eLaws | eCases | United States Code | Federal Courts |
Home » 2019 Issues » 84 FR (11/27/2019) » 2019-25554. Securing the Information and Communications Technology and Services Supply Chain

  2019-25554. Securing the Information and Communications Technology and Services Supply Chain  

  • Start Preamble Start Printed Page 65316

    AGENCY:

    U.S. Department of Commerce.

    ACTION:

    Proposed rule; request for comments.

    SUMMARY:

    Pursuant to an Executive order of May 15, 2019, entitled “Securing the Information and Communications Technology and Services Supply Chain,” the Department of Commerce (the Department) proposes to implement regulations that would govern the process and procedures that the Secretary of Commerce (Secretary) will use to identify, assess, and address certain information and communications technology and services transactions that pose an undue risk to critical infrastructure or the digital economy in the United States, or an unacceptable risk to U.S. national security or the safety of United States persons.

    DATES:

    Written comments must be received on or before December 27, 2019.

    ADDRESSES:

    All comments must be submitted by one of the following methods:

    • By the Federal eRulemaking Portal: http://www.regulations.gov at docket number DOC-2019-0005.
    • By email directly to: ICTsupplychain@doc.gov. Include “RIN 0605-AA51” in the subject line.
    • By mail or hand delivery to: Henry Young, U.S. Department of Commerce, ATTN: RIN 0605-AA51, 1401 Constitution Avenue NW, Washington, DC 20230.
    • Instructions: Comments sent by any other method, to any other address or individual, or received after the end of the comment period, may not be considered. For those seeking to submit confidential business information (CBI), please submit such information by email or mail or hand delivery as instructed above. Each CBI submission must also contain a summary of the CBI in sufficient detail to permit a reasonable understanding of the substance of the information for public consumption. Such summary information will be posted on regulations.gov.
    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Henry Young, U.S. Department of Commerce, 1401 Constitution Avenue NW, Washington, DC 20230; telephone: 202-482-0224. For media inquiries: Rebecca Glover, Director, Office of Public Affairs, U.S. Department of Commerce, 1401 Constitution Avenue NW, Washington, DC 20230; telephone: (202) 482-4883.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    I. Background

    The information and communications technology and services (ICTS) supply chain is critical to nearly every aspect of U.S. national security. It underpins our economy; supports critical infrastructure and emergency services; and facilitates the nation's ability to store, process, and transmit vast amounts of data, including sensitive information, that is used for personal, commercial, government, and national security purposes. The ICTS supply chain must be secure to protect our national security, including the economic strength that is an essential element of our national security. However, the ICTS supply chain has become increasingly vulnerable to exploitation and is an attractive target for espionage, sabotage, and foreign interference activity. ICTS that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary augment our adversaries' ability to create or exploit vulnerabilities in ICTS to potentially catastrophic effect. The President has determined that the unrestricted acquisition or use of such ICTS causes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.

    Executive Order 13873 of May 15, 2019, “Securing the Information and Communications Technology and Services Supply Chain” (84 FR 22689) (Executive order), was issued pursuant to the President's authority under the Constitution and the laws of the United States, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.), and section 301 of Title 3, United States Code. The Executive order grants the Secretary of Commerce (Secretary) the authority to prohibit any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service (a “transaction”) subject to United States' jurisdiction where the Secretary, in consultation with other relevant agency heads, determines that the transaction: (i) Involves property in which a foreign country or national has an interest; (ii) includes information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and (iii) poses certain undue risks to critical infrastructure or the digital economy in the United States or certain unacceptable risk to U.S. national security or U.S. persons. (84 FR 22689).

    The Department is proposing regulations that would implement the terms of the Executive order by establishing a process by which the Secretary will determine whether a particular transaction should be prohibited. A transaction that meets the following conditions will be subject to review by the Secretary and may require mitigation, prohibition, or an unwinding of the transaction if determined to be prohibited: (1) The transaction is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States; (2) the transaction involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service); and (3) the transaction was initiated, pending, or completed after May 15, 2019, regardless of when any contract applicable to the transaction was entered into, dated or signed, or when any license, permit, or authorization applicable to such transaction was Start Printed Page 65317granted. Transactions involving certain ongoing activities, including but not limited to managed services, software updates, or repairs, would constitute transactions that was completed on or after May 15, 2019 even if a contract was entered into prior to May 15, 2019.

