Federal Register / Vol. 86, No. 11 / Tuesday, January 19, 2021 / Rules and Regulations 4909

DEPARTMENT OF COMMERCE

15 CFR Part 7

[Docket No. 210113–0009]

RIN 0605–AA51

Securing the Information and Communications Technology and Services Supply Chain

AGENCY: U.S. Department of Commerce.

ACTION: Interim final rule; request for comments.

SUMMARY: The Department of Commerce is promulgating regulations to implement provisions of Executive Order 13873, “ on Securing the Information and Communications Technology and Services Supply Chain” (May 15, 2019). These regulations create the processes and procedures that the Secretary of Commerce will use to identify, assess, and address certain transactions, including classes of transactions, between U.S. persons and foreign persons that involve information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and pose an undue or unacceptable risk. While this interim final rule will become effective on March 22, 2021, the Department of Commerce continues to welcome public input and is thus seeking additional public comment. Once any additional comments have been evaluated, the Department is committed to issuing a final rule.

DATES: Effective March 22, 2021. Comments to the interim final rule must be received on or before March 22, 2021.

ADDRESSES: All comments must be submitted by one of the following methods:

• By the Federal eRulemaking Portal: http://www.regulations.gov at docket number [DOC–2019–0005].

• By email directly to: [email protected]. Include “RIN 0605–AA51” in the subject line.

• Instructions: Comments sent by any other method, to any other address or individual, or received after the end of the comment period, may not be considered. For those seeking to submit confidential business information (CBI), please clearly mark such submissions as CBI and submit by email, mail, or hand delivery as instructed above. Each CBI submission must also contain a summary of the CBI, clearly marked as public, in sufficient detail to permit a reasonable understanding of the substance of the information for public consumption. Such summary information will be posted on regulations.gov.

• Supporting documents:

  ◦ The Regulatory Impact Analysis is available at http://www.regulations.gov at docket number [DOC–2019–0005];

  ◦ The Center for Strategic & International Studies, “Significant Cyber Incidents 2020” is available at https://www.csis.org/programs/technology-policy-program/significant-cyber-incidents;

  ◦ The National Security Strategy of the United States is available at https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf;

  ◦ ODNI’s 2016–2019 Worldwide Threat Assessments of the U.S. Intelligence Community are available at https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20-%20Final.pdf (2017), https://www.dni.gov/files/documents/Newsroom/Testimonies/2018-ATA---Unclassified-SSCI.pdf (2018), https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf (2019); and

  ◦ The 2018 National Cyber Strategy of the United States of America is available at https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf.

FOR FURTHER INFORMATION CONTACT: Henry Young, U.S. Department of Commerce, telephone: (202) 482–0224. For media inquiries: Meghan Burris, Director, Office of Public Affairs, U.S. Department of Commerce, telephone: (202) 482–4883.

SUPPLEMENTARY INFORMATION:

I. Background

The information and communications technology and services (ICTS) supply chain is critical to nearly every aspect of U.S. national security. U.S. business and governments at all levels rely heavily on ICTS, which: Underpin our economy; support critical infrastructure and emergency services; and facilitate the Nation’s ability to store, process, and transmit vast amounts of data, including sensitive information, that is used for personal, commercial, government, and national security purposes. The ICTS supply chain must be secure to protect our national security, including the economic strength that is an essential element of our national security. Ensuring the resilience of, and trust in, our ICTS supply chain is an issue that touches upon national security, including economic security, and public health and safety.

The purchase, incorporation, and use by U.S. persons of ICTS—such as network management or data storage—produced by any person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary—can create multiple opportunities for those foreign adversaries to exploit potential vulnerabilities in the ICTS. That, in turn, could cause direct and indirect harm to both the immediate targets of the adverse action and to the United States as a whole. While attacks can originate from remote foreign sources, incorporating certain software, equipment, and products into U.S. domestic ICTS networks, as well as the use of certain cloud, network management, or other services, greatly increases the risk that potential vulnerabilities may be introduced, or that vulnerabilities may be present without being detected. These potential vulnerabilities, if exploited, could undermine the confidentiality, integrity, and availability of U.S. person data including personally identifiable information or other sensitive personal data.

Some foreign adversaries are known to exploit the sale of software and hardware to introduce vulnerabilities that can allow them to steal critical intellectual property, research results (e.g., health data), or government or financial information from users of the software or hardware. Such vulnerabilities can be introduced in the network, cloud service, or individual product data; allow traffic monitoring or surveillance; and may be resistant to detection by private purchasers or telecommunications carriers. Once detected, such vulnerabilities may be extremely costly or impossible to remediate.

Vulnerabilities to data integrity can be created by including a foreign adversary’s hardware and software into U.S. networks and systems. This incorporated hardware and software poses opportunities to add or remove important information, modify files or data streams, slow down, or otherwise modify the normal transmission or availability of data across U.S. networks. Such capabilities could be exercised in areas as diverse as financial market communications, satellite communications or control, or sensitive consumer information.

A foreign adversary could also exploit vulnerabilities provided by the incorporation of hardware and software into U.S. environments by fully or

partially closing down critical networks or functions at key times. These types of attacks are known as denial of service attacks. Such attacks could cause widespread problems, such as if they occur during periods of crisis, or they could be used selectively by targeting individual corporations or important infrastructure elements or functions. They could also be masked to make the source of the disruption difficult to attribute and, therefore, difficult to trace and stop.

These risks are not necessarily confined to infrastructure environments. They could, for example, be present in the use of cloud services, as well as in the widespread use of some consumer devices, networked surveillance cameras, drones, or interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data. For example, applications (“apps”), which may be downloaded from app stores or web browsers by a user to a mobile device, may automatically capture vast swaths of sensitive personal data from its users, including internet and other network activity information such as location data and browsing and search histories. This data exfiltration—supported by U.S. web data hosting and storage servers—threatens to allow foreign adversaries to exploit Americans’ personal and proprietary information by allowing a foreign adversary to track the locations of Americans, build dossiers of sensitive personal data for blackmail, and conduct corporate espionage from inside the borders of the United States.

