AGENCY:

Bureau of Industry and Security, Department of Commerce.

ACTION:

Proposed rule; request for comments.

SUMMARY:

The Executive order of January 19, 2021, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” directs the Secretary of Commerce (Secretary) to propose regulations requiring U.S. Infrastructure as a Service (IaaS) providers of IaaS products to verify the identity of their foreign customers, along with procedures for the Secretary to grant exemptions; and authorize special measures to deter foreign malicious cyber actors' use of U.S. IaaS products. The Executive order of October 30, 2023, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” further directs the Secretary to propose regulations that require providers of certain IaaS products to submit a report to the Secretary when a foreign person transacts with that provider or reseller to train a large Artificial Intelligence (AI) model with potential capabilities that could be used in malicious cyber-enabled activity. The Department of Commerce (Department) issues this notice of proposed rulemaking (NPRM) to solicit comment on proposed regulations to implement those Executive orders.

DATES:

Comments must be received April 29, 2024.

ADDRESSES:

All comments must be submitted by one of the following methods:

• By the Federal eRulemaking Portal: https://www.regulations.gov at docket number DOC–2021–0007.

• By email directly to: IaaScomments@bis.doc.gov. Include “E.O. 13984/E.O. 14110: NPRM” in the subject line.

• Instructions: Comments sent by any other method or to any other address or individual, or received after the end of the comment period, may not be considered. For those seeking to submit confidential business information (CBI), please clearly mark such submissions as CBI and submit by email or via the Federal eRulemaking Portal, as instructed above. Each CBI submission must also contain a summary of the CBI, clearly marked as public, in sufficient detail to permit a reasonable understanding of the substance of the information for public consumption. Such summary information will be posted on regulations.gov.

FOR FURTHER INFORMATION CONTACT:

Kellen Moriarty, U.S. Department of Commerce, telephone: (202) 482–1329, email: IaaScomments@bis.doc.gov. For media inquiries: Jeremy Horan, Office of Congressional and Public Affairs, Bureau of Industry and Security, U.S. Department of Commerce: OCPA@bis.doc.gov.

SUPPLEMENTARY INFORMATION:

I. Background

IaaS products offer customers the ability to run software and store data on servers offered for rent or lease without having to assume the direct maintenance and operating costs of those servers. Foreign malicious cyber actors have utilized U.S. IaaS products to commit intellectual property and sensitive data theft, to engage in covert espionage activities, and to threaten national security by targeting U.S. critical infrastructure. After carrying out such illicit activity, these actors can quickly move to replacement infrastructure offered by U.S. IaaS providers of U.S. IaaS products (“U.S. IaaS providers”). The temporary registration and ease of replacement for such services makes it more difficult for the government to track malicious actors. Additionally, the ability of malicious actors to use foreign-person resellers of U.S. IaaS products (“foreign resellers”), who might not track identity, hinders law enforcement's ability to obtain identifying information about malicious actors through service of compulsory legal process. This shift in adversary tradecraft also challenges the U.S. Government's ability to identify victims of malicious cyber activity and enable specific network defense and remediation efforts. Furthermore, the emergence of large-scale computing infrastructure—to which U.S. IaaS providers and foreign resellers provide access as a service, and which foreign malicious actors could use to train large AI models that can assist or automate their malicious cyber activity—has raised considerable concern about the identities of entities that transact with providers to engage in certain AI training runs.

To address these threats, the President issued E.O. 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” which provides the Department with authority to require U.S. IaaS providers to verify the identity of foreign users of U.S. IaaS products, to issue standards and procedures that the Department may use to make a finding to exempt IaaS providers from such a requirement, to impose recordkeeping obligations with respect to foreign users of U.S. IaaS products, and to limit certain foreign actors' access to U.S. IaaS products in appropriate circumstances. The President subsequently issued E.O. 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” which calls for the Department to require U.S. IaaS providers to ensure that their foreign resellers verify the identity of foreign users. E.O. 14110 also provides the Department with authority to require U.S. IaaS providers submit a report to the Department whenever a foreign person transacts with them to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.

II. Introduction

E.O. 13984 and E.O. 14110 draw upon the President's authority from the Constitution and laws of the United States, including the International Emergency Economic Powers Act (IEEPA) (50 U.S.C. 1701 et seq.), the National Emergencies Act (NEA) (50 U.S.C. 1601, et seq.), and 3 U.S.C. 301. Section 1 of E.O. 13984 requires the Secretary to propose, for notice and comment, regulations that mandate that U.S. IaaS providers verify the identity of foreign persons that sign up for or maintain accounts that access or utilize U.S. IaaS providers' IaaS products or services (Accounts or Account)—that is, a know-your-customer program or Customer Identification Program (CIP). Under E.O. 13984, such a program must set forth the minimum standards for IaaS providers to verify the identity of a foreign person connected with the opening of an Account or the maintenance of an existing Account. The proposed regulations must include the types of documentation and procedures required to verify the identity of any foreign persons acting as a lessee or sub-lessee of these products or services; the records that IaaS providers must securely maintain regarding a foreign person that obtains an Account; and methods of limiting all third-party access to this collected information, except insofar as such access is otherwise consistent with E.O. 13984 and allowed under applicable law. Moreover, the proposed regulations Start Printed Page 5699 must consider the type of Account, methods of opening an Account, and the types of identifying information already available to IaaS providers that help accomplish the objectives of identifying foreign malicious cyber actors using any such products while also avoiding an undue burden on U.S. IaaS providers. They must also allow the Secretary, after consultation with the heads of various Federal agencies, to exempt any IaaS providers or any specific type of Account or lessee from the requirements of any regulation issued pursuant to this section, including due to a finding that the IaaS provider, Account, or lessee complies with security best practices to otherwise deter abuse of IaaS products.

Section 2 of E.O. 13984 requires the proposed regulations to allow the Secretary to use, as necessary, one of two special measures included in E.O. 13984 to require U.S. IaaS providers to prohibit or limit access to Accounts that foreign malicious cyber actors use to conduct malicious cyber-enabled activity. E.O. 13984 authorizes these measures if the Secretary, in consultation with heads of appropriate Federal agencies, finds that reasonable grounds exist to conclude that either: (i) a foreign jurisdiction has a significant number of foreign persons offering U.S. IaaS products that are, in turn, used for malicious cyber-enabled activities, or a significant number of foreign persons directly obtaining U.S. IaaS products and using them in malicious cyber-enabled activities; or (ii) a foreign person has established a pattern of conduct of offering U.S. IaaS products that are used for malicious cyber-enabled activities or directly obtaining U.S. IaaS products for use in malicious cyber-enabled activities. As further explained below, the Department would conduct an investigation before making any such finding under section 2 of E.O. 13894.

One special measure the Secretary could take would be to prohibit or impose conditions on opening or maintaining an Account with any IaaS provider by: (a) a foreign person located in a foreign jurisdiction that has a significant number of foreign persons offering U.S. IaaS products that are used for malicious cyber-enabled activities; or (b) on behalf of such a foreign person. The second special measure would allow the Secretary to prohibit or impose conditions on opening or maintaining an Account in the United States by any IaaS provider for, or on behalf of, a foreign person found to be offering U.S. IaaS products that are used for malicious cyber-enabled activities or on accounts opened directly by foreign persons who are known to obtain U.S. IaaS products for malicious cyber-enabled activities.

Section 4.2(c) of E.O. 14110 requires the Secretary to propose regulations requiring U.S. IaaS providers to submit to the Department a report when a foreign person transacts with the IaaS provider to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity. The report, at a minimum, must include the identity of the foreign person and the existence of a training run that meets the criteria set forth in this section, as well as any other information specified in regulation. This section of E.O. 14110 also instructs the Secretary to determine the set of technical conditions that a large AI model must possess in order to have the potential capabilities that could be used in malicious cyber-enabled activity and to update that determination as necessary and appropriate.

Section 4.2(c) of this E.O. also requires that U.S. IaaS providers prohibit any foreign reseller of their U.S. IaaS product from providing those products unless such foreign reseller submits to the U.S. IaaS provider a report, which the U.S. IaaS provider must provide to the Department, detailing each instance in which a foreign person transacts with the foreign reseller to use the U.S. IaaS product to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity. In accordance with this requirement, section 4.2(d) requires the proposed regulations to require U.S. IaaS providers to ensure that foreign resellers of U.S. IaaS products verify the identity of any foreign person that obtains an IaaS account from the foreign resellers. The Department is directed to set forth the minimum standards that a U.S. IaaS provider must require of their foreign resellers to verify the identity of a foreign person who opens an account or maintains an existing account with a foreign reseller.