    To assist the Department in the execution and implementation of the Executive order, Section 5 of the Executive order requires the Office of the Director of National Intelligence (ODNI) and the Department of Homeland Security (DHS) to produce an initial threat assessment and vulnerability assessment, respectively. Pursuant to Section 5(a) of the Executive order, the Director of National Intelligence produced an initial, classified threat assessment setting forth the threats to the United States and its people from ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.

    Pursuant to Section 5(b) of the Executive order, DHS provided to the Department an initial vulnerabilities assessment identifying and assessing ICTS hardware, software, and services that present vulnerabilities in the United States. The Department will use this vulnerability assessment as one of the available sources of information to inform its analysis of risks and will use the categories of ICTS identified in the assessment as an analytical tool to assist in evaluating transactions within the Executive order's scope.

    The Secretary herein adopts a case-by-case, fact-specific approach to determine those transactions that meet the requirements set forth in the Executive order and are therefore prohibited or must be mitigated. A case-by-case process allows for the deliberative application of the authority granted to the Secretary by the President in the Executive order as the Secretary seeks to calibrate properly the application of this new authority. A case-by-case application of this authority would allow the Secretary to target and prohibit transactions that meet the Executive order criteria, without unintentionally prohibiting other transactions involving similar ICTS that may not rise to the level of presenting an undue risk to critical infrastructure or the digital economy in the United States or an unacceptable risk to national security or the safety of U.S. persons. This approach would also ensure that the Department does not inadvertently preclude innovation or access to technology in the United States.

    II. Prohibited Transactions

    The Executive order proscribes transactions, which involve the acquisition, importation, transfer, installation, dealing in or use of ICTS by any person where the transaction (i) involves any property in which a foreign country or a national thereof has any interest, (ii) involves any ICTS “designed, developed, manufactured, or supplied” by entities “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” and (iii) poses “an undue risk” of several specified adverse consequences, or “an unacceptable risk” to national security or the safety of U.S. persons.

    In implementing the Executive order, the Secretary will decide whether the particular circumstances of a potentially prohibited transaction may meet this standard. The Secretary, upon the Secretary's own motion or upon referral of a particular transaction from another Federal agency, will evaluate transactions the Secretary believes may be covered by the Executive order and determine, in consultation with the heads of other agencies as appropriate, whether any such transaction should be prohibited or mitigated.

    Under the procedures set forth in the proposed rule the Secretary would provide, as appropriate, direct notice to the parties of a transaction that an evaluation of a transaction is being conducted and that he has reached a preliminary determination regarding a transaction. In making determinations, the Secretary, in consultation with other Federal agencies, would assess, for example, whether a party to a transaction is owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, and whether the use of a certain class of ICTS or transactions by particular classes of users present an undue or unacceptable risk. Parties notified of an evaluation and preliminary determination would have an opportunity to submit an opposition and information in support of their opposition, which may include proposed measures for mitigation, prior to the Secretary issuing a final determination.

    Upon completion of the evaluation, the Secretary would issue an unclassified, written final determination to the parties engaged in the transaction, and, as appropriate, to the public, that would summarize the elements of the evaluation and explain how the Secretary's determination is consistent with the terms of the Executive order and its implementing regulations. In the event that classified or any other protected information is used or relied upon by the Secretary in making a determination, such information would not be made available except as required by law. If the Secretary determines that a transaction presents an undue or unacceptable risk, the Secretary may require measures to mitigate the transaction's identified risks or may prohibit the transaction, including by requiring that the parties engaged in the transaction immediately cease the use of the ICTS that poses the undue or unacceptable risk, even if such ICTS has been installed or was in operation prior to the Secretary's determination. The Secretary will not issue an advisory opinion or a declaratory ruling with respect to any particular transaction.

