Info tech and comms services (ICTS) at Commerce moved to BIS.


The Commerce Department has published a Final Rule redesignating regulations governing the review of certain transactions involving information and communications technology and services (ICTS) from the Secretary of Commerce to the Bureau of Industry and Security (BIS), Office of Information and Communications Technology and Services (OICTS).

The rule is intended to cover ICTS

  • designed, developed, manufactured, or supplied by persons
  • owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary and
  • which pose or may pose undue or unacceptable risks to the United States or U.S. persons.

This action moves regulations from subtitle A in the Code of Federal Regulations (CFR), which is generally reserved for Secretarial actions and Department-wide activities and operations, to chapter VII in title 15 of the CFR, where BIS regulations are located.

This is a procedural change that does not impact any processes of the Department or BIS, and will have no impact on any public or private entity outside of BIS.

About the Office of Information and Communications Technology and Services:

The ICTS program became a mission of BIS in 2022. OICTS is charged with implementing a series of Executive Orders (EOs) under the International Emergency Economic Powers Act (IEEPA) focused on protecting domestic information and communications systems from threats posed by foreign adversaries. The ICTS program’s authorities include:

  1. EO 13873, “Securing the Information and Communications Technology and Services Supply Chain” (May 15, 2019), delegated to the Secretary of Commerce broad authority to prohibit or impose mitigation measures on any ICTS Transaction subject to United States jurisdiction that poses undue or unacceptable risks to the United States.

  2. 15 C.F.R. Part 7, “Securing the Information and Communications Technology and Services Supply Chain,” is the implementing regulation for EO 13873. It establishes the scope of an ICTS Transaction and creates a process for reviewing ICTS Transactions that the Department or other agencies (through referrals) believe may pose an undue or unacceptable risk. The Department can, of its own accord or upon referral, investigate ICTS Transactions. Ultimately, the Secretary can prohibit or mitigate ICTS Transactions if those transactions pose one of the three risks outlined in EO 13873.

  3. EO 13984, “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” (January 19, 2021), directs the Secretary of Commerce to propose rules to address malicious cyber actors’ use of Infrastructure as a Service (IaaS), by proposing “know your customer” (KYC) requirements.

  4. EO 14034, “Protecting Americans’ Sensitive Data from Foreign Adversaries” (June 11, 2021), builds upon EO 13873 to address threats posed by connected software applications linked to foreign adversaries.

  5. EO 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (October 30, 2023), builds on EO 13984, directing the Secretary of Commerce to impose recordkeeping requirements on IaaS providers when transacting with a foreign person to train certain large AI models.

 

Rules

Redesignation of Regulations for Securing the Information and Communications Technology and Services Supply Chain

FR Document: 2024-15258
Citation: 89 FR 58263 

PDF Pages 58263-58265 (3 pages)