Securing the Information and Communications Technology and Services Supply Chain: Licensing Procedures

AGENCY:

U.S. Department of Commerce.

ACTION:

Advance notice of proposed rulemaking.

SUMMARY:

On January 19, 2021, the Department of Commerce (the Department) published a interim final rulemaking, “Securing the Information and Communications Technology and Services Supply Chain,” which became effective on March 22, 2021. It allows the Secretary of Commerce, in accordance with Executive Order 13873, to prohibit certain information and communications technology and services transactions (ICTS Transactions) to address national security threats. In the January 19 notice, the Department stated it would implement a licensing process by May 19th for entities seeking pre-approval before engaging in or continuing to engage in ICTS Transactions. The Department is now seeking public input on such a licensing or other pre-clearance process.

DATES:

Comments must be received by April 28, 2021.

ADDRESSES:

All comments must be submitted by one of the following methods:

• By the Federal eRulemaking Portal: http://www.regulations.gov at docket number [DOC-2021-DOC-2021-0004].
• By email directly to: ICTsupplychain@doc.gov. Include “RIN 0605-AA60: ANPRM” in the subject line.
• Instructions: Comments sent by any other method, to any other address or individual, or received after the end of the comment period, may not be considered. For those seeking to submit confidential business information (CBI), please clearly mark such submissions as CBI and submit by email or via the Federal eRulemaking Portal, as instructed above. Each CBI submission must also contain a summary of the CBI, clearly marked as public, in sufficient detail to permit a reasonable understanding of the substance of the information for public consumption. Such summary information will be posted on regulations.gov.

FOR FURTHER INFORMATION CONTACT:

Joe Bartels, U.S. Department of Commerce, telephone: (202) 482-1595. For media inquiries: Brittany Caplin, Deputy Director of Public Affairs and Press Secretary, U.S. Department of Commerce, telephone: (202) 482-4883, email PublicAffairs@doc.gov.

SUPPLEMENTARY INFORMATION:

On November 27, 2019, the Department of Commerce (the Department) published a notice of proposed rulemaking (84 FR 65316) seeking public comment on implementing Executive Order 13873 of May 15, 2019, “Securing the Information and Communications Technology and Services Supply Chain” (84 FR 22689). On January 19, 2021, the Department published a interim final rulemaking that is effective as of March 22, 2021 (86 FR 4909). In this document, in response to requests from various commenters, including multiple trade associations, to provide a pre-clearance process or similar program that would reduce uncertainty for entities seeking to engage in ICTS Transactions, the Department stated it would implement a licensing process by May 19, 2021 (86 FR 4909, at 4911).

However, it has become apparent additional public input is needed, and the Department does not expect to have a licensing or other pre-clearance process in place by May 19, 2021. With this ANPRM, the Department is seeking input into several aspects of a potential voluntary licensing or pre-clearance process. The Department will consider the public input as it drafts a Notice of Proposed Rulemaking.

Please note this ANPRM does not alter the effective date of the interim final rule nor does it reopen or extend the deadline for submitting comments on the interim final rule. This ANPRM is solely seeking public input on the forthcoming licensing procedures.

In responding to this ANPRM, please refer to the definitions and the explaination of those definitions used in the interim rule. For ease of reference, some of the more important terms are re-stated below:

ICTS Transaction means any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download. An ICTS Transaction includes any other transaction, the structure of which is designed or intended to evade or circumvent the application of the Executive Order. The term ICTS Transaction includes a class of ICTS Transactions.

Note that ICTS Transactions include provision of services, and the term includes any and all transactions that occurred on or after January 19, 2021, by any person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary. Providing services, such as software updates, to U.S. persons may provide a foreign adversary an opportunity to engage in the types of activities that may threaten U.S. national security.

Party or parties to a transaction means a person engaged in an ICTS Transaction, including the person acquiring the ICTS and the person from whom the ICTS is acquired. Party or parties to a transaction include entities designed, or otherwise used with the intention, to evade or circumvent application of the Executive Order. For purposes of this rulemaking, this definition does not include common carriers, except to the extent that a common carrier knew or should have known (as the term “knowledge” is defined in 15 CFR 772.1) that it was providing transportation services of ICTS to one or more of the parties to a transaction that has been prohibited in a final written determination made by the Secretary or, if permitted subject to mitigation measures, in violation of such mitigation measures.

Person means an individual or entity.

Person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary means any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary; any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary; any corporation, partnership, association, or other organization organized under the laws of a nation-state controlled by a foreign adversary; and any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary.

While the Department welcomes comments and views on all aspects of the future licensing process, the Department is particularly interested in obtaining information on the following questions:

• Multiple commenters pointed to notifications to the Committee on Foreign Investment in the United States (CFIUS) regarding certain investments in U.S. businesses and real estate transactions in the United States by foreign persons, as well as voluntary disclosures to the Bureau of Industry and Security (BIS) regarding potential violations of U.S. export controls, as potential models for creating a process that would provide entities seeking to engage in an ICTS Transaction greater certainty that the transaction will not be prohibited. Given the differences between the type of transactions subject to CFIUS jurisdiction, those governed by BIS's export control regime, and ICTS Transactions governed by the interim final rule, are the CFIUS and BIS processes useful models for an ICTS Transaction licensing or pre-clearance process? If so, are there specific factors or aspects of the CFIUS and BIS processes that Commerce should consider?
• Pre-clearance or licensing processes can take a range of forms from, for example, a regime that would require authorization prior to engaging in an ICTS Transaction, to one that allow entities to seek additional certainty from the Department that a potential ICTS Transaction would not be prohibitedby the process under the interim final rule. What are the benefits and disadvantages of these various approaches? Which would be most appropriate given the nature of ICTS transactions? How can these approaches be implemented to ensure that national security is protected?
• What considerations could be provided to small entities in the licensing or other pre-clearance process that would not impair the goal of protecting the national security?
• Are there categories or types of ICTS Transactions described in 15 CFR 7.3 or within the interim final rule that should or should not be considered for a license or pre-clearance? Are there categories or types of ICTS Transactions described in 15 CFR 7.3 or within the interim final rule that the Department should prioritize for licensing or pre-clearance? Should the licensing or pre-clearance process be structured differently for distinct categories or types of ICTS Transactions?
• Should a license or pre-clearance apply to more than a single ICTS Transaction? For example, should the Department consider issuing a license that applies to multiple ICTS Transactions from a single entity that is engaged in a long-term contract for ICTS? If so, what factors should the Department evaluate in determining the appropriateness of such a license or series of licenses?
• What categories of information should the Department require or not require, e.g. technical, security, operational information?
• While the Department understands that business decisions must often be made within tight timeframes, the Department may not be able to determine whether a particular ICTS Transaction qualifies for a license or pre-clearance without detailed information and analysis. Considering this tension, should the Department issue decisions on a shorter timeframe if that could result in fewer licenses or pre-clearances being granted, or would the inconvenience of a longer timeframe for review be outweighed by the potential for a greater number of licenses or pre-clearances being issued?
• How should the potential for mitigation of an ICTS Transaction be assessed in considering whether to grant a license or pre-clearance for that transaction?
• If a license or pre-clearance request is approved, but the subject ICTS Transaction is subsequently modified, what process should be enacted to avoid invalidation of the license or other form of pre-clearance?
• Should holders of an ICTS Transaction license or other form or pre-clearance have the opportunity to renew them rather than reapplying? If so, what factors should be considered in a renewal assessment? What would be the appropriate length of time between renewals? How should any renewal process be structured?