    The Executive order also authorizes the Secretary to exempt certain classes of transactions from the Executive order's restrictions if the Secretary determines (for example, because of the nature or capabilities of the ICTS involved or the characteristics of the purchaser or ultimate user) that such transactions do not present an undue or unacceptable risk or are outside the scope of the Executive order. The Executive order also authorizes the Secretary to prohibit transactions as a class if the Secretary determines that such class of transactions pose an undue or unacceptable risk. The proposed rule does not recognize particular technologies or particular participants in the market for ICTS as categorically included or excluded from the prohibitions established by the Executive order. If, in the future, the Secretary determines that it is appropriate to designate classes of transactions for categorical inclusion or exclusion, further guidance will be issued at that time.

    It is expected that parties engaging in any transaction subject to the Executive order will maintain records related to such transaction in a manner consistent with the recordkeeping practices used in their ordinary course of business for such a transaction. Any parties notified that a transaction is being evaluated will be advised by that notice to immediately take steps to retain any and all records relating to such transaction.

    III. Request for Comment

    The Department invites comment on all aspects of the proposed regulation but notes that the determination of a “foreign adversary” for purposes of implementing the Executive order is a matter of executive branch discretion and will be made by the Secretary in consultation with the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney Start Printed Page 65318General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission, and, as appropriate, the heads of other executive departments and agencies (agencies).

    • As noted above, the Secretary would initially engage in a case-by-case analysis of specific transactions, as facts become known to the Secretary to determine if they are prohibited by the Executive order. Are there instances where the Secretary should consider categorical exclusions? Are there classes of persons whose use of ICTS can never violate the Executive order? If so, please provide a detailed explanation of why the commenter believes a particular transaction can never meet the requirements of the Executive order.
    • Are there transactions involving types or classes of ICTS where the acquisition or use in the United States or by U.S. parties would fall within the terms of the Executive order's prohibited transactions because the transaction could present an undue or unacceptable risk, but that risk could be reliably and adequately mitigated to prevent the undue or unacceptable risk? If the commenter believes the risks of a prohibited transaction can be mitigated, what form could such mitigation measures take?
    • If mitigation measures are adopted for a transaction otherwise prohibited by the Executive order, how should the Secretary ensure that parties to such transaction consistently execute and comply with the agreed-upon mitigation measures that make an otherwise prohibited transaction permissible? How best could the Secretary be made aware of changes in factual circumstances, including technology developments, that could render mitigation measures obsolete, no longer effective, or newly applicable?
    • Section 1(a) of the Executive order and the definition of “transaction” that the proposed rule would implement refer to “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service.” How are these terms, in particular “dealing in” and “use of,” best interpreted?
    • As discussed above, the Secretary expects persons engaged in transactions will maintain records of those transactions in the ordinary course of business. Should the Department require additional recordkeeping requirements for information related to transactions? Any non-public oral communication to Department officials regarding the substance of the proposed rule would be considered an ex parte presentation, and a summary of the substance of the ex parte presentation will be placed on the public record and become part of this docket. No later than two (2) business days after an oral communication or meeting, the party which engaged in such communication or meeting must submit a memorandum to the Department summarizing the substance of the communication. The Department reserves the right to supplement the memorandum with additional information as necessary, or to request that the party making the filing do so, if a Department official believes that important information was omitted or characterized incorrectly. Any written presentation provided in support of the oral communication or meeting will also be placed on the public record and become part of this docket. Such ex parte communications must be submitted to this docket as provided in the ADDRESSES section above and clearly labeled as an ex parte presentation. Federal entities are not subject to these procedures.

    IV. Classification

    A. Executive Order 12866 (Regulatory Policies and Procedures)

    This rulemaking has been determined to be a significant action under Executive Order 12866.

    B. Executive Order 13771 (Reducing Regulation and Controlling Regulatory Costs)

    This rulemaking is exempt from the requirements of Executive Order 13771 because it involves a national security matter.

    C. Regulatory Flexibility Act

    In compliance with section 603 of the Regulatory Flexibility Act (RFA), the Department has prepared the below initial regulatory flexibility analysis (IRFA) for this proposed rule. The IRFA describes the economic impacts the proposed action may have on small entities. The Department seeks comment on all aspects of the IRFA, including the categories and numbers of small entities that may be directly impacted by this proposed rule.

