction or direction of a foreign adversary;
(4) Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
(5) Whether there is regular, thorough, and reliable third-party auditing of connected software applications;
(6) The scope and sensitivity of the data collected;
(7) The number and sensitivity of the users with access to the connected software application; and
(8) The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.
(e) If the Secretary finds that an ICTS Transaction does not meet the criteria of paragraph (b) of this section:
(1) The transaction shall no longer be under review; and
(2) Future review of the transaction shall not be precluded, where additional information becomes available to the Secretary.
[86 FR 4923, Jan. 19, 2021, as amended at 88 FR 39358, June 16, 2023. Redesignated and amended at 89 FR 58265, July 18, 2024]