Commerce Department Issues Final Rule on Information and Communications Technology Supply Chain
On June 16, the U.S. Department of Commerce published a final rule, effective July 17, 2023, on Securing the Information and Communications Technology and Services ("ICTS") Supply Chain, signaling potential new actions on "connected software applications."
The Biden Administration has embraced a broad view of national security that encompasses personal data, civilian network security, and threats posed by disinformation. Among other tools to address these issues, the administration is formalizing a process for national security reviews (and potential industry-wide legal prohibitions) for certain imports of technology and software. The Commerce Department has drafted rules to govern this process and implement Executive Order 13873 (Securing the Information and Communications Technology and Services Supply Chain) and its companion directive, Executive Order 14034 (Protecting Americans' Sensitive Data From Foreign Adversaries).
With the new final rule, the Commerce Department has moved to expand and institutionalize its new review process, broadening the factors it may use to determine whether a transaction involving "connected software applications" presents "undue or unacceptable risks." The rule defines these applications as "software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet."
The new final rule provides eight criteria that the Commerce Department may consider when making this determination. These criteria include "[t]he number and sensitivity of the users of the connected software application," "[t]he scope and sensitivity of the data collected," "[a] lack of thorough and reliable third-party auditing of connected software applications," and "[t]he extent to which identified risks have been or can be addressed by independently verifiable measures."
The new rule may portend broader actions focused on connected software applications that collect or store personal data, potentially targeting specific products or classes of products. Companies that develop, use, or facilitate actions by software applications should be prepared to respond quickly as the Commerce Department implements its new authorities and review process.