III. Comments on the Advanced Notice of Proposed Rulemaking

On September 24, 2021, the Department published in the Federal Register an advanced notice of proposed rulemaking (ANPRM), 86 FR 53018 (Sep. 24, 2021), soliciting comments on how the Department should implement various provisions of sections 1 and 2 of E.O. 13984, described above, and section 5 of E.O. 13894, which defines several key terms as they relate to the proposed regulations. The Department received twenty-one (21) comments to the ANPRM, which are available on the public rulemaking docket at https://www.regulations.gov.

This section summarizes the comments received in response to the ANPRM and explains the Department's proposed regulations to implement sections 1, 2, and 5 of E.O. 13984. The proposed rule text incorporates many of the suggestions the Department received in response to the ANPRM, as set out in more detail below.

(1) Definitions

The Department sought comments on the terms “United States person” and “United States Infrastructure as a Service Provider.” The commenters who responded to this question argued that the term “United States person” should not be interpreted to include foreign subsidiaries of a U.S. IaaS provider, as this extension would exceed the scope of E.O. 13984. Commenters differed about how broadly to interpret the term “United States Infrastructure as a Service Provider.” Many requested the Department to interpret this term as broadly as possible to capture as much potential foreign malicious cyber activity as possible. Others believed the Department should interpret the definition narrowly to avoid implicating cloud service providers who offer other cloud-based services, such as Platform as a Service (PaaS) and Software as a Service (SaaS) offerings, but do not offer IaaS products. This proposed rule reflects the Department's consideration of all relevant comments.

(2) Customer Identification Program Regulations and Relevant Exemptions

In the ANPRM, the Department sought information about how to implement requirements for companies to verify a foreign person's identity upon the opening of an Account and while maintaining an existing Account. The Department sought comments on verification procedures and recordkeeping requirements the Department should consider including in regulations.

Many commenters expressed support for implementing data retention and recordkeeping requirements, as directed by E.O. 13984, across a broad spectrum of U.S. IaaS providers' products or services to capture a large portion of malicious cyber-enabled activity on these platforms. While commenters generally supported requiring U.S. IaaS providers to verify the identity of all prospective customers, some suggested that any regulation the Department promulgates in response to E.O. 13984 will be ineffective, as malicious cyber actors are savvy enough to avoid identity verification. Start Printed Page 5700

Other commenters requested that the Department's proposed regulations allow U.S. IaaS providers to adopt risk-based approaches to verify the identity of their customers. These approaches, they argued, would allow IaaS providers flexibility to adjust their CIPs to meet new threats and vulnerabilities as they arise. Most commenters agreed that the Department should consider the costs and benefits of these requirements for U.S. IaaS providers and expressed concern that the costs of compliance would be substantial. As discussed further below, the Department has proposed standards and procedures that take into consideration the size, complexity, and risk profile of the IaaS provider and its product offerings.

The Department requested comments on current practices, if any, that U.S. IaaS providers use to verify the identity of their customers and the burden that any new regulations would impose on these IaaS providers. Commenters reported that there is no uniform set of data that U.S. IaaS providers collect before opening an Account for a customer, but email addresses and payment methods are normally required. Most commenters indicated that any requirements in this proposed regulation would impose burdens on U.S. IaaS providers, and that the Department should weigh this burden against the anticipated benefit any regulations mandating identity verification would have on national security. The Department acknowledges that this rulemaking will impose compliance costs for at least some U.S. IaaS providers and has addressed these costs in the regulatory impact analysis included in the preamble of this proposed rule.

The Department asked about the impact any proposed regulations would have on data protection and security, especially considering the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Many commenters encouraged the Department to propose regulations that would enable U.S. law enforcement officials to gain access to data stored by domain name registries and registrars that has proven more difficult since the enactment of the GDPR. Others focused on ensuring that the processing of customers' data to carry out the provisions of any proposed regulation would be consistent with the GDPR or CCPA. Still others requested that any proposed regulation not frustrate ongoing negotiations to open the flow of data between foreign countries and the United States. The Department acknowledges these comments and has sought to ensure these proposed regulations are consistent with national and international obligations, either because the specific information requested is not protected, or because the need for data collection falls into relevant exemptions.

The Department sought comments on how to implement the authority, granted by section 1(c) of E.O. 13984, to provide exemptions from the requirements of any regulations issued pursuant to E.O. 13894. Many commenters expressed hope that the Department could promulgate best practices for IaaS providers to adopt or strive to meet in order to avoid compliance costs associated with any proposed regulations. Others asked the Department to tailor these regulations to apply only to those products and services most used by foreign malicious cyber actors. The Department is proposing procedures for IaaS providers to obtain exemptions from the CIP requirements. Under these procedures, a U.S. IaaS provider seeking to obtain an exemption for itself, a specific type of account or lessee, or its foreign reseller, would provide a written submission to the Secretary outlining its program to comply with security best practices to deter the abuse of U.S. IaaS products. A finding by the Secretary that the program incorporates such best practices would exempt an IaaS provider from the CIP requirements in section 1(a) of E.O. 13984.

Some commenters urged the Department not to include exemptions, believing this practice to be contrary to the intent of E.O. 13984 to address the use of U.S. IaaS products for malicious cyber-enabled activities. In these proposed regulations, the Department has endeavored to provide a pathway to enable U.S. IaaS providers to apply for an exemption where such exemption is warranted while still accomplishing the policy goals of E.O. 13984. The Department welcomes comments and feedback on its proposed approach, as well as on potential standards and best practices that could deter the abuse of U.S. IaaS products by malicious actors.

(3) Special Measures Restrictions

In the ANPRM, the Department sought comments on procedures the Secretary should use to decide when and how to impose a special measure. The Department asked what sources of information the Secretary should consider, how the Secretary should publish any findings, how long the special measure's effects should last, and how to determine which special measure to invoke.

Commenters encouraged the Department to consider how to leverage existing authorities and procedures, such as the Department's existing authority to prohibit certain Information and Communications Technology and Services (ICTS) transactions or the Department of the Treasury's Office of Foreign Assets Control's (OFAC) sanctions procedures, to minimize the burden of these special measures. Other commenters indicated that the threat of these special measures will result in lost U.S. business, as foreign persons may move to IaaS products and services furnished from companies headquartered in foreign countries. Still others expressed doubt that these special measures would accomplish their intended purpose.

In crafting these proposed regulations regarding special measures, the Department looked to a variety of sources, including OFAC's sanction procedures, and has sought to minimize the costs to U.S. businesses while still meeting the requirements of E.O. 13984.

IV. Proposed Rule and Request for Comments

Following consideration of the comments received in response to the ANPRM, the Department is proposing regulations to implement sections 1, 2, and 5 of E.O. 13984 and the applicable provisions of E.O. 14110. The provisions implementing E.O. 13984 would apply to U.S. IaaS providers that offer U.S. IaaS products, as defined in E.O. 13984 and this proposed rule. “U.S. IaaS providers” includes any U.S. person that offers IaaS products, to include both direct providers of U.S. IaaS products and any of their U.S. resellers.

To implement section 1 of E.O. 13984, the Department proposes to require providers to verify the identity of foreign customers. To implement section 2 of E.O. 13984, the Department proposes procedures for the Secretary's decision-making process regarding whether and how to issue determinations about special measures. Regarding the definitions in section 5 of E.O. 13984, the Department proposes interpretations of terms defined in the E.O. and proposes definitions for several additional key terms.

To implement section 4.2(c) of E.O. 14110, the Department proposes regulations related to foreign resellers of U.S. IaaS products that would apply to U.S. IaaS providers as defined in E.O. 13984 and this proposed rule. The Department uses “foreign reseller” to mean any foreign person who has established an account with a U.S. IaaS provider to provide IaaS products Start Printed Page 5701 subsequently, in whole or in part, to a third party.

To implement section 4.2(c) of this E.O., the Department proposes a process for U.S IaaS providers to report to the Department when they have knowledge they will engage or have engaged in a transaction with a foreign person that could allow that foreign person to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity. To implement section 4.2(d) of this E.O., the Department proposes regulations that would require U.S. IaaS providers to require foreign resellers of their U.S. IaaS products to verify the identity of foreign persons who open or maintain an account with a foreign reseller.

The Department proposes definitions for terms used within E.O. 14110, including a definition for a “large AI model with potential capabilities that could be used in malicious cyber-enabled activity.” Based on this definition, the Secretary will determine, as required by E.O. 14110, the set of technical conditions that a large AI model must possess in order to have the potential capabilities that could be used in malicious cyber-enabled activity. That determination will be a binding interpretation of what constitutes a “large AI model with potential capabilities that could be used in malicious cyber-enabled activity.” As this area of technology is fast developing, and as directed by E.O. 14110, the Secretary will update, as “necessary and appropriate,” the initial determination of which set of technical conditions meet the definition. The Department will publish these binding updates to the technical condition determinations in the Federal Register . The Department requests comments on all aspects of this proposed rule.