Multiple reported cybersecurity incidents in the United States and among major allies in 2020 illustrate the potential risk in permitting unrestricted access to U.S. ICTS supply chains, such as:

—In July 2020, two Chinese hackers working with the Chinese Ministry of State Security were indicted by the U.S. Department of Justice for conducting a global computer intrusion campaign targeting U.S. intellectual property and confidential business information, including COVID–19 vaccine research;

—German officials announced that a Russian hacking group associated with the Federal Security Bureau had compromised the networks of energy, water, and power companies in Germany by exploiting ICTS supply chains; and

—Japan’s Defense Ministry announced it was investigating a large-scale cyber attack against Mitsubishi Electric that could have compromised details of new state-of-the-art missile designs.

See, e.g., Center for Strategic & International Studies, “Significant Cyber Incidents 2020,” available at https://www.csis.org/programs/technology-policy-program/significant-cyber-incidents.

Consequently, the President has determined that the unrestricted acquisition or use of ICTS that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.

Executive Order 13873 of May 15, 2019, “Securing the Information and Communications Technology and Services Supply Chain” (84 FR 22689) (Executive Order), was issued pursuant to the President’s authority under the Constitution and the laws of the United States, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.), and section 301 of Title 3, . IEEPA and the Executive Order grant the Secretary of Commerce (Secretary) the authority to prohibit any acquisition, importation, transfer, installation, dealing in, or use of any ICTS (an “ICTS Transaction”) by any person, or with respect to any property, subject to United States jurisdiction, when such ICTS Transaction involves any property in which a foreign country or national has any interest, and the Secretary, in consultation with other agency heads (the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission, and the heads of any other executive departments and agencies as the Secretary determines is appropriate) determines that the ICTS Transaction: (1) Involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and (2) poses an undue or unacceptable risk. Executive Order, Section 1(a). The Executive Order further provides the Secretary with the authority to prohibit such an ICTS Transaction or “design or negotiate measures to mitigate concerns” about an ICTS Transaction’s impact on national security. Executive Order, Section 1(b).

On November 27, 2019, the Department of Commerce (Department) published a proposed rule to implement the terms of the Executive Order. (84 FR 65316). The proposed rule set forth processes for (1) how the Secretary would evaluate and assess transactions involving ICTS to determine whether they pose an undue risk of sabotage to or subversion of the ICTS supply chain, or an unacceptable risk to the national security of the United States or the security and safety of U.S. persons; (2) how the Secretary would notify parties to transactions under review of the Secretary’s decision regarding the ICTS Transaction, including whether the Secretary would prohibit or mitigate the transaction; and (3) how parties to transactions reviewed by the Secretary could comment on the Secretary’s preliminary decisions. The proposed rule also provided that the Secretary could act without complying with the proposed procedures where required by national security. Finally, the Secretary would establish penalties for violations of mitigation agreements, the regulations, or the Executive Order.

In addition to seeking general public comment, the Department requested comments from the public on five specific questions: (1) Whether the Secretary should consider categorical exclusions or whether there are classes of persons whose use of ICTS cannot violate the Executive Order; (2) whether there are categories of uses or of risks that are always capable of being reliably and adequately mitigated; (3) how the Secretary should monitor and enforce any mitigation agreements applied to a transaction; (4) how the terms, “transaction,” “dealing in,” and “use of” should be clarified in the rule; and (5) whether the Department should add record-keeping requirements for information related to transactions.

In response to requests for additional time in which to comment on the proposed rule, the Department extended the initial comment period from December 27, 2019, until January 10, 2020. (84 FR 70445). As reflected herein, the Department has carefully considered and addressed the public’s comments in promulgating this rule. Nonetheless, because several commenters requested that the Department provide for an additional round of public comment, and in an effort to continue the Department’s work to protect the national security while reducing the regulatory impact on the public, the Department is taking further public comment on the rule. However, mindful of the urgent need of the United States to address national security concerns related to ICTS Transactions,

this interim final rule will be effective March 22, 2021. The Department is committed to issuing a subsequent final rule in which the Department will consider and respond to additional comments received. In addition, the Department will implement and publish procedures for a licensing process by May 19, 2021.

II. Response to Comments

During the public comment period on the proposed rule, the Department received a number of written submissions reflecting a wide range of views. All comments received by the end of the comment period are available on the public docket at https://www.regulations.gov. Additionally, the Department participated in a number of meetings with foreign governments and industry groups to discuss the proposed rule prior to the comment period ending. Summaries of those meetings are available at https://www.regulations.gov. Below, the Department addresses the comments as they pertain to each relevant provision of the .

§ 7.2 Definitions

§ 7.2—Definition of “appropriate agency heads”

Numerous comments addressed the extent to which the Department interacts with other agencies and department heads throughout the process for reviewing ICTS Transactions. Some commenters advocated for the rule to require interagency review of all parts of the investigations and final determinations, while other commenters noted that interagency review should only happen during certain parts of the review process. Other commenters requested that the Secretary notify the heads of relevant agencies when a review is initiated.

Requirements regarding interagency review are already contained within the Executive Order and, thus, are not subject to change. Nevertheless, for clarification, the Department has replaced the term “identified secretaries” with “appropriate agency heads,” to address the fact that some of the individuals referenced are not Cabinet Secretaries, but rather are heads of agencies. For clarity, the term “appropriate agency heads” refers to the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission, and the heads of any other executive departments and agencies the Secretary of Commerce determines is appropriate. The Executive Order makes clear the Secretary of Commerce will confer with other agencies and departments as needed.

§ 7.2—Definition of “Department”

Although it was not defined in the proposed rule, the Department has added a definition of the term “Department” to clarify that it refers to the United States Department of Commerce, rather than any other Cabinet-level agency.