    (1) A statement of the need for, objectives, and the legal basis of the proposed rule. The description of the action, why it is being considered, and the legal basis for the proposed rule are contained in the preamble.

    (2) A description of, and where feasible, an estimate of the number of small entities to which the proposed rule will apply. The proposed rule defines “information and communications technology or services” as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display.” A majority of entities today, large or small, utilize some manner of ICTS, therefore it is extremely difficult to obtain a determination of the kind and number of small entities impacted by the proposed rule. The Department acknowledges that actions taken pursuant to this proposed rule may affect small entities or groups that are not easily categorized at present. We therefore describe here, at the outset, three broad groups of small entities that utilize ICTS that could be directly affected herein. The Department understands that the groups set forth here do not encompass all of the small entities or groups that utilize ICTS and could potentially be impacted by the proposed rule. The Department invites comment on other small entities or groups that should be identified as potentially impacted by the proposed rule.

    1. Telecommunications and Information Technology Equipment and Service Providers

    i. Telecommunications Service Providers

    1. Incumbent Local Exchange Carriers (LECs)

    2. Interchange Carriers (IXCs)

    3. Competitive Access Providers

    4. Operator Service Providers (OSPs)

    5. Local Resellers

    6. Toll Resellers

    7. Wired Telecommunications Carriers

    8. Wireless Telecommunications Carrier (except Satellite)

    9. Common Carrier Paging

    10. Wireless Telephony

    11. Satellite Telecommunications

    12. All Other Telecommunications

    ii. Internet and Digital Service Providers

    1. Internet Service Providers (Broadband)

    2. Internet Service Providers (Non-Broadband)

    3. Cloud Providers

    4. Data Center Service Providers

    5. Managed Security Service Providers

    6. Internet Application Operators/Developers

    7. Software Providers (platform as a service, software as a service, etc.)

    iii. Vendors and Equipment Manufacturers

    1. Vendors of Infrastructure Start Printed Page 65319Development or “Network Buildout”

    2. Telephone Apparatus Manufacturing

    3. Radio and Television Broadcasting and Wireless Communications Equipment

    4. Information Technology Equipment Manufacturers

    5. Connected Device Manufacturers (e.g., connected video cameras, health monitoring devices)

    6. Other Communications Equipment Manufacturing

    (3) A description of the projected reporting, recordkeeping and other compliance requirements of the proposed rule, including an estimate of the classes of small entities that will be subject to the requirement and the type of professional skills necessary for preparation of the report or record. This proposed rule would not mandate any reporting, recordkeeping, or other compliance requirements unless an entity receives direct notice that an evaluation into a transaction to which such entity is a party is being conducted. If a small entity receives such notice, the entity will need to retain and provide requested information. The Department does not anticipate that any specific professional skills will be required to retain and provide such information. As discussed above, the Department anticipates a broad range of small entities or groups involved in ICTS that may be impacted by the proposed rule, thus making it difficult to determine the kind and number of small entities that may be impacted. However, as a part of the initial analysis to determine the kind and number of small entities that may be impacted by the proposed rule, the Department has identified the three broad groups of small entities listed above that utilize ICTS and may be subject under the proposed rule to an evaluation of a transaction to which such small entities may be a party.

    (4) An identification, to the extent practicable, of all relevant Federal rules that may duplicate, overlap or conflict with the proposed rule. This rule does not duplicate or conflict with any Federal rules.

    (5) A description of any significant alternatives to the proposed rule that accomplish the stated objectives of Executive Order 13873 and applicable statutes and that would minimize any significant economic impact of the proposed rule on small entities.