(1) Definitions

This proposed rule adopts several definitions found in section 5 of E.O. 13984, including “entity,” “foreign jurisdiction,” “foreign person,” “Infrastructure as a Service Account,” “Infrastructure as a Service product,” “Malicious cyber-enabled activities,” “person,” “Reseller Account,” “United States person,” and “U.S. Infrastructure as a Service product.” In addition, this proposed rule clarifies the definition of “U.S. Infrastructure as a Service provider” found in section 5 of E.O. 13984. The proposed rule also adopts several definitions found in section 3 of E.O. 14110, including “artificial intelligence” or “AI,” “AI model,” “AI system,” “dual-use foundation model,” “foreign reseller,” “generative AI,” “integer operation,” “machine learning,” and “model weight.” Finally, the Department proposes several definitions of key terms in this rule, including “customer” and “beneficial owner,” as well as definitions for terms such as “availability,” “confidentiality,” “Customer Identification Program,” “Department,” “disassociability,” “foreign beneficial owner,” “foreign customer,” “foreign reseller, “individual,” “integrity,” “knowledge,” “large AI model with potential capabilities that could be used in malicious cyber-enabled activity,” “manageability,” “predictability,” “privacy-preserving data sharing and analytics,” “Red Flag,” “reseller,” “risk-based,” “Secretary,” “threat landscape,” “training,” “training run,” and “United States reseller.” Some of the proposed definitions are discussed below, although the Department welcomes comments on all definitions in this proposed rule.

A. Availability

The Department proposes to define “availability” as ensuring timely and reliable access to and use of information and information systems by an authorized person or system, including resources provided as part of a product or service.

B. Beneficial Owner

E.O. 13984 requires verification of the identity of foreign persons that obtain accounts, and it defines “person” as “an individual or entity.” Therefore, the Department proposes to require U.S. IaaS providers to collect the same identifying information and verify the identity of beneficial owners of Accounts owned or maintained by entities. Under the proposed rule, a beneficial owner is defined as an individual who either: (1) exercises substantial control over a Customer, or (2) owns or controls at least 25 percent of the ownership interests of a Customer. The Department seeks comments on these definitions, including the meaning of “substantial control.”

C. Confidentiality

The Department proposes to define “confidentiality” as preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

D. Customer Identification Program

The Department proposes to define “Customer Identification Program” as a program created by a U.S. IaaS provider or foreign reseller that dictates how the IaaS provider will collect identifying information about its customers, how the IaaS provider will verify the identity of its foreign customers, store and maintain identifying information, and notify its customers about the disclosure of identifying information.

E. Department

The Department proposes to define “Department” as the United States Department of Commerce.

F. Disassociability

The Department proposes to define “disassociability” as enabling the processing of data or events without association to individuals or devices beyond the operational requirements of the system.

G. Foreign Beneficial Owner

The Department proposes to define “foreign beneficial owner” as a beneficial owner that is not a United States person.

H. Foreign Customer

The Department proposes to define “foreign customer” as a customer that is not a United States person.

I. Foreign Reseller

The Department proposes to adopt the definition from E.O. 14110 and define “foreign reseller” to mean a foreign person who has established an IaaS Account to provide IaaS subsequently, in whole or in part, to a third party. This is consistent with the definition for foreign reseller included in E.O. 14110.

J. Individual

The Department proposes to define “individual” as any natural person.

K. Infrastructure as a Service Product

This proposed definition adopts the E.O. 13984 definition for “Infrastructure as a Service product”, which is any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the Start Printed Page 5702 product is available to the consumer. The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet ( e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person ( e.g., “baremetal” servers).

The Department believes that this expansive definition will allow for regulations to apply to a broad range of IaaS product offerings that can be used by foreign malicious cyber actors to carry out attacks on the United States or United States persons. Note that this definition includes all service offerings for which a consumer does not manage or control the underlying hardware, but rather contracts with a third party to provide access to this hardware. This definition would capture services such as content delivery networks, proxy services, and domain name resolution services. It does not, however, capture domain name registration services for which a consumer registers a specific domain name with a third party, as that third party does not provide any processing, storage, network, or other fundamental computing resource to the consumer. The Department seeks comment on the categories of products or services that fall within this definition.

L. Integrity

The Department proposes to define “integrity” as guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

M. Knowledge

The Department proposes to define “knowledge” as knowledge of a circumstance (the term may be a variant, such as “know,” “reason to know,” or “reason to believe”) including not only positive knowledge that the circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence. Such awareness is inferred from evidence of the conscious disregard of facts known to a person and is also inferred from a person's willful avoidance of facts. This definition is similar to that in the Department's Export Administration Regulations.

N. Large AI Model With Potential Capabilities That Could Be Used in Malicious Cyber-Enabled Activity

The Department proposes to define “large AI model with potential capabilities that could be used in malicious cyber-enabled activity” as any AI model with the technical conditions of a dual-use foundation model, or that otherwise has technical parameters of concern, that has capabilities that could be used to aid or automate aspects of malicious cyber-enabled activity, including but not limited to social engineering attacks, vulnerability discovery, denial-of-service attacks, data poisoning, target selection and prioritization, disinformation or misinformation generation and/or propagation, and remote command-and-control, as necessary and appropriate of cyber operations. The Department seeks comment on this proposed definition.

E.O. 14110 also instructs the Secretary to determine and to update, “as necessary and appropriate,” the set of technical conditions for a “large AI model to have potential capabilities that could be used in malicious cyber-enabled activity.” Based on the above definition, the Secretary will make this initial determination and any necessary and appropriate updates to it which the Department will publish in the Federal Register . Such technical conditions may include the compute used to pre-train the model exceeding a specified quantity.

The Department seeks comment on the proposed definition, as well as on the Secretarial process for determining and, because of rapidly advancing technology, updating the set of specific technical conditions necessary for a large AI model to meet the definition and have the potential capabilities that could be used in malicious cyber-enabled activities.

O. Manageability

The Department proposes to define “manageability” as providing the capability for granular administration of data, including alteration, deletion, and selective disclosure.

P. Predictability

The Department proposes to define “predictability” as enabling reliable assumptions by individuals, owners, and operators about data and their processing by a system, product, or service.

Q. Privacy-Preserving Data Sharing and Analytics

The Department proposes to define “privacy-preserving data sharing and analytics” as the use of privacy-enhancing technologies to achieve disassociability, predictability, manageability, and confidentiality when performing analytics on data.

R. Red Flag

The Department proposes to define “Red Flag” as a pattern, practice, or specific activity that indicates the possible existence of malicious cyber-enabled activities.

S. Reseller

The Department proposes to define “reseller” as a person that maintains a Reseller Account.

T. Risk-Based

The Department proposes to define “risk-based” as based on an assessment of the relevant risks, including those presented by the various types of service offerings maintained by an IaaS provider, the methods used to open an Account, the varying types of identifying information available to an IaaS provider, and an IaaS provider's customer base.

U. Secretary

The Department proposes to define “Secretary” as the Secretary of Commerce or the Secretary's designee.

V. Threat Landscape

The Department proposes to define “threat landscape” as the broad environment of geopolitical, economic, and technological factors that must be evaluated when developing risk-based procedures that enable an IaaS provider to form a reasonable belief of the true identity of each Account owner and beneficial owner to deter facilitating significant malicious cyber-enabled activities.

W. Training or Training Run

The Department proposes to define “training” or “training run” as any process by which an AI model learns from data through the use of computing power.

X. United States Infrastructure as a Service Product

The Department proposes to clarify the E.O.'s definition of “United States Infrastructure as a Service product.” The E.O. defines this term as “any Infrastructure as a Service Product owned by any United States person or operated within the territory of the United States of America.” The Department considers Reseller Accounts as IaaS products.

Y. United States Infrastructure as a Service Provider

E.O. 13984 defines “United States Infrastructure as a Service provider” as “any United States Person that offers any Infrastructure as a Service product.” The Department notes that this Start Printed Page 5703 definition of “United States Infrastructure as a Service provider” includes any United States person that is a direct provider of U.S. IaaS products and any of their U.S. resellers. The Department proposes to consider U.S. resellers of U.S. IaaS products as IaaS providers subject to these proposed regulations.

In response to the ANPRM, several commenters suggested that the Department clarify whether this term includes foreign subsidiaries of United States persons. Specifically, these commenters believed including foreign subsidiaries of United States persons in this definition would exceed the scope of the E.O., which focuses on threats to the United States from U.S. IaaS products, not those offered by foreign subsidiaries. The Department proposes to clarify that a foreign subsidiary of a U.S. IaaS provider is not considered to be a “United States Infrastructure as a Service provider.”