§ 7.2—Definition of “foreign adversary”

The rule grants the Secretary the authority to block or mitigate certain ICTS Transactions involving a foreign adversary. Commenters suggested limiting the definition of a “foreign adversary” to entities already identified in legislation. Some commenters recommended changing the concept of “foreign adversary” to focus on entities or persons instead of nation-states. Other commenters suggested that the Department create a list of adversaries and a list of exempt countries and distinguish between government and non-governmental entities. Commenters also recommended narrowing the scope of the term “foreign adversary” to situations where a foreign adversary has controlling interest in the company executing the covered transaction.

The rule makes no changes to the definition of “foreign adversary,” which is consistent with the Executive Order’s definition. However, as discussed further below, the rule now includes a provision titled “Determination of foreign adversaries” in section 7.4. This provision sets out the list of foreign governments and foreign non-government persons that the Secretary has determined, solely for the purposes of the Executive Order, this rule, and any subsequent rules, are “foreign adversaries.” It also explains some of the factors that the Secretary considered, and will consider, when making any future determinations of whether a country is a “foreign adversary.” Pursuant to the Secretary’s discretion, the list of foreign adversaries will be revised as determined to be necessary. Because the determination of foreign adversaries is subject solely to the Secretary’s discretion, such revisions will be effective immediately upon publication in the Federal Register without prior notice or opportunity for public comment.

The list of “foreign adversaries” consists of the following foreign governments and non-government persons: The People’s Republic of China, including the Hong Kong Special Administrative Region (China); the Republic of Cuba (Cuba); the Islamic Republic of Iran (Iran); the Democratic People’s Republic of Korea (North Korea); the Russian Federation (Russia); and Venezuelan politician Nicolás Maduro (Maduro Regime). The provision clarifies that the Secretary’s determination is based on multiple sources, including the National Security Strategy of the United States, the Office of the Director of National Intelligence’s 2016–2019 Worldwide Threat Assessments of the U.S. Intelligence Community, and the 2018 National Cyber Strategy of the United States of America, as well as other reports and assessments from the U.S. Intelligence Community, the U.S. Departments of Justice, State and Homeland Security, and other relevant sources. Additionally, the provision notes that the Secretary will periodically review this list in consultation with appropriate agency heads and may add to, subtract from, supplement, or otherwise amend the list.

It is important to note that the list at section 7.4 identifies “foreign adversaries” solely for the purposes of the Executive Order, this rule, and any subsequent rules. It does not reflect a determination by the United States about the nature of such foreign governments or foreign non-government persons for any other purpose.

§ 7.2—Definition of “ICTS Transaction”

The proposed rule defined the term “transaction” using terms from the Executive Order, to mean, “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service.” It also noted that the term “transaction” “includes a class of transactions.”

Some commenters requested the Department refine the definition of “transaction” in various ways. For example, some commenters suggested adopting language from the Securities Exchange Act of 1934 to define some of the terms in the definition, such as “dealing in.” Others urged the Department to further clarify the definition “transaction” to define the terms “acquisition,” or “use” in the definition.

The Department acknowledges that the terms “transaction,” “acquisition,” and “use” are broad, and retain their commonly-accepted meanings in the rule. The concerns raised by the

commenters are addressed by defining the term “ICTS Transaction” to include (1) “ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download;” and (2) “any other transaction, the structure of which is designed or intended to evade or circumvent the application of the Executive Order.” The purpose of these additions is to clarify that the Secretary may review ICTS Transactions, including the provision of services, that occur on or after January 19, 2021, by any person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary. Providing services, such as software updates, to U.S. persons may provide a foreign adversary an opportunity to engage in the types of activities that may threaten U.S. national security, as described above. Further, the definition of ICTS Transaction clarifies that attempting to structure a transaction in order to circumvent Secretarial review is nonetheless an ICTS Transaction subject to this rule.

§ 7.2—Definition of “party or parties to a transaction”

Several commenters expressed an interest in the Department further clarifying what entities are covered by the rule. Further, in revising the proposed rule for finalization, the Department used the term “party to a transaction” in several instances and believes it would be beneficial to define that term. Accordingly, the rule adds a definition of “party or parties to a transaction,” to mean a person engaged in an ICTS Transaction, including the person acquiring the ICTS and the person from whom the ICTS is acquired. The term “person” is also defined by the rule and is unchanged from the proposed rule.

“Party or parties to a transaction” include entities designed or intended to evade or circumvent application of the Executive Order. For purposes of this rule, this definition does not include common carriers that transport goods for a fee on behalf of the general public, except to the extent that a common carrier knows, or should have known (as the term “knowledge” is defined in 15 CFR 772.1), it was providing transportation services of ICTS to one or more of the parties to a transaction that has been prohibited in a final written determination made by the Department or permitted subject to mitigation measures.

This addition narrows the scope of the rule by adding clarity regarding which persons are responsible for a reviewable transaction. This also affects which parties will be notified by the Department regarding any potential review of a transaction.

§ 7.2—Definition of “Person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”

In addition to defining “party or parties to a transaction,” the Department sought to add clarity to the rule by defining the phrase “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” as many commenters expressed concern that leaving such terms undefined might create confusion about the breadth of the rule’s reach. The Department defines “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” to mean “any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary; any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary; any corporation, partnership, association, or other organization organized under the laws of a nation-state controlled by a foreign adversary; and any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary.”

§ 7.2—Sensitive Personal Data

Many commenters requested additional clarity about the specific ICTS that is subject to this rule. While it is impossible to identify all of the ICTS that may present undue or unnecessary risks, the Department has defined the term, “sensitive personal data,” to identify, along with the information identified in section 7.3 of the rule, some of the types of information or communications that might be involved in an ICTS Transaction reviewed under this rule where a party or parties to a transaction use, possess, or retain, or are expected to use, possess, or retain sensitive personal data.

The term “sensitive personal data” includes: (1) Personally Identifiable Information (i.e., data that can identify individuals) that is maintained or collected by a U.S. business operating in specific areas, and that is maintained or collected on over one million people over a 12 month period; and (2) results of individual genetic testing.