    • No-action alternative: Not implementing a rule under the Executive order is not a viable alternative because of the national security concerns associated with transactions involving information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.
    • Alternative that would categorically exclude small entities or groups of small entities: This alternative would also not achieve the objectives of Executive Order 13873 of alleviating the national security concerns associated with certain transactions because, due to the nature of ICTS networks, transactions by small entities or groups of information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary may pose an undue risk to critical infrastructure or the digital economy in the United States or an unacceptable risk to national security or U.S. persons, and as such, should be evaluated in order to determine whether they should be mitigated, prohibited, or require an unwinding of the transaction.
    • Preferred alternative: The proposed rule is the preferred alternative. It would achieve the objectives of Executive Order 13873 by implementing a procedure that would allow the Secretary to apply a case-by-case, fact-specific process to identify, assess, and address any and all transactions that pose an undue risk to critical infrastructure or the digital economy in the United States or an unacceptable risk to national security or U.S. persons.

    D. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA) provides that an agency generally cannot conduct or sponsor a collection of information, and no person is required to respond to nor be subject to a penalty for failure to comply with a collection of information, unless that collection has obtained Office of Management and Budget (OMB) approval and displays a currently valid OMB Control Number. This rulemaking does not contain a collection of information requirement subject to review and approval by OMB under the PRA; the rule would require only that parties engaging in any transaction subject to Executive Order 13873 shall maintain records related to such transaction in a manner consistent with the recordkeeping practices used in their ordinary course of business.

    E. Unfunded Mandates Reform Act of 1995

    This proposed rule would not produce a Federal mandate (under the regulatory provisions of Title II of the Unfunded Mandates Reform Act of 1995) for State, local, and tribal governments or the private sector.

    F. Executive Order 13132 (Federalism)

    This proposed rule does not contain policies having federalism implications requiring preparations of a Federalism Summary Impact Statement.

    G. Executive Order 12630 (Governmental Actions and Interference With Constitutionally Protected Property Rights)

    This proposed rule does not contain policies that have takings implications.

    H. Executive Order 13175 (Consultation and Coordination With Indian Tribes)

    The Department has analyzed this proposed rule under Executive Order 13175 and has determined that the action would not have a substantial direct effect on one or more Indian tribes, would not impose substantial direct compliance costs on Indian tribal governments, and would not preempt tribal law.

    I. National Environmental Policy Act

    The Department has reviewed this rulemaking action for the purposes of the National Environmental Policy Act (42 U.S.C. 4321 et seq.). It has determined that this proposed rule would not have a significant impact on the quality of the human environment.

    Start List of Subjects

    List of Subjects in 15 CFR Part 7

    • Administrative practice and procedure
    • Business and industry
    • Communications
    • Computer technology
    • Critical infrastructure
    • Executive orders
    • Foreign persons
    • Investigations
    • National security
    • Penalties
    • Technology
    • Telecommunications
    End List of Subjects

    For the reasons set out in the preamble, 15 CFR part 7 is proposed to be added to read as follows:

    Start Part

    PART 7—SECURING THE INFORMATION AND COMMUNICATIONS TECHNOLOGY AND SERVICES SUPPLY CHAIN

    Subpart A—General
    7.1
    Scope.
    7.2
    Definitions.
    7.3
    Purpose.
    7.4
    Effect on other law.
    7.5
    Amendment, modification, or revocation.
    7.6
    Public disclosure of records.Start Printed Page 65320
    7.7
    No advisory opinions or declaratory rulings.
    7.8
    No categorical inclusions or exclusions.
    Subpart B—Implementation for Evaluations
    7.100
    Commencement of an evaluation of a transaction.
    7.101
    Criteria to assess the effect of a transaction.
    7.102
    Conduct of an evaluation.
    7.103
    Written determinations; adjustment of transactions; signature, date, and public availability.
    7.104
    Emergency action.
    Subpart C—Enforcement
    7.200
    Penalties.
    Start Authority

    Authority: 50 U.S.C. 1701 et seq.; 50 U.S.C. U.S.C. 1601 et seq.; E.O. 13873, 84 FR 22689.

    End Authority

    Subpart A—General

    Scope.

    (a) Except as provided in paragraph (b) of this section, this part applies only to any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service (a “transaction”), that meets each of the following conditions:

    (1) The transaction is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States;

    (2) The transaction involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service); and

    (3) The transaction was initiated, is pending, or will be completed after May 15, 2019, regardless of when any contract applicable to the transaction was entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted. Transactions involving certain ongoing activities, including but not limited to managed services, software updates, or repairs, constitute transactions that “will be completed” on or after May 15, 2019 even if a contract was entered into prior to May 15, 2019. Such transactions are subject to review by the Secretary and may require mitigation or an unwinding of the transaction if determined to be prohibited.