E.O. 13984 requires the Secretary to propose regulations to require providers to “verify the identity of a foreign person in connection with the opening of an Account or the maintenance of an existing Account.” It requires that any regulations set out the types of documentation or procedures “required to verify the identity of any foreign person acting as a lessee or sub-lessee of these products or services.” The Department proposes to consider U.S. resellers of U.S. IaaS products as U.S. IaaS providers subject to these proposed regulations.

(2) Customer Identification Program Regulations and Relevant Exemptions

Under this proposed rule, U.S. IaaS providers and their foreign resellers would maintain CIPs, perform effective customer verification, and maintain identifying information about their foreign customers, which is critical to combating malicious cyber-enabled activities. The Department proposes to require that all U.S. IaaS providers implement their own CIPs, require CIPs of their foreign resellers, and report to the Department on these CIPs. The Department will consider allowing U.S. IaaS providers an adjustment period to implement some provisions of this proposed regulation and notify the Department accordingly, and anticipates that compliance would be required within one year of the date of publication of any final rule.

Accordingly, the Department proposes to require IaaS providers develop their own risk-based CIP. Taking into consideration the different types of IaaS Accounts, the different methods used to open the Accounts, and the types of information available to identify foreign malicious cyber actors, while avoiding the imposition of an undue burden on providers, the Department proposes to allow each provider to create a CIP that matches its unique service offerings and customer bases. Provided that IaaS providers meet certain minimum requirements in their CIPs, providers can create CIPs that are flexible and minimally burdensome to their business operations.

The Department proposes to require U.S. resellers of U.S. IaaS Accounts to establish CIPs and identity verification procedures to be used any time they act as a reseller for U.S. IaaS products. The CIPs of such U.S. resellers would be subject to the minimum standards in this proposed rule. U.S. resellers would be responsible for establishing the identity of their potential customers, including all prospective beneficial owners of these Accounts, and determining whether they are U.S. persons. U.S. resellers would also be responsible for verifying the identity of their foreign customers under this proposed rule. The Department requests comments on whether resellers that are small businesses might find it more difficult to develop a CIP. The Department proposes to allow U.S. resellers, by agreement with a U.S. IaaS provider, to reference, use, rely on, or adopt the CIPs created by the U.S. IaaS provider to help minimize any compliance burdens on the reseller. The Department further seeks comments on whether resellers currently request identifying information from their customers and how these resellers verify the identity of their prospective foreign customers.

The Department seeks comments on whether to require IaaS providers to conduct third-party or internal audits to confirm their compliance with CIP requirements in the proposed rule. The Department also seeks comments on whether the Department should receive and approve all CIPs. The Department additionally seeks comments on whether the rulemaking should require U.S. IaaS providers to submit Red Flags either to the Department or to another relevant department or agency. Below, the Department explains additional specific requirements for CIPs.

A. Data Collection Requirements

Under the proposed rule, each CIP must include procedures that U.S. IaaS providers and their foreign resellers will use to collect information from all covered existing and prospective customers, that is, those who have applied for an account. At a minimum, the following data would be collected: a customer's name, address, the means and source of payment for each customer's Account, email addresses and telephone numbers, and internet protocol (IP) addresses used for access or administration of the Account. IaaS providers may alter their CIPs to require additional information from prospective customers that is necessary to verify the identity of any foreign person, but all CIPs must, at a minimum, collect the previously listed data. The Department proposes omitting a requirement for collecting and verifying national identification numbers because, based on public feedback, the Department believes that national identification number verification would be unduly burdensome and would not be necessary to verify identity. The Department seeks comments on whether other forms of identification, such as digital or technology-based identification, should be included as an acceptable means by which IaaS providers may verify customers' identities, and if companies have privacy-protecting or privacy-enhancing technologies to verify this same information or other alternatives that can effectively achieve identity verification.

The Department believes that many U.S. IaaS providers and their foreign resellers already collect this information from their customers, and that the proposed rule would set a baseline for data collection that would help all providers effectively verify and document the identities of their customers. The Department seeks comments on the costs and burdens associated with this proposed requirement and whether the Department should include additional data collection in a baseline requirement for CIPs. The Department proposes a requirement that providers make a written description of their CIPs available for inspection by the Department, which may identify specific shortcomings for providers to resolve. The Department seeks comment on this proposal.

The Department is proposing to require that CIPs account for the collection of identifying information about the actual Account owner and all beneficial owners of the Account. Specifically, the proposed required description of the CIP would specify how providers would ensure that all beneficial owners of an Account at its inception and any new beneficial owner added to the Account undergo the same identification procedures as the person opening the Account. The Department seeks comment on this approach. Start Printed Page 5704

B. Prospective Customers From the United States

E.O. 13984 addresses threats to U.S. IaaS products and services by foreign malicious cyber actors. Section 1 of the E.O. therefore requires the Department to propose regulations to require U.S. IaaS providers to verify the identity of “a foreign person that obtains an Account.”

Therefore, the Department proposes to require U.S. IaaS providers to verify the identity of foreign persons who obtain an Account from providers and to require the same of their foreign resellers. Although providers would be required to create a CIP that includes the minimum data collection requirements for all prospective customers, they would not be required to verify the identity of customers with Accounts opened by or on behalf of a U.S. person, unless a foreign beneficial owner is added to the Account or the Account or a portion of the Account is resold to a foreign person.

The Department seeks comments about whether the proposed data collection requirements above would enable providers to accurately distinguish foreign current and prospective customers from others. If these proposed requirements are inadequate, what additional required information should be included in the CIPs to aid in these efforts? The Department also seeks comments on the availability of secure data deletion standards and whether to require their implementation for Accounts determined to be opened, owned, and accessible exclusively by U.S. persons.

C. Identity Verification

The Department proposes to require that CIPs include procedures to ensure that U.S. IaaS providers and their foreign resellers verify the identity of all foreign Account owners and foreign beneficial owners. Under the proposed rule, providers may craft their own procedures and methods to verify the identity of their prospective foreign customers and beneficial owners, provided that their CIPs include risk-based procedures that enable the provider to form a reasonable belief about the true identity of each customer and beneficial owner. These procedures must be based on a provider's assessment of the relevant risks, including those presented by the various types of service offerings maintained by the provider, the methods used to open an Account, the varying types of identifying information available to the provider, and the provider's customer base. Under the proposed rule, the CIP must establish whether a provider will use documentary or non-documentary verification or a combination of both. It must establish how a provider will verify the identity of its customers when the customer is unable to produce the requested documents. The Department believes this flexibility would minimize the burden placed on providers by these regulations. The Department seeks comments on this risk-based approach to allow providers to form reasonable beliefs of the true identity of each customer and beneficial owner and on what information they would need to collect to accomplish this.

Under the proposed rule, the CIP must include steps a provider would take if it is unable to verify the identity of any customer, including refusing to open an Account and/or additional monitoring pending attempts at verification. It must further set out the terms under which a customer may continue to have access to an Account while the provider attempts to verify the identity of the customer, and when a provider would close an Account after attempts to verify a customer's identity have failed. Additionally, it must describe measures for redress and issue management to address situations in which legitimate customers may fail identity verification, or in which their information was compromised and a fraudulent account established. The Department seeks comments on whether to require specific verification methods, such as email or payment verification, for all prospective customers. The Department seeks comments on whether the Department should allow providers to grant potential customers access to Accounts prior to successful identity verification. The Department seeks comments on whether including reference to National Institute of Standards and Technology (NIST) Special Publication (SP) 800–63 regarding digital identity guidelines would help IaaS providers meet requirements for identity verification.

D. Recordkeeping

The Department proposes to require U.S. IaaS provider and foreign reseller of U.S. IaaS product CIPs to include procedures for maintaining, protecting, and obtaining access to records of relevant customer information accessed in the process of verifying customer identities. At a minimum, this record must include a description of the identity evidence and attributes provided by the customer when the customer first attempted to open an Account, a description of the methods and results of any measures undertaken to verify customer identity, and a description of the resolution of any substantive discrepancy discovered when verifying the identifying information. The proposed rule leaves to IaaS providers the discretion to design their own recordkeeping procedures, so long as these procedures obtain this minimum information.

The Department proposes to require that CIPs of U.S. IaaS providers and their foreign reseller include requirements to securely maintain these records and describe measures taken to ensure that the information is secure. The proposed regulations would require that IaaS providers limit access to any records or documents created, retained, or accessed pursuant to these regulations by any third parties or IaaS provider employees without a need-to-know basis for obtaining this access. However, no such requirement should be read to limit IaaS providers' ability to share security best practices and threat information with other IaaS providers, relevant consortia, or the U.S. Government as needed and consistent with applicable law. The Department seeks comments on the feasibility of this approach and the costs of doing so. The Department further seeks comments on whether there currently exist best practices for the maintenance, storage, and security of customer identifying information.