The categories of identifiable data of concern to the Department are: Financial data that could be used to indicate an individual’s financial distress or hardship; the set of data included in consumer reports; the set of data used for health and certain financial insurance applications; data relating to the physical, mental, or psychological health condition of an individual; non-public electronic communication information, such as personal emails; geolocation data used in certain technologies; biometric data; data stored and processed for generating Federal, State, Tribal, Territorial, or other government identification cards; data concerning U.S. Government personnel security clearance status; and data from security clearance or employment applications.

As indicated in section 7.3, Scope, the Department believes that ICTS Transactions involving sensitive personal data could create risks for the U.S. national security and also believes it is important to specifically identify these categories of data to provide the regulated community with additional specificity and certainty as to the scope of the rule’s application.

§ 7.2—Definition of “Undue or unacceptable risk”

Commenters recommended various alternative uses for and limits on this term. For example, some suggested that the Department identify certain industries or types of transactions that do not pose a risk to national security, and that the Department should exempt certain types of transactions from the rule.

Most of the suggestions could unnecessarily limit the United States’ ability to determine its national security interests and, thus, could limit the ability to protect the Nation. However, the Department agrees the term requires definition, and in this rule adopts the definition of “undue or unacceptable risks” as those risks identified in Section 1(a)(ii) of the Executive Order. Section 1(a)(ii) of the Executive Order includes the following risks . . . an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; . . . an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or . . . an unacceptable risk to the national

security of the United States or the security and safety of United States persons.

§ 7.3 Scope of Covered ICTS Transactions

Many commenters suggested ways the Department could narrow the scope of the rule to provide more guidance for the types of transactions the Department may review. For example, commenters noted the potential impact of the proposed rule on certain types of transactions, such as transportation services of ICTS, and argued the rule would harm commenters’ industries. They also argued that the proposed rule was overly broad and that narrowing the scope would bring greater economic certainty to ICTS Transactions and the technology industry as a whole.

Other commenters sought to have the Department identify categorical exemptions for select industries, such as ICTS Transactions involving medical devices or services for air traffic control, while yet others sought to exempt transactions involving companies with their business headquarters in allied nations, such as Japan. Commenters also suggested that, provided appropriate cybersecurity mitigation techniques exist, transactions involving otherwise banned equipment should be exempted from this rule.

The Department concludes that categorical exemptions of specific industries or geographic locations are unwarranted at this time, although the Secretary may consider this possibility in the future. Wholesale exemptions of industries and geographic locations would not serve the rule’s intended purpose of securing the ICTS supply chain because such exemptions would contradict the Department’s evaluation method for ICTS Transactions. Such exemptions would indicate to foreign adversaries whole classes of ICTS Transactions outside the scope of evaluation under this rule. This would allow foreign adversaries to pinpoint certain types of ICTS Transactions that would more easily escape Departmental oversight and, therefore, threaten U.S. national security. By retaining broad authority across industries, the Department will be better able to mitigate identified risks.

While the rule does not contain categorical exemptions of specific industries or geographic locations, the rule now specifies that ICTS Transactions that involve certain technologies, hardware, or software will be considered to be covered ICTS Transactions. Additionally, the rule does make clear that, as further discussed below, the acquisition of ICTS items by a United States person as a party to a transaction authorized under a U.S. government-industrial security program, is not an ICTS Transaction. Additionally, the Department acknowledges that ICTS Transactions solely involving personal ICTS hardware devices, such as handsets, do not warrant particular scrutiny.

§ 7.3—Technology Sectors

Many commenters requested that the Department identify those technologies or products that the Department considers create the greatest risks to the national security of the United States. The Department understands the desire for additional certainty and broke down the scope of technologies included under the scope of this rule into six main types of ICTS Transactions involving: (1) ICTS that will be used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21—Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors; (2) software, hardware, or any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul systems; (3) software, hardware, or any other product or service integral to data hosting or computing services that uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data on greater than one million U.S. persons at any point over the twelve months preceding an ICTS Transaction; (4) certain ICTS products which greater than one million units have been sold to U.S. persons at any point over the twelve months prior to an ICTS Transaction; (5) software designed primarily for connecting with and communicating via the internet that is in use by greater than one million U.S. persons at any point over the twelve months preceding an ICTS Transaction; (6) ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.

§ 7.3—Licensing Process for Potential Transactions

Many commenters requested that the Department establish a process for entities to seek pre-approval of their ICTS Transactions, similar to the process by which entities may inform the Committee on Foreign Investment in the United States (CFIUS) of investments in U.S. businesses, and obtain “safe harbor” for those transactions. Commenters argued that such a process would help ease business uncertainty in specific cases.

To afford parties greater certainty, within 60 days of the publication date of this rule, the Department intends to publish procedures to allow a party or parties to a proposed, pending, or ongoing ICTS Transaction to seek a license, pursuant to Section 2(b) of the Executive Order, in a manner consistent with the national security of the United States. Within 120 days of the publication date of this rule, the Department intends to implement this licensing process. The published procedures will establish criteria by which persons may seek a license to enter into a proposed or pending ICTS Transaction or engage in an ongoing ICTS Transaction. Persons who may seek a license will include any parties to a proposed, pending, or ongoing ICTS Transaction as that term is defined in this rule. License application reviews will be conducted on a fixed timeline, not to exceed 120 days from accepting a license application, to enable qualifying parties to conclude permissible transactions without undue delay. If the Department does not issue a license decision within 120 days from accepting a license application, the application will be deemed granted. In no event, however, would the Department issue a license decision on an ICTS Transaction that would reveal sensitive information to foreign adversaries or others who may seek to undermine U.S. national security. Qualifying parties may voluntarily apply for a license, and a party’s decision not to seek a license will not create a negative inference or unfavorable presumption with respect to a transaction.

§ 7.3—Presidential Policy Directive 21—Critical Infrastructure Security and Resilience

Regarding the Department’s assessment of undue and unacceptable risk, commenters suggested that the Department create risk criticality categories for transactions, such as low, medium, and high, along with different assessment approaches. Other commenters advocated using risk scores or categories to determine the frequency and rigor of monitoring.