    (b) This part does not apply to any other acquisition, importation, transfer, installation, dealing in or use of information communications technology and services or any other goods or services.

    Definitions.

    Entity means a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.

    Executive order means Executive Order 13873 of May 15, 2019.

    Foreign adversary means any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons for the purposes of Executive Order 13783.

    Information and communications technology or services means any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display.

    Person means an individual or entity.

    Secretary means the Secretary of Commerce or the Secretary's designee.

    Transaction means any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service. Use of the term transaction in this part includes a class of transactions.

    United States person means any United States citizen, permanent resident alien, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person in the United States.

    Purpose.

    The regulations in this part set forth the procedures by which the Secretary shall commence and conduct evaluations to determine the effect that any acquisition, importation, transfer, installation, dealing in, or use of an information and communications technology or service that has been designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries have on the national security, foreign policy, and economy of the United States. The evaluations will address transactions on a case-by-case, fact-specific basis. Based on the evaluation findings, the Secretary, in consultation with relevant agency heads specified in the Executive order and other relevant governmental bodies, as appropriate shall make a decision for action or inaction regarding adjustment of a transaction. Action regarding adjustment of a transaction may include a prohibition or approval of an otherwise prohibited transaction due to adoption of mitigation measures determined by the Secretary to sufficiently mitigate the risks associated with the transaction. The Secretary shall also engage in coordination and information sharing, as appropriate, with international partners on the application of the regulations in this part.

    Effect on other law.

    Nothing in this part shall be construed as altering or affecting any other authority, process, regulation, investigation, enforcement measure, or review provided by or established under any other provision of Federal law, including prohibitions under the National Defense Authorization Act of 2019, the Federal Acquisition Regulations, or the International Emergency Economic Powers Act (IEEPA) (50 U.S.C. 1701 et seq.), or any other authority of the President or the Congress under the Constitution of the United States.

    Amendment, modification, or revocation.

    Except as otherwise provided by law, the provisions of this part and any determinations, orders, or decisions issued thereunder may be amended, modified, or revoked, in whole or in part, at any time.

    Public disclosure of records.

    Public requests for agency records related to this part will be processed in accordance with the Department of Commerce's Freedom of Information Act regulations, 15 CFR part 4, or other applicable law and regulation.

    No advisory opinions or declaratory rulings.

    The Secretary will not issue an advisory opinion or a declaratory ruling with respect to any particular transaction.

    No categorical inclusions or exclusions.

    The Secretary has declined to identify classes of transactions that are subject to prohibition or are excluded from prohibition. Determination of transactions prohibited by the Executive order will be made on a case-by-case basis. Should the Secretary determine based on a particular case that a class of transactions should be prohibited or excluded, the Secretary will publish such determination and further guidance or request for comment (if needed) in the Federal Register.

    Start Printed Page 65321

    Subpart B—Implementation for Evaluations

    Commencement of an evaluation of a transaction.

    The Secretary may commence an evaluation of a transaction in one of three ways:

    (a) At the Secretary's discretion;

    (b) Upon request of the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, or the Chairman of the Federal Communications Commission, or, as appropriate, the head of any other Government department, agency, governmental body, or the Federal Acquisition Security Council (FASC). A request from other Government departments, agencies, governmental body, or FASC for an evaluation shall be in writing provided from the head of the requesting agency, or their designee, to the Secretary; or

    (c) Based on information submitted to the Secretary by private parties that the Secretary determines to be credible. Information from private parties may be submitted to the Secretary via a web portal to be made available on https://www.commerce.gov/​issues/​ict-supply-chain.

    Criteria to assess the effect of a transaction.

    (a) To determine the effect of a transaction subject to evaluation, the Secretary, in consultation with the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission, and, as appropriate, the heads of other executive departments and agencies, shall consider whether:

    (1) The transaction is subject to the jurisdiction of the United States;

    (2) The transaction involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);

    (3) The transaction was initiated, is pending, or will be completed after May 15, 2019, regardless of when any contract applicable to the transaction was entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted;

    (4) The transaction involves information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and

    (5) The transaction:

    (i) Poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;

    (ii) Poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or

    (iii) Otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.

    (b) In determining whether a transaction involves an information and communications technology or service designed, developed, manufactured, or supplied, by persons “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” the Department will consider a number of factors, including, but not limited to the laws and practices of the foreign adversary; equity interest, access rights, seats on a board of directors or other governing body, contractual arrangements, voting rights, and control over design plans, operations, hiring decisions, or business plan development.

    Conduct of an evaluation.

    In conducting an evaluation of whether a transaction meets the criteria described in § 7.101, the Secretary:

    (a) Shall, as appropriate, seek information and advice from, and consult with, appropriate officers of the United States or their designees. Information received from agencies of the U.S. Government, state, local, tribal, or territorial governments, or business confidential or other trade secret information will not be made available for public inspection except as otherwise required by law;

    (b) May use all appropriate tools available to collect information, including but not limited to the following:

    (1) Relevant publicly available, business confidential or proprietary information, and classified information as part of an evaluation;

    (2) Information from foreign governments as a part of an evaluation; and

    (3) Information from parties to a transaction as part of an evaluation, including records related to such transaction that any party keeps or uses, or would be expected to keep or use, in their ordinary course of business for such a transaction. Parties notified that one of their transactions is being evaluated must immediately take steps to retain any and all records relating to such transaction, regardless of whether those records would normally be retained prior to receiving such notice; and

    (c) May consolidate any referral, or materials that are filed while an evaluation is in progress, concerning transactions of the same or related class and raising similar issues.

    Written determinations; adjustment of transactions; signature, date, and public availability.

    (a) Upon a preliminary determination by the Secretary that a transaction meets the criteria set forth in § 7.101, the Secretary shall, when consistent with national security, provide written notice to the parties of the transaction advising that:

    (1) The Secretary has reached a preliminary determination;

    (2) An explanation of the basis for such preliminary determination to the extent such explanation can be provided consistent with national security; and

    (3) Within 30 days after receipt of the notice, the specific party may submit an opposition and information in support of such opposition to the preliminary determination or information on proposed measures for mitigation.

    (b) The Secretary shall take into consideration any comments received pursuant to the process set forth in paragraph (a) of this section in making a final determination. Within 30 days of receipt of any information received pursuant to paragraph (a)(3) of this section, the Secretary will issue a final determination.

    (c) In making a final determination, the Secretary may:

    (1) Determine the transaction is prohibited;

    (2) Determine the transaction is not prohibited; or

    (3) At the Secretary's discretion and in consultation with the heads of other agencies as appropriate, require measures and specific timeframes to mitigate risks identified during an evaluation as a precondition of approving a transaction that may otherwise be prohibited.

    (d) A final determination shall be in writing and shall describe whether the transaction is prohibited; the transaction is not prohibited; or an otherwise Start Printed Page 65322prohibited transaction is permitted pursuant to the adoption of mitigation measures. Any determination to permit an otherwise prohibited transaction based on mitigation measures shall also provide a description of the mitigation measures adopted. A final determination shall be sent to the parties of the transaction by registered U.S. mail.

    (e) Any determination to either prohibit a transaction or permit an otherwise prohibited transaction based on mitigation measures shall also provide a clear statement of the penalties set forth in § 7.200 that parties will face if they fail to comply fully with either the prohibition or those mitigation measures.

    (f) The Secretary may commence an evaluation and make a new determination of any transaction, subject to this part, if circumstances, technology, or available information has materially changed.

    (g) All determinations by the Secretary shall be signed and dated.

    (h) Such final determination with respect to a transaction shall constitute final agency action.

    (i) A summary of the Secretary's final determination will be made public through posting on https://www.commerce.gov/​issues/​ict-supply-chain and publication in the Federal Register.

    (j) Deadlines set forth in this section may be extended at the Secretary discretion.

    Emergency action.

    It is the intent of the Secretary to follow the procedures set forth in this part unless, when public harm is likely to occur if the procedures are followed or national security interests require it, then the Secretary may vary or dispense with any or all of the procedures set forth in this part. In such an instance, in a manner consistent with national security interests, the Secretary shall provide as part of the final written determination the basis for the decision to engage in emergency action under this section.

    Subpart C—Enforcement

    Penalties.

    (a) Subject to IEEPA, 50 U.S.C. 1705, any person who, after [effective date of final rule], violates, attempts to violate, conspires to violate, or causes a violation of any determination, regulation, prohibition, or other action issued under this part, or makes any false or misleading representation, statement, or certification, or falsifies or conceals any material fact, either directly to the Department of Commerce, the Bureau of Industry and Security, United States Customs and Border Protection, or an official of any other United States agency, or indirectly through any other person in the course of any action under this part may be liable to the United States for a civil penalty up to $302,584, as adjusted annually for inflation under 15 CFR 6.5, or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed. The amount of the penalty assessed for a violation shall be based on the nature of the violation.

    (b) Any person who, after [effective date of final rule], violates a material provision of a mitigation measure or a material condition imposed by the United States under § 7.103 or § 7.104 may be liable to the United States for a civil penalty under 50 U.S.C. 1705, not to exceed $302,584, as adjusted annually for inflation under 15 CFR 6.5, per violation or the value of the transaction. Any penalty assessed under this paragraph (b) shall be based on the nature of the violation and shall be separate and apart from any damages sought pursuant to a mitigation measure or any action taken under § 7.103.

    (c) A determination to impose penalties under paragraph (a) or (b) of this section will be made by the Secretary. Notice of the penalty, including a written explanation of the penalized conduct and the amount of the penalty, shall be sent to the penalized party by registered U.S. mail.

    (d) Upon receiving notice of the imposition of a penalty under paragraph (a) or (b) of this section, the penalized party may, within 15 days of receipt of the notice of the penalty, submit a petition for reconsideration to the Secretary, including a defense, justification, or explanation for the penalized conduct. The Secretary will review the petition and issue a final decision within 30 days of receipt of the petition.

    (e) The penalties authorized in paragraphs (a) and (b) of this section may be recovered in a civil action brought by the United States in Federal district court.

    (f) The penalties available under this section are without prejudice to other penalties, civil or criminal, available under law.

    (g) Section 1001 of title 18, United States Code, shall apply to all information provided to the Secretary under this part by any party to a transaction.

    Start Signature

    Dated: November 19, 2019.

    Wilbur L. Ross,

    Secretary of Commerce.

    End Signature End Part End Supplemental Information

    [FR Doc. 2019-25554 Filed 11-26-19; 8:45 am]

    BILLING CODE 3510-20-P

Visit the Official Version
Leave a Comment

Document Information

Published:
11/27/2019
Department:
Commerce Department
Entry Type:
Proposed Rule
Action:
Proposed rule; request for comments.
Document Number:
2019-25554
Dates:
Written comments must be received on or before December 27, 2019.
Pages:
65316-65322 (7 pages)
Docket Numbers:
Docket No. 191119-0084
RINs:
0605-AA51: Securing the Information and Communications Technology and Services Supply Chain
RIN Links:
https://www.federalregister.gov/regulations/0605-AA51/securing-the-information-and-communications-technology-and-services-supply-chain
Topics:
Administrative practice and procedure, Aliens, Business and industry, Communications, Computer technology, Critical infrastructure, Executive orders, Investigations, Penalties, Telecommunications
PDF File:
2019-25554.pdf
Supporting Documents:
» 0605-aa51 RIA and FRFA
» Securing the Information and Communications Technology and Services Supply Chain
» RIN 0605-AA51 Ex Parte Memo - ITI
» RIN 0605-AA51 Ex Parte Memo - ROK
» RIN 0605-AA51 Ex Parte Memo - UK
» Securing the Information and Communications Technology and Services Supply Chain
» Doc 7
» Doc 6a
» Doc 5
» Doc 4
CFR: (14)
15 CFR 7.1
15 CFR 7.2
15 CFR 7.3
15 CFR 7.4
15 CFR 7.5
More ...