The Department proposes to require that U.S. IaaS providers retain these records for a period of two years after the date upon which an Account was last accessed or closed. The Department preliminarily determines that a two-year period is necessary to allow law enforcement the ability to gain access to this information should an Account be suspected of hosting malicious cyber-enabled activity. The Department seeks comments on the burdens to IaaS providers of maintaining these records for two years, and whether there are alternative ways to allow for both immediate and long-term access to customer information should an Account be used for malicious cyber-enabled activity. The Department seeks comments on whether to require that CIPs include procedures to address situations where an Account that has been inactive for more than two years is subsequently accessed by a foreign person, and whether to require that IaaS providers request that the foreign person provide the enumerated identifying information again in these circumstances. Start Printed Page 5705

E. Ensuring Verification for Foreign Resellers

As directed in E.O. 14110, the Department proposes to require that U.S IaaS providers only initiate or continue a reseller relationship with foreign resellers of U.S. IaaS products that maintain and implement a CIP that meets the requirements for CIPs of U.S. IaaS providers in this proposed rule. The Department recognizes that it will take U.S. IaaS providers time to educate, coordinate, and collect information from their foreign resellers on CIP requirements and therefore anticipates allowing U.S. IaaS providers up to one year to implement such final provisions and notify the Department accordingly. Under this proposed rule, U.S. IaaS providers would be required to furnish a copy of any foreign reseller's CIP to the Department within ten calendar days following a request for the same from the Department. The Department seeks comments on the potential challenges that U.S. IaaS providers would face when collecting this information from their foreign resellers of U.S. IaaS products. The proposed rule would also require that, upon receipt of evidence that indicates the failure of a foreign reseller to maintain or implement a CIP or that indicates malicious cyber-enabled activity, U.S. IaaS providers must report malicious cyber-enabled activity and close accounts associated with the activity and must terminate the reseller relationship within 30 calendar days. The Department seeks comments on the challenges U.S. IaaS providers would face in investigating and remediating malicious cyber activity by foreign resellers, as well as the contractual difficulties posed by terminating the relationship with a non-compliant foreign reseller. The Department further seeks comments on the extent to which there currently exist customer identification and verification practices which U.S. IaaS providers require their foreign resellers to use.

F. Customer Identification Program Updates and Certifications

The Department proposes to require that U.S. IaaS providers submit to the Department certain information about their CIPs and their foreign resellers' CIPs, to include procedures on verifying customer identity and detecting malicious cyber activity, as well as information and data on their provision of IaaS products. The Department further proposes to require that U.S. IaaS providers and their foreign resellers update their CIPs annually to protect against new cyber threats and vulnerabilities, as well as to increase efficiency and data security, and to certify to the Department that such annual updates have occurred. The Department proposes that U.S. IaaS providers must notify the Department of any updates to their CIP or any CIP of their foreign resellers. In these annual certifications, providers would also attest to the Department that, since the date of last certification, they have reviewed their CIPs and updated their CIPs to account for any changes in their service offerings and for changes to the threat landscape. The certification would include an attestation that the current CIP complies with the provisions of the proposed rule. This attestation would require the provider to indicate the frequency with which it was unable to verify the identity of a foreign customer in the prior calendar year and record the resolution for each of those situations. The Department seeks comments on the usefulness and feasibility of such attestation and whether the Department should require additional information in these certifications, the procedures for submission of such certifications, and whether the Department should require these certifications more or less frequently than annually. The Department seeks comments on whether there currently exist best practices for customer identification and verification that providers can use as a model for their CIPs.

G. Exemptions

Section 1(c) of E.O. 13984 permits the Secretary, in accordance with such standards and procedures as the Secretary may delineate and, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, to exempt any U.S. IaaS provider, or any specific type of Account or lessee, from the requirements of any regulation issued pursuant to the section. Such standards and procedures may include a finding by the Secretary that a provider, Account, or lessee complies with security best practices to otherwise deter abuse of IaaS products. Section 4.2(d)(iii) of E.O. 14110 also provides that the Secretary may “exempt a United States IaaS Provider with respect to any specific foreign reseller of their United States IaaS Products, or with respect to any specific type of account or lessee, from the requirements of any regulation issued pursuant to this subsection,” that section being related to CIP requirements for foreign resellers of U.S. IaaS products.

This NPRM proposes standards and procedures for exemptions from CIP requirements in §§ 7.302 through 7.305 for U.S. IaaS providers and with regard to any of their specific foreign resellers. The regulations propose that providers seeking an exemption submit a written request electronically. The Department anticipates that the final rule would designate an email address to receive such requests. The Department seeks comments on these standards and procedures in proposed § 7.306. The Department seeks comment on whether there exist security best practices to deter abuse of U.S. IaaS products that the Secretary may reference in the future to authorize exemptions from these regulations, including but not limited to improving event log management to generate, safeguard, and retain logs of IaaS providers' system and network events, both to improve incident detection and to aid in incident response and recovery activities. The Department also seeks comments on whether there are appropriate safe harbor activities that might form the basis of an exemption program.

(3) Special Measures Regulations

A. Special Measures Requirements

The Department proposes regulations to implement the authority provided to the Secretary to take either of the special measures enumerated in E.O. 13984, should the Secretary determine that reasonable grounds exist for concluding that a jurisdiction or person outside of the U.S. “has any significant number of foreign persons offering U.S. IaaS products that are used for malicious cyber-enabled activities or any significant number of foreign persons directly obtaining U.S. IaaS products for use in malicious cyber-enabled activities.” The Department proposes to allow the Department to initiate investigations of its own accord or accept referrals from other executive branch agencies or providers to evaluate evidence about a particular foreign jurisdiction or person to determine whether to impose a special measure. The Department would then assess the information in its possession and information available from public and other sources about a foreign person or foreign jurisdiction to determine whether imposing a special measure would be appropriate. Should the Secretary determine that the evidence warrants the imposition of a special measure, the Secretary would issue a determination in the Federal Register , to take effect 30 days after publication, that would set out the reasonable grounds for this determination and Start Printed Page 5706 would indicate which special measure the Secretary would intend to use.

B. Reasonable Grounds Determination

E.O. 13984 provides that, when determining whether a particular foreign jurisdiction “has any significant number of foreign persons offering U.S. IaaS products that are used for malicious cyber-enabled activities or any significant number of foreign persons directly obtaining U.S. IaaS products for use in malicious cyber-enabled activities,” the Secretary must consider, among other relevant information: (1) evidence that foreign malicious cyber actors have obtained U.S. IaaS products in that foreign jurisdiction, including whether such actors obtained such U.S. IaaS products through reseller accounts; (2) the extent to which that foreign jurisdiction is a source of malicious cyber-enabled activities; and (3) whether the U.S. has a mutual legal assistance treaty with that foreign jurisdiction, and the experience of U.S. law enforcement officials in obtaining information about activities involving U.S. IaaS products originating in or routed through such foreign jurisdiction.

With respect to foreign persons, the Secretary must assess: (1) the extent to which a foreign person uses U.S. IaaS products to conduct, facilitate, or promote malicious cyber-enabled activities; (2) the extent to which U.S. IaaS products offered by a foreign person are used to facilitate or promote malicious cyber-enabled activities; (3) the extent to which U.S. IaaS products offered by a foreign person are used for legitimate business purposes in the jurisdiction; and (4) the extent to which actions short of the imposition on special measures are sufficient, with respect to transactions involving the foreign person offering U.S. IaaS products, to guard against malicious cyber-enabled activities. Finally, the Secretary may analyze any information gleaned through the Department's existing authority to review ICTS transactions pursuant to its authority derived from Executive Order 13873 of May 17, 2019, “Securing the Information and Communications Technology and Services Supply Chains” (84 FR 22689). The Department seeks comments on any additional relevant factors the Secretary should consider.

C. Choosing a Special Measure

The Department proposes to require that the Secretary's investigation process include consultation with the agencies referenced in E.O. 13984, namely the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of National Intelligence, and other heads of other executive departments and agencies as the Secretary deems appropriate, to determine which special measure to impose. This consultation would include a review of the available evidence to determine whether to impose a special measure against a foreign jurisdiction or against a foreign person; a consideration of whether the imposition of the special measure would create a significant competitive disadvantage, including any undue cost or burden associated with compliance, for providers; and a determination of the extent to which the imposition of a special measure or the timing of the special measure would have a significant adverse effect on legitimate business activities involving the foreign jurisdiction or foreign person. Finally, the determination would include an assessment of the effect of any special measure on U.S. supply chains, public health or safety, national security, law enforcement investigations, or foreign policy. The Department seeks comments on whether additional considerations should be included before the Secretary would choose a special measure.

(3) AI Training Reporting Requirements

Section 4.2 (c)(i) of E.O. 14110 instructs the Secretary to “propose regulations that require United States IaaS Providers to submit a report to the Secretary of Commerce when a foreign person transacts with that United States IaaS provider to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.” Such report shall include, at a minimum, the identity of the foreign person and the existence of any training run of an AI model meeting the criteria set forth in E.O. 14110 or otherwise determined by the Secretary, and other information as identified by the Secretary. In addition, section 4.2(c)(ii) of E.O. 14110 directs that U.S. IaaS providers must be required to prohibit foreign resellers of their U.S. IaaS products from providing those products unless the foreign resellers submit such reports to the provider, which the provider must provide to the Secretary.

This proposed rule would require such providers to report to the Department information on instances of training runs by foreign persons for large AI models with potential capabilities that could be used in malicious cyber-enabled activity. Reportable information includes the identifying information about the training run ( i.e., the customer's name, address, the means and source of payment for the customer's Account, email addresses, telephone numbers, and IP addresses) and the existence of the training run. The Department requests comment on what additional information, if any, the Department should require providers report.

Section 4.2(c)(iii) instructs the Secretary to “determine the set of technical conditions for a large AI model to have potential capabilities that could be used in malicious cyber-enabled activity, and revise that determination as necessary.”

The Department has proposed that a model meets the definition of a “large AI model with potential capabilities that could be used in malicious cyber-enabled activity” if it meets technical conditions issued by the Department in interpretive rules published in the Federal Register . The Department will update the technical conditions, based on technological advancements, as necessary and appropriate, as directed by E.O. 14110, through interpretive rules published in the Federal Register . The Department seeks comment on the definition of a “large AI model that could be used in malicious cyber-enabled activity,” and on what Red Flags, if any, the Department should adopt that would create a presumption that a foreign person is training a model with the technical conditions set out in E.O. 14110.

(4) Compliance and Enforcement

Though issued pursuant to the President's authority derived from IEEPA, E.O. 13984 is silent as to penalties for noncompliance. The Department proposes to clarify that any person who commits a violation of this proposed rule, if finalized, may be liable to the United States for civil or criminal penalties under IEEPA. Although the Department currently has penalty provisions under 15 CFR 7.200 for violations of Final Determinations issued pursuant to the Department's ICTS authorities pursuant to the IEEPA, the Department believes it is important to have a new enforcement section specific to violations of these IaaS-related provisions. Accordingly, the Department is adding a section on enforcement, which lists civil and criminal penalties, and the acts particular to these IaaS-related provisions that will result in those penalties. For example, the new enforcement section specifies that it is a violation to fail to create a CIP, or to fail to file with the Department a CIP certification, or fail to seek reauthorization for such CIPs on an Start Printed Page 5707 annual basis. It is also a violation to fail to inform the Department about a covered IaaS transaction that might result in a customer obtaining or using a large AI model with potential capabilities that could be used in malicious cyber-enabled activity when an IaaS provider knows or should know of such transaction.

Regarding penalties for violations, whether a violation results in a civil or criminal penalty will depend largely on the nature of the offense. For example, intentionally or knowingly violating a provision of these regulations could result in criminal penalties, while unintentional violations are more likely to result in civil penalties. The Department seeks comments on this approach.

V. Classification

a. Executive Order 12866

This rulemaking has been determined to be a significant action under Executive Order 12866, as amended by Executive Order 14094.

b. Regulatory Impact Analysis

As required by Executive Order 12866, and the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., the Department of Commerce has prepared the following regulatory impact analysis (RIA) and initial regulatory flexibility analysis (IRFA) for this proposed rule.

1. Need for Regulatory Action

The reasons for and need for this action are summarized in this preamble. This rule is being proposed pursuant to E.O. 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” and E.O. 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” As stated in E.O. 13984, “Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities; foreign resellers of United States [IaaS] products make it easier for foreign actors to access these products and evade detection.” Furthermore, E.O. 14011 states that “irresponsible use could exacerbate societal harms such as fraud, discrimination, bias, and disinformation; displace and disempower workers; stifle competition; and pose risks to national security.” To address these threats, E.O. 13984 requires the Secretary to propose regulations “that require United States Infrastructure as a Service (IaaS) providers to verify the identity of a foreign person that obtains an Account.” These regulations must also require U.S. IaaS providers to verify the identity of foreign customers, and the E.O. authorizes the Secretary to limit certain foreign actors' access to U.S. IaaS products. E.O. 14110 adds to these requirements by requiring the Secretary to propose regulations that require U.S. IaaS providers to ensure that foreign resellers of U.S. IaaS products verify the identity of any foreign person that obtains an IaaS Account for the foreign reseller. These requirements are necessary to protect the national security of the United States and the integrity of the ICTS supply chain.

2. Affected Entities

The proposed rulemaking would apply to all U.S. providers of U.S. IaaS products, including resellers.

3. Number of Affected Entities

The Department estimated both a lower and upper bound for the number of entities affected by the proposed rule. To derive the lower bound estimate, the Department first identified a core group of IaaS providers that operate in the United States. This lower bound estimate assumes that all United States IaaS products are sold directly to the customer and no domestic resellers supply these products. Based on this lower bound estimate, the Department estimates that approximately 25 providers in the United States would be potentially directly impacted by this rulemaking.

The upper bound estimate of potentially impacted entities is based on the estimated number of resellers who participate in the sale of U.S. IaaS products. According to the Census Bureau, in 2020 there were 1,812 firms that owned at least one establishment located within the United States and operating in North American Industry Classification System (NAICS) code 517121—Telecommunication Resellers in the United States.^[1] While most of these entities would not likely be impacted by this proposed rule as they do not resell IaaS products or services, the Department uses this figure as the upper bound estimate for this impact statement because it is possible all of the Telecommunications Resellers could engage in IaaS product resale. The Department therefore estimates the number of entities potentially affected by this rulemaking would be between 25 and 1,837. Of those firms operating in the Telecommunications Resellers industry under NAICS 51721, 99 percent, or 1,791 firms, operate an enterprise size of 500 or fewer employees. This data underscores that the majority of listed entities in this sector can be classified as small businesses based on this specific definition.

4. Administrative Compliance Burden on U.S. Companies

The Department assessed the administrative compliance burden on U.S. companies by estimating the costs of: (1) learning about the proposed rule; (2) developing CIPs; (3) implementing CIPs; (4) updating CIPs; (5) completing annual certifications; (6) educating foreign resellers on CIP requirements; and (7) processing reporting from and on foreign resellers and foreign customers. Although the rulemaking would provide certain regulatory alternatives for industry, such as the option to adopt the CIP of another provider, and exemptions from the CIP requirement in certain circumstances, the below analysis assumes that each company would engage in the development, implementation, and updating of a CIP.

The Department also requests public comment on any of the assumptions and estimates in this analysis.

i. Learning About the Proposed Rule

The Department expects that businesses learning about the proposed rule and its requirements would largely be accomplished by attorneys and operations managers. The Department's estimate for the cost to businesses of learning about the rulemaking is further derived from estimates of the number of firms potentially impacted by the rulemaking, the share of potentially impacted firms likely to devote time and resources to learning about the rulemaking, the number of hours needed to read and learn about the rulemaking, and the wages of the employees tasked with learning about the rulemaking. Table 1 provides a detailed breakdown of the framework for estimating these costs.

ii. Developing a CIP

To develop CIPs, companies would likely be required to assess their offerings of IaaS products, analyze relevant cybersecurity risks associated with these products, evaluate procedures for customer identity verification, and develop risk mitigation strategies.

To estimate the financial impact to businesses of developing a CIP, the Department estimated the number of firms likely impacted by the proposed rule, the share of potentially impacted firms likely to devote time and resources to developing a CIP, the number of hours needed to develop a CIP, and the wages of the employees tasked with developing a CIP. A detailed breakdown of the framework for estimating these costs can be found in table 2.

iii. Implementing the CIP

Implementation of a CIP would likely entail: collecting and verifying identifying information of customers, maintaining a secure recordkeeping system, performing due-diligence checks using government lists of known malicious cyber actors, and providing annual reports to the Department. The proposed rule would also require entities to monitor aspects of compliance with their foreign customers and resellers. The costs estimated for implementing a CIP would be incurred annually. To estimate the financial impact to businesses of implementing a CIP, the Department estimated the number of firms potentially impacted by the proposed rule, the share of potentially impacted firms likely to implement a CIP, and the wages of the employees performing these tasks. A detailed breakdown of the framework for estimating these costs can be found in table 3.

iv. Updating the CIP

The proposed rule would require that affected entities regularly, at least annually, update their CIPs to account for new technologies, cybersecurity vulnerabilities, and changes to their business. This would likely entail reviewing the threat landscape from the previous year and identifying system vulnerabilities. Table 4 details the estimated financial impact to businesses of annually updating a CIP.

v. Annual Certifications

The proposed rule would require IaaS providers to annually certify to the Department that they have updated their CIP, that their CIP complies with the rulemaking, and that they have recorded the resolution of each situation in which the IaaS provider was unable to verify the identity of a customer since its last certification.

The estimated costs of submitting annual certifications would occur annually. This estimate for costs is derived from estimates of the number of firms impacted by the proposed rule, the share of potentially impacted firms likely to submit the annual certifications, and the wages of the employees performing these tasks. A detailed breakdown of the framework for estimating these costs can be found in table 5.

vi. Foreign Reseller Requirements

The burden of learning about the proposed rule, and developing, maintaining, and recertifying CIPs for foreign resellers would fall upon foreign entities (the foreign resellers themselves). However, the Department recognizes that U.S. IaaS providers would be part of educating foreign resellers on regulatory requirements. U.S. IaaS providers would also need to collect and submit CIPs from foreign resellers. The Department anticipates that foreign resellers of U.S. IaaS providers would comply with the regulatory requirements, so does not anticipate there to be impact beyond the regulatory costs of compliance (which will fall to foreign entities), and the burden on U.S. providers to educate foreign resellers and process foreign reseller CIPs.

The Department recognizes that individual costs to industry would vary according to the number of foreign resellers connected to a U.S. IaaS provider. However, the Department is unable to estimate the potential number of foreign resellers of U.S. IaaS products, as this information is business proprietary information held by the U.S. IaaS providers. Following the implementation of CIP reporting requirements to the Department, the Department may be able to estimate a lower bound and upper bound on potential cost per CIP certification. However, at this time, due to the described limitations, the cost estimates have been made on a programmatic basis as opposed to a per CIP certification basis.

vii. Educating Foreign Resellers on U.S. CIP Requirements

U.S. IaaS providers would be required to ensure their foreign resellers comply with this proposed rule and to ensure they receive CIPs from their foreign resellers. This could involve notifying their foreign resellers of this proposed rule's requirements, advising foreign resellers on CIP solutions or processes, and generally educating foreign resellers about this rulemaking.

This estimate for costs is derived from estimates of the number of U.S. firms impacted by the proposed rule, the share of potentially impacted firms to educate their foreign resellers, and the wages of the employees performing these tasks. A detailed breakdown of the framework for estimating these costs can be found in table 6.

viii. Processing Reporting From Foreign Resellers and on AI Training Runs

The costs to U.S. IaaS providers associated with processing reporting from foreign resellers include costs of collecting and submitting to the Department upon request the CIPs from any foreign resellers, as well as any associated miscellaneous administrative costs. Processing reporting also would include U.S. IaaS providers' activities to report on any of their foreign customers using their U.S. IaaS products in a covered transaction for large AI model training. These would be annual costs.

This estimate for costs is derived from estimates of the number of U.S. firms impacted by the proposed rule, the share of potentially impacted firms that need to process foreign reseller CIPs and reports on foreign customers using their U.S. IaaS products in a covered transaction for large AI model training, and the wages of the employees performing these tasks. A detailed breakdown of the framework for estimating these costs can be found in table 7.

5. Potential Economic Impact of the Proposed Rule

Using the methodology described above, the Department has broken out the estimated compliance costs—summarized in tables 8 and 9—associated with the proposed rule's implementation. The cumulative costs are estimated to be between $270,672 and $171.7 million.

6. Benefits of the Proposed Rule

The ICTS industry, which includes IaaS products, has become integral to the daily operations and functionality of U.S. critical infrastructure, to U.S. Government operations, and to the U.S. economy as a whole. As such, exploitation of vulnerabilities within the ICTS supply chain can have a drastic effect on the U.S. national security. As noted in E.O. 13984, “foreign malicious cyber actors aim to harm the United States economy through the theft of intellectual property and sensitive data and to threaten national security by targeting United States critical infrastructure for malicious cyber-enabled activities.”

U.S. entities providing IaaS products, such as network management or data storage, can create multiple opportunities for foreign adversaries to exploit potential vulnerabilities in the ICTS ecosystem. These potential vulnerabilities are often categorized under the general concepts of threats to privacy, data integrity, and denial of service.

As E.O. 13984 highlights, foreign actors can exploit IaaS product vulnerabilities to steal critical intellectual property, health data, government information, or financial user information, potentially without detection. Once detected, the existence of such vulnerabilities may be extremely costly or impossible to remedy.

Malicious foreign actors can also exploit U.S. networks and systems to facilitate data breaches, potentially modifying critical files or data streams, or otherwise impacting the availability of data across U.S. networks. Such capabilities could be exercised in areas as diverse as financial market communications, satellite control systems, or other sensitive sectors.

Further, a foreign adversary could target vulnerable IaaS products to implement denial of service attacks, potentially causing widespread disruptions to critical industries. Without effective attribution, it is difficult for authorities to take mitigating actions to trace and prevent these types of attacks.

These risks, if exploited, could carry significant economic and social costs to both the U.S. Government and consumers. Sophisticated cyber-attacks are often obfuscated, making it difficult to establish the exact number of attacks that have leveraged IaaS product vulnerabilities against the U.S. ICTS supply chain. Such attacks, however, are increasing in frequency, exacting heavy tolls on U.S. consumers and businesses. Not only can attacks impact both sales and productivity, but they can also enact direct costs on businesses that must expend significant resources to remedy vulnerabilities or even pay ransom to retrieve data lost to attackers. While the Department is unable to calculate with certainty the number of attacks targeting the IaaS industry, the potential costs from these attacks are undoubtedly high. Additionally, if the use of IaaS products is expected to increase in the future, so too would the possibility of attacks. While the Department lacks the data necessary to determine precisely the monetary benefits of this proposed rule to compare with its estimated costs, significant portions of the U.S. economy are dependent on resilient ICTS and IaaS supply chains to function, and any disruption to these supply chains will cause significant economic harm to downstream industries.

7. Regulatory Alternatives

The Department considered several alternatives to this regulation to reduce the costs. These are explained in detail in subpart C, Regulatory Flexibility Analysis, of this section, below.

A. Regulatory Flexibility Act

In compliance with section 603 of the Regulatory Flexibility Act (RFA), 5 U.S.C. 601–612, the Department has prepared an initial regulatory flexibility analysis (IRFA) for this proposed rule. The IRFA describes the economic impacts the proposed action may have on small entities. The Department seeks comments on all aspects of the IRFA, including the categories and numbers of small entities that may be directly impacted by this proposed rule.

(1) A description of the reasons why action by the agency is being considered. The description of the reasons why the proposed rule is being considered is contained earlier in the preamble and is not repeated here.

(2) A succinct statement of the objectives of, and legal basis for, the proposed rule. The Department is proposing this rule to comply with Executive Order 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” (86 FR 6387), and E.O. 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (88 FR 75191). E.O. 13984 directs the Secretary to propose regulations requiring U.S. IaaS providers to collect customer identifying information from prospective customers and to verify the identity of all foreign customers. This E.O. further requires the Secretary to propose regulations authorizing the Start Printed Page 5724 Secretary to utilize one of two special measures to limit or prohibit specific IaaS Accounts should the Secretary, in consultation with various heads of other Executive agencies, determine that reasonable grounds exist to conclude the IaaS Account is being used to conduct malicious, cyber-enabled activity. E.O. 14110 also requires the Secretary to propose regulations that require U.S. IaaS providers report to the Department when they transact with a foreign reseller to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.

(3) A description of, and where feasible, an estimate of the number of small entities to which the proposed rule will apply. The proposed rule would apply to all providers of U.S. IaaS products, including resellers. The Department acknowledges that actions taken pursuant to this proposed rule may affect small entities or groups that are not easily categorized at present. The Department assesses, based on publicly available information, that the IaaS market is dominated by four large providers; however, it is difficult to ascertain how many small entities, are present in this market. For resellers, Survey of U.S. Business Data suggests that approximately 99 percent of the roughly 1,800 enterprises categorized as “Telecommunications Resellers” under NAICS code 517911 have fewer than 500 employees, indicating that the vast number of those resellers would be small businesses under the Small Business Administration (SBA) threshold for this NAICS code ( https://www.sba.gov/​document/​support-table-size-standards). However, the Department lacks data on the number of these Telecommunications Resellers that offer IaaS products.

(4) A description of the projected reporting, recordkeeping and other compliance requirements of the proposed rule, including an estimate of the classes of small entities that will be subject to the requirement and the type of professional skills necessary for preparation of the report or record. The proposed rule would impose on all U.S. IaaS providers of U.S. IaaS products a new requirement to identity and verify the identity of all foreign customers. It would require providers to ensure that foreign resellers of their U.S. IaaS products verify the identity of foreign users. It would require all U.S. IaaS providers of U.S. IaaS products to report to the Department information on instances of training runs by foreign persons for large AI model with potential capabilities that could be used in malicious cyber-enabled activity. Finally, it would require providers to submit annual certifications attesting to the Department that they have reviewed their CIPs and adjusted them to account for changes to the threat landscape since their prior certification. The Department believes this requirement would create the following recordkeeping obligations:

(i) The proposed rule would require that the customer identification and verification requirement be satisfied by obtaining identification information from each customer. The provider would then be required to verify customer identities through documentary or non-documentary methods and to maintain in its records for two years a description of (i) any document relied on for verification, (ii) any such non-documentary methods and results of such measures undertaken, and (iii) the resolution of any substantive discrepancies discovered in verifying the identification information. The Department estimates that the identification, verification, and recordkeeping requirements in the proposed rule would require an IaaS provider employee twenty (20) minutes, on average, to fulfill.

(ii) Annual Certifications. The proposed rule would require that U.S. IaaS providers of U.S. IaaS products provide to the Department annual certifications that indicate that the provider has updated their customer identification program to account for technological advances and the evolving threat landscape. The Department estimates it would require eight (8) to twenty-four (24) hours to review prior year compliance, complete CIP updates, and submit certification.

(iii) The proposed rule would require providers to submit a report to the Department whenever a foreign person transacts with them to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity. The Department estimates that an IaaS provider making a report on such a transaction could take on average twenty (20) minutes, depending on the complexity of the instance.

(5) An identification, to the extent practicable, of all relevant Federal rules that may duplicate, overlap or conflict with the proposed rule. This rulemaking does not duplicate or conflict with any Federal rules.

(6) A description of any significant alternatives to the proposed rule that accomplish the stated objectives of Executive Order 13984 and Executive Order 14110 and applicable statutes and that would minimize any significant economic impact of the proposed rule on small entities.

• No-action alternative: Not implementing a rule under these Executive orders (E.O.s) is not a viable alternative because both E.O.s expressly direct that the Secretary “shall propose for notice and comment regulations” given the related national security concerns associated with malicious cyber-enabled activities through the use of U.S. IaaS products.

• Alternative that would categorically exclude small entities or groups of small entities: This alternative would not achieve the national security objectives of these E.O.s. Due to the nature of ICTS networks, allowing even small entities or groups of small entities unregulated access to IaaS products or services can allow malicious actors to perpetrate attacks on the entire network, posing an undue risk to U.S. critical infrastructure and the U.S. economy as a whole.

• Preferred alternative: The proposed rule is the preferred alternative. It would achieve the objectives of the E.O.s by requiring IaaS providers to verify customer identities and facilitating the implementation of special measures that would allow the Secretary to apply a case-by-case, fact-specific process to identify, assess, and address any and all IaaS Accounts that pose an undue risk to the U.S. national security. The proposed rule also offers an exemption program that would offer providers an alternative to the CIP requirements to reduce their compliance burdens, as providers can decide whether it is less burdensome to implement a CIP or to apply for an exemption.

B. Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA) provides that an agency generally cannot conduct or sponsor a collection of information, and no person is required to respond to nor be subject to a penalty for failure to comply with a collection of information subject to the requirements of the PRA, unless that collection has obtained Office of Management and Budget (OMB) approval and displays a currently valid OMB Control Number.

This proposed rule contains new collection-of-information requirements subject to review and approval by OMB under the PRA. Specifically, this proposed rule would require U.S. IaaS providers of U.S. IaaS products to develop a written CIP, which dictates how the provider would collect identifying information about its customers, how the provider would verify the identity of its foreign customers, store and maintain Start Printed Page 5725 identifying information, and notify its customers about the disclosure of identifying information. Additionally, the proposed rule would require providers to report to the Department information on instances of training runs by foreign persons for large AI models with potential capabilities that could be used in malicious cyber-enabled activity. The Department requests comment on what additional information, if any, the Department should require providers report. Moreover, the proposed rule would require that U.S. IaaS providers of U.S. IaaS products submit to the Department an initial certification, and subsequent annual certifications, detailing certain aspects of their CIPs and stating that they have reviewed their CIP and adjusted it to account for changes to the threat landscape since their prior certification. These certifications would also include an attestation that the current CIP complies with the provisions of the proposed rule. The attestations would require the provider to indicate the frequency with which it was unable to verify the identity of a foreign customer in the prior calendar year and the number of times the provider refused to open an Account.

Alternatively, under the proposed rule, U.S. IaaS providers of U.S. IaaS products may seek an exemption from the CIP requirement by providing a written submission to the Secretary. Should the Secretary grant an exemption on the basis of a finding that the provider complies with security best practices to deter abuse of IaaS products, including that the provider has established an Abuse of IaaS Products Deterrence Program, the provider must thereafter submit annual notifications to the Department so that the Department could be assured that it continues to maintain security best practices to deter the abuse of U.S. IaaS products.

Public reporting burden for the reporting and recordkeeping requirements are estimated to average 245,229 hours for the initial learning, developing, and implementing a CIP for the relevant industry participants (897 respondents * 274 hours, tables 1, 2, and 3). Thereafter, the Department estimates a public reporting burden of 84,494 hours to update and annually certify with the Department a CIP once it has been developed, as well as prepare the annual certification (929 respondents * 91 hours, tables 4 and 5). The Department estimates a public reporting burden of 127,328 hours for the relevant industry participants to educate their foreign resellers on the proposed rule and process reporting from and on foreign resellers and foreign customers (692 respondents * 184 hours, tables 6 and 7). These estimates include the time for reviewing instructions, searching existing data sources, gathering the data needed, and completing and reviewing the collection of information.

The total estimated cost to the U.S. Government is $409,200 (500 notifications * 2 staff @GS–12 salary ($102.30/hr) * average of 10 hours each to review for each notification). The $102.30 per hour cost estimate for this information collection is consistent with the GS-scale salary data for a GS–12 step 5.

The Department requests comments on the information collection and recordkeeping requirements associated with this proposed rule. These comments will help the Department:

(i) evaluate whether the information collection is necessary for the proper performance of our agency's functions, including whether the information will have practical utility;

(ii) evaluate the accuracy of our estimate of the burden of the information collection, including the validity of the methodology and assumptions used;

(iii) enhance the quality, utility, and clarity of the information to be collected; and

(iv) minimize the burden of the information collection on those who are to respond (such as through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses).

C. Unfunded Mandates Reform Act of 1995

This proposed rule would not produce a Federal mandate (under the regulatory provisions of title II of the Unfunded Mandates Reform Act of 1995) for State, local, and tribal governments or the private sector.

D. Executive Order 13132 (Federalism)

This proposed rule does not contain policies having federalism implications requiring preparations of a Federalism Summary Impact Statement.

E. Executive Order 12630 (Governmental Actions and Interference With Constitutionally Protected Property Rights)

This proposed rule does not contain policies that have takings implications.

F. Executive Order 13175 (Consultation and Coordination With Indian Tribes)

The Department has analyzed this proposed rule under Executive Order 13175 and has determined that the action would not have a substantial direct effect on one or more Indian tribes, would not impose substantial direct compliance costs on Indian tribal governments, and would not preempt tribal law.

G. National Environmental Policy Act

The Department has reviewed this rulemaking action for the purposes of the National Environmental Policy Act (42 U.S.C. 4321 et seq.). It has determined that this proposed rule would not have a significant impact on the quality of the human environment.

List of Subjects in 15 CFR Part 7

• Administrative practice and procedure
• Business and industry
• Communications
• Computer technology
• Critical infrastructure
• Executive orders
• Foreign persons
• Investigations
• National security
• Penalties
• Technology
• Telecommunications

For the reasons set out in the preamble, 15 CFR part 7 is proposed to be amended as follows:

PART 7—SECURING THE INFORMATION AND COMMUNICATIONS TECHNOLOGY AND SERVICES SUPPLY CHAIN

1. The authority citation for part 7 is revised to read as follows:

Authority: 50 U.S.C. 1701, et seq.;50 U.S.C. 1601, et seq.;E.O. 13873, 84 FR 22689, 3 CFR, 2019 Comp., p. 317; E.O. 13984, 86 FR 6837, 3 CFR, 2021 Comp., p. 403.

2. Add subpart D, consisting of §§ 7.300 through 7.310, to read as follows:

Subpart D—Infrastructure as a Service Providers' Responsibility To Verify the Identity of Their Customers, Special Measures, and the Use of Their Products for Large AI Model Training

Footnotes