The Department agrees that the scope of the rule could be narrowed to indicate more specifically the types of ICTS Transactions that may be reviewed. Accordingly, the Department clarifies that ICTS Transactions include those that involve, among other aspects, a sector designated as critical

infrastructure by Presidential Policy Directive 21—Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors. As explained below, the Department has also clarified that transactions involving certain sensitive personal data, regardless of whether they involve a critical infrastructure sector, will be considered ICTS Transactions for the purposes of the rule.

§ 7.3—Exclusions

Many commenters sought clarity about the relationship of this rule to the rules relating to CFIUS’s review of transactions. In response, the Department is clarifying that this rule does not apply to an ICTS Transaction that CFIUS is actively reviewing, or has reviewed, as a covered transaction or covered real estate transaction or as part of such a transaction under section 721 of the Defense Production Act of 1950, as amended, and its implementing regulations. Note, however, that a transaction involving ICTS that is separate from, and subsequent to, a transaction for which CFIUS has concluded action under section 721 may be subject to review under this rule, if and to the extent that such transactions are separate from the transaction reviewed by CFIUS. Parties should therefore be aware that CFIUS review related to a particular ICTS, by itself, does not present a safe harbor for future transactions involving the same ICTS that may present undue or unnecessary risks as determined by the Department.

§ 7.3—Exclusions of ICTS Transactions

Commenters requested categorical exclusions across many sectors, industries, functions, and nations. The Secretary recognizes the need to be judicious and deliberate in deciding what types of ICTS Transactions pose an undue or unacceptable risk. To that end, the rule excludes from the scope of the rule those transactions that involve the acquisition of ICTS items by a United States person as a party to a transaction authorized under a U.S. Government-industrial security program, because they are subject to continuous security oversight by, and contractual obligations to, other Federal agencies.

§ 7.3—Retroactivity of Rule’s Applicability

Some commenters argued that the rule should not apply to transactions that took place prior to May 15, 2019, when the Executive Order was issued. Other commenters advocated for the complete elimination of the proposed rule’s retroactivity provisions, and proposed the Department only evaluate potential transactions prospectively. Other commenters proposed grandfathering some ICTS equipment for a predetermined duration, potentially up to 10 years. In reviewing these comments and the proposed rule, the Department determined that the temporal limits of the rule’s application could be clarified.

In response to these comments, the Department has clarified, in section 7.3(a)(3), that the rule applies to an ICTS Transaction that is initiated, pending, or completed on or after January 19, 2021. Further, any act or service with respect to an ICTS Transaction, such as execution of any provision of a managed services contract or installation of software updates, is an ICTS Transaction on the date that the service or update is provided. Thus, if a person that is owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary engages in an ICTS Transaction with a person subject to the jurisdiction of the United States on or after January 19, 2021, even if the service was provided pursuant to a contract initially entered into prior to January 19, 2021, that transaction is an ICTS Transaction that may be reviewed under this rule. The service is a new transaction separate from the underlying contract that will be subject to review by the Secretary.

§ 7.4 Determination of Foreign Adversaries

As noted above, many commenters requested the Department identify those countries that it considers to be ‘‘foreign adversaries.’’ Naming these countries, the commenters argued, would facilitate global trade by allowing U.S. businesses to assess the risks of certain types of ICTS Transactions from certain countries. It would also allow companies to adjust their supply chains to avoid the risks in such transactions, including the risk of an ICTS Transaction being reviewed, and possibly prohibited or modified, under this rule. Several commenters also noted that defining ‘‘foreign adversaries’’ would help determine, and possibly reduce, the adverse economic impact the rule may have on businesses through better business planning.

In response to these comments, the Department reconsidered its prior determination not to identify specific ‘‘foreign adversaries.’’ The Department has determined that it is beneficial for the clarity of the rule, as well as for persons with ICTS Transactions that may be subject to the rule, to identify certain foreign governments and foreign non-government persons that are considered, solely for the purposes of the Executive Order, this rule, and any subsequent rules, to be ‘‘foreign adversaries.’’ The list of foreign governments and foreign non-government persons this rule identifies as being ‘‘foreign adversaries’’ are: The People’s Republic of China, including the Hong Kong Special Administrative Region (China); the Republic of Cuba (Cuba); the Islamic Republic of Iran (Iran); the Democratic People’s Republic of Korea (North Korea); the Russian Federation (Russia); and Venezuelan politician Nicolás Maduro (Maduro Regime). The Secretary identified these foreign adversaries because they have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons, including taking actions and enacting policies that are inimical to the interests of the United States.

The determination to identify these ‘‘foreign adversaries’’ is based on multiple sources, including threat assessments and reports from the U.S. Intelligence Community, the U.S. Departments of Justice, State, and Homeland Security, and other relevant sources. Additionally, the Secretary will periodically review this list in consultation with appropriate agency heads and may add to, subtract from, supplement, or otherwise amend the list. Accordingly, this list may be revised at any time in the future. Any such changes will be announced in the Federal Register.

It is important to note that the list is solely for the purposes of the Executive Order, this rule, and any subsequent rules and does not reflect a determination by the United States about the nature of such foreign governments and foreign non-government persons for any purposes other than that ICTS Transactions with persons (as defined in this rule) owned by, controlled by, or subject to the jurisdiction or direction of an identified foreign adversary may pose an undue or unacceptable risk. Further, the rule states that any amendment to this list will apply to any ICTS Transaction that is initiated, pending, or completed on or after the date that the list is amended.

§ 7.5 Effect on Other Laws

Many commenters suggested that this rule should not apply if overlapping and existing U.S. authorities are in force, referencing in particular existing national security regulatory regimes. Specifically, commenters pointed to CFIUS; authorities under various National Defense Authorization Acts;
the Export Administration Regulations; the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (i.e., Team Telecom); and other programs under the authority of the Federal Communications Commission, the Department of Homeland Security, and the Office of the Director of National Intelligence. Other commenters recommended exempting equipment provided by companies involved in mitigation agreements with the Federal Government.

This rule does not alter or affect any of these existing authorities; it is intended to complement, not supplant, these existing regimes. However, the Department understands the need for regulatory and business certainty, and in the interest of not duplicating efforts by other parts of the U.S. Federal government, the rule states that it does not apply to ICTS Transactions that CFIUS is actively reviewing, or has reviewed, as a covered transaction or covered real estate transaction or as part of such a transaction under section 721 of the Defense Production Act of 1950, as amended, and its implementing regulations. However, this exclusion in no way precludes a review of a subsequent ICTS Transaction if distinct from the previously CFIUS-reviewed transaction or new information is discovered.

Other provisions of the rule provide additional means of ensuring that any action taken by the Secretary neither conflicts with nor frustrates the purposes of other existing laws, regulations or processes. Thus, there are two separate points during the review process at which the Secretary is expressly required to consult with appropriate agency heads: before making an initial determination that the transaction is an ICTS Transaction that poses an undue or unacceptable risk (section 7.104) and before making a final determination (section 7.108). In requiring that the Secretary consult with other agency heads, the rule provides for a coordination mechanism with other agencies and Departments that have potentially overlapping jurisdiction. For example, before making an initial determination concerning a transaction, the review of which might potentially overlap with a review under CFIUS, the Secretary is required to consult with, among others, the Secretary of the Treasury, who serves as the Chairperson of CFIUS, thereby helping to ensure coordination and avoid redundancy.

In addition, section 7.100(a) of the rule provides that the Secretary may consider all relevant information provided by any U.S. Government national security body or other Federal Government agency, department or regulatory body in determining what action may be necessary to ameliorate a threat posed by an ICTS Transaction.

Subpart B—Review of ICTS Transactions

Commenters largely recommended the final rule clarify the review process, requesting the specific criteria the Department will use to review transactions. As a whole, Subpart B adds a more detailed review process, as requested by commenters.

§ 7.100 General

§ 7.100(a)—Consideration of Relevant Information

Many commenters sought clarity as to the type of information on which the Secretary could base a determination to commence an evaluation of a transaction. In response to these comments, section 7.100(a) identifies sources or information, factors, and other variables related to a transaction that the Secretary may consider when reviewing a transaction. This list is non-exclusive and does not prevent the Secretary from reviewing any available information; the list is intended to provide parties to transactions with greater clarity about the types of materials on which the Secretary may rely when deciding whether to review (and during that review of) a transaction.

The rule states that the Secretary may consider information provided by any U.S. Government national security body or other Federal agencies. In addition, the rule clarifies that the Secretary, when making determinations about specific transactions, may also consider information that includes: (1) Relevant public information; (2) confidential business or proprietary information; (3) classified national security information; (4) information from State, local, tribal, or foreign governments; (5) information from parties to a transaction, including records related to such transaction that any party keeps or uses, or would be expected to keep or use, in their ordinary course of business for such a transaction; (6) information obtained through the authority granted under sections 2(a) and (c) of the Executive Order and IEEPA; and (7) information provided by any other U.S. Government agency, department, or other regulatory body.

The rule further revises section 7.100(a) to specify that information may be obtained through any administrative investigative or enforcement action undertaken pursuant to the authority granted under sections 2(a) and (c) of the Executive Order and IEEPA. The purpose of this clarification is to set out precisely the authorities that grant the Secretary the power to access and collect documents related to investigations and determinations of potentially prohibited transactions.

§ 7.100(c)—Determining Foreign Adversary Involvement

In order to provide industry with more clarity regarding the determination of whether an ICTS Transaction involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, the Department added guidance about what information it will consider when making these decisions. These factors include: (1) Whether the party or its component suppliers have headquarters, research, development, manufacturing, test, distribution, or service facilities or other operations in a foreign country, including one controlled by a foreign adversary; (2) personal and professional ties between the party—including its officers, directors or similar officials, employees, consultants, or contractors—and any foreign adversary; (3) laws and regulations of the foreign adversary in which the party is headquartered or conducts operations, including research and development, manufacturing, packaging, and distribution; and (4) any other criteria that the Secretary deems appropriate.

§ 7.100(d)—Factors for Determining an Undue or Unacceptable Risk

Commenters also requested additional information from the Department about how it will determine whether an ICTS Transaction poses an undue or unacceptable risk. Along with listing factors to help determine the relationship between a foreign party to an ICTS Transaction and a foreign adversary, the Department has provided guidance on some of the information that the Secretary, in consultation with the appropriate agency heads, will consider when determining the impact of an ICTS Transaction on U.S. national security.

Specifically, when determining whether an ICTS Transaction poses an undue or unacceptable risk, the Secretary and the appropriate agency heads will consider factors such as: (1) Threat assessments and reports prepared by the Director of National Intelligence pursuant to section 5(a) of the Executive Order; (2) removal or exclusion orders issued by the Secretary
of Homeland Security, the Secretary of Defense, or the Director of National Intelligence (or their designee) pursuant to recommendations of the Federal Acquisition Security Council, under 41 U.S.C. 1323; (3) relevant provisions of the Defense Federal Acquisition Regulation and the Federal Acquisition Regulation, and their respective supplements; (4) entities, hardware, software, and services that present vulnerabilities in the United States as determined by the Secretary of Homeland Security pursuant to section 5(b) of the Executive Order, Department of Homeland Security Cybersecurity and Infrastructure Security Agency, ‘‘Information and Communications Technology Supply Chain Risk Management Task Force: Interim Report,’’ September 18, 2019; (5) actual and potential threats to execution of a ‘‘National Critical Function’’ identified by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency; (6) the nature, degree, and likelihood of consequence to the United States public and private sectors that could occur if ICTS vulnerabilities were to be exploited; and (7) any other source or information that the Secretary deems appropriate.

§ 7.100(d)—Risk Management

The Department specifically requested comments on transactions that could present an undue or unacceptable risk, but where that risk could be reliably and adequately mitigated or prevented. Commenters suggested creating national security risk categories for transactions and providing assurance that the Secretary would impose the least intrusive measures to mitigate transactions in each category. Other commenters advocated creating risk categories or bands with different assessment approaches. The Department did not adopt these suggestions. ICTS Transaction reviews are made on a case-by-case basis. Therefore, categorically labeling transactions with pre-determined mitigation requirements would effectively counteract that individualized approach and may result in ICTS Transactions proceeding that otherwise should have been reviewed, and possibly prohibited or mitigated.

In determining whether an ICTS Transaction poses an undue or unacceptable risk, the rule clarifies the risk factors the Secretary, in consultation with the appropriate agency heads, may consider. Specifically, the Secretary may consider: (1) Threat assessments and reports prepared by the Director of National Intelligence pursuant to section 5(a) of the Executive Order; (2) removal or exclusion orders issued by the Secretary of Homeland Security, the Secretary of Defense, or the Director of National Intelligence (or their designee) pursuant to recommendations of the Federal Acquisition Security Council, under 41 U.S.C. 1323; (3) relevant provisions of the Defense Federal Acquisition Regulation and the Federal Acquisition Regulation, and their respective supplements; (4) entities, hardware, software, and services that present vulnerabilities in the United States as determined by the Secretary of Homeland Security pursuant to section 5(b) of the Executive Order, Department of Homeland Security Cybersecurity and Infrastructure Security Agency, ‘‘Information and Communications Technology Supply Chain Risk Management Task Force: Interim Report,’’ September 18, 2019; (5) actual and potential threats to execution of a ‘‘National Critical Function’’ identified by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency; (6) the nature, degree, and likelihood of consequence to the United States public and private sectors that could occur if ICTS vulnerabilities were to be exploited; and (7) any other source or information that the Secretary deems appropriate.

§ 7.101 Information To Be Furnished on Demand

The proposed rule contemplated that individuals might be requested to furnish the Secretary with information related to a transaction under review. Section 7.101 in this rule clarifies that, under the Secretary’s authority pursuant to IEEPA, persons may be required to furnish under oath complete information relative to any ICTS Transaction under review. The Secretary may require that such reports include the production of any books, contracts, letters, papers, or other hard copy or electronic documents relating to any such act, transaction, or property, in the custody or control of the persons required to make such reports. Reports may be required either before, during, or after an ICTS Transaction under review. Additionally, under the authorities provided by IEEPA, the Secretary may, through any person or agency, conduct investigations, hold hearings, administer oaths, examine witnesses, receive evidence, take depositions, and require by subpoena the attendance and testimony of witnesses and the production of any books, contracts, letters, papers, and other hard copy or electronic documents relating to any matter under investigation.

§ 7.102 Confidentiality of Information

The proposed rule requested comments and recommendations from stakeholders on additional recordkeeping requirements for information related to transactions. Most commenters focused on the confidentiality and the public availability of any information received. Commenters strongly advocated that the Department protect confidential or proprietary business information when making or publishing reports. Some commenters advocated for more open publication of these reports, and how each threat was mitigated or eliminated.

To address these concerns and provide additional certainty for entities required to produce documents related to transactions, the rule clarifies the Department’s responsibility to preserve the confidentiality of information requested by the Department. Specifically, the rule provides that information or documentary materials that are not otherwise publicly or commercially available, submitted or filed with the Secretary under this part, will not be released publicly except to the extent required by law. However, the Secretary may disclose information or documentary materials, not otherwise publicly or commercially available: (1) Pursuant to any administrative or judicial proceeding; (2) pursuant to an ; (3) pursuant to a request from any duly authorized committee or subcommittee of Congress; (4) pursuant to a request to any domestic governmental entity, or to any foreign governmental entity of a United States ally or partner, information or documentary materials, not otherwise publicly or commercially available and important to the national security analysis or actions of the Secretary, but only to the extent necessary for national security purposes, and subject to appropriate confidentiality and classification requirements; (5) where the parties or a party to a transaction have consented the information or documentary materials not otherwise publicly or commercially available may be disclosed to third parties; and (6) any other purpose authorized by law. These provisions largely incorporate the record release requirements of the Freedom of Information Act, 5 U.S.C. 552. While the Department will, as always, seek to protect business and other confidential information provided by parties, parties providing such information in response to this rule must clearly mark those documents as business or other confidential.

§ 7.103 Initial Review of ICTS Transactions

Many commenters addressed the manner in which an ICTS Transaction could be identified to the Secretary as a transaction that should be reviewed. In particular, many commenters sought clarity on the proposed provision that the Secretary could commence evaluations of transactions based on information received from private parties ‘‘that the Secretary determines to be credible.’’ The commenters requested clear guidance on what types of information, or parties, the Secretary would deem credible. Additionally, several commenters noted that such a provision might incentivize parties to engage in anti-competitive behavior that would not necessarily lead to identifying transactions posing risks to national security. In light of these comments and concerns, the rule clarifies that the Secretary may consider any referral for review of a transaction (referral): (1) Upon receipt of any information identified in section 7.100(a); (2) upon written request of an appropriate agency head; or (3) at the Secretary’s discretion. Following receipt of a referral, the Secretary will assess whether the referral falls within the scope of § 7.3(a) and involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, and determine whether to: (1) Accept the referral and commence an initial review of the transaction; (2) request additional information, as identified in § 7.100(a), including information from the referring entity regarding the referral; or (3) reject the referral.

Several commenters requested the rule establish clearer procedures for how the Secretary will review ICTS Transactions. Commenters also advocated for differing determination timeframes, deadlines, or milestones based on device nature, threat severity, equipment replacement risks, and other potential harms.

In response to these and other comments, the Department provides that, unless the Secretary determines in writing that additional time is necessary, the Secretary shall issue the final determination within 180 days of accepting a referral and commencing the initial review of the ICTS Transaction.

Regarding the procedures for the Secretary’s review of ICTS Transactions, the Executive Order provides a careful process for the Secretary’s decision-making. The rule further sets out the factors that the Secretary will consider to assist the decision-making process. Specifically, the rule provides that the Secretary shall assess whether the ICTS Transaction: Falls within the scope of § 7.3(a) of the rule; involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and poses an undue or unacceptable risk. The Secretary will evaluate each transaction, on a case-by-case basis, based upon the particular facts and circumstances, including the identity of the parties involved.

The rule also further articulates what the Secretary will consider when determining whether an ICTS Transaction poses an undue or unacceptable risk. The Department has identified ten criteria for such determinations. Along with other factors, when determining if an ICTS Transaction poses an undue or unacceptable risk, the Secretary will consider the nature of the information and communications technology or services at issue in the ICTS Transaction, including technical capabilities, applications, and market share considerations; the nature and degree of the direction or jurisdiction exercised by the foreign adversary over the design, development, manufacture, or supply at issue in the ICTS Transaction; and the statements and actions of the foreign adversary at issue in the ICTS Transaction. Other considerations include whether the ICTS Transaction poses a discrete or persistent threat and the nature of the vulnerability implicated by the ICTS Transaction.

§ 7.104 First Interagency Consultation

The Department has clarified that the Secretary will consult with the appropriate agency heads after finding that an ICTS Transaction may fall within the scope of the Executive Order.

§ 7.105 Initial Determination

This rule clarifies that if, after review of an ICTS Transaction and consultation with the appropriate agency heads, the Secretary determines that such ICTS Transaction meets the criteria in section 7.103(c) of the rule, the Secretary shall then issue an initial written determination explaining the finding and whether the Secretary has determined to prohibit or propose mitigation measures to the ICTS Transaction at issue. The initial determination will contain no confidential information, even if such was relied upon to make the initial determination. Notice of this initial determination shall be served upon the parties to the ICTS Transaction known to the Secretary at the time of service. Service may be made by registered U.S. mail, facsimile, electronic transmission, or third-party commercial carrier, to an addressee’s last known address or by personal delivery. Service of documents will be considered effective upon the date of postmark, facsimile transmission, delivery to third party commercial carrier, electronic transmission or upon personal delivery. Notice of the initial determination to the parties may also be accomplished by publication in the Federal Register where the Secretary determines that the initial determination concerns or could impact entities beyond the parties to the ICTS Transaction, where one or more of the parties to the ICTS Transaction are unknown to the Secretary, or in any other circumstance at the Secretary’s discretion.

§ 7.106 Retention of Records

The proposed rule requested public comments on whether to require parties to undertake additional recordkeeping for information related to transactions. Some commenters argued that the Department should not impose additional recordkeeping requirements. Additionally, some commenters suggested that the recordkeeping requirement begin upon receipt of a transaction notice, rather than being an ongoing duty for any potentially prohibited ICTS Transaction.

After reviewing these comments, and consistent with IEEPA, the rule provides that, after receiving notification that an ICTS Transaction is under review or that an initial determination concerning an ICTS Transaction has been made, a notified person must immediately take steps to retain any and all records related to such transaction.

§ 7.107 Procedures Governing Response and Mitigation

Commenters requested that the final rule explain how the Secretary’s determinations may be ‘‘appealed’’ and how mitigation agreements will be reached and enforced. Commenters also sought more robust procedures for waivers, appeals, and mitigation. The proposed rule had provided that, within 30 days of a preliminary determination by the Secretary that a transaction was an ICTS Transaction that would pose an undue or unacceptable risk to the U.S. national security, parties to that transaction could submit a response to the decision. The proposed rule also allowed the Secretary to require a transaction be mitigated to reduce the risks the Secretary identified in the preliminary determination.


In response to these comments, the Department has added provisions to enhance and clarify when and how parties to an ICTS Transaction that is the subject of an initial determination may engage with the Secretary about the initial determination. The rule establishes a clear process for responding to an initial determination concerning an ICTS Transaction and provides further guidance on how any identified risks may be mitigated so that an identified ICTS Transaction may proceed. Similar to the proposed rule, within 30 days of being notified of an initial determination, pursuant to section 7.105 of the rule, parties to that transaction may respond to the initial determination or assert that the circumstances leading to the initial determination no longer apply. A party may submit arguments or evidence in support of their response and may also propose remedial steps that the party believes would negate the basis for the Secretary’s initial determination. The rule also allows parties to an ICTS Transaction that is subject to an initial determination to request a meeting with the Department, which may be granted at the Secretary’s discretion. Additionally, the rule clarifies that if the parties to an ICTS Transaction do not submit a response to the Secretary’s initial determination within 30 days following service of the initial determination, that initial determination will become final.

Other commenters recommended the adoption of an appeals process for parties notified of a final determination. The Department has adopted a process for reconsidering an initial determination by the Secretary. However, an administrative appeals process would hinder the Secretary’s ability to move swiftly to prevent an undue or unacceptable risk.

Some commenters also requested that the Department establish a maximum life span for imposed mitigations, arguing that such a rule would reduce the inhibiting effects that mitigations would have on ICTS innovation. The Department disagrees with commenters, finding that such a clause would prevent the Department from evaluating the mitigations put in place on ICTS Transactions. Failing to reevaluate would effectively limit mitigation requirements and potentially reopen national security vulnerabilities.

§ 7.108 Second Interagency Consultation

The proposed rule set out the review process that must be followed before the Secretary issues a final determination that constitutes a final agency action. The process involved response periods, as well as possible extensions, given to any party affected by a preliminary determination. Commenters addressed communications regarding initial and final determinations within the context of this process. Some commenters suggested that the Secretary should collaborate with private industry when making determinations, similar to the process within the Department of Homeland Security’s Supply Chain Risk Management Task Force. Similar comments were received advocating for the establishment of a mechanism for industry to seek guidance on specific work programs or participants involved.

The Department has declined to add specific provisions relating to collaborating with industry on ICTS Transaction determinations. However, in consideration of these comments there is now a provision explaining what factors and sources the Secretary will take into consideration during the second consultation. Specifically, the Secretary will take into account the views of the appropriate agency heads, through the interagency consultation processes. In providing their views, the appropriate agency heads may consider the perspective of relevant public-private working groups and advisory committees with which they convene or engage. For instance, DHS’s views could incorporate input from the Supply Chain Risk Management Task Force. The Department also points out that it maintains a number of advisory committees that provide regular opportunities for industry and the regulated community to provide feedback to the Department on issues impacting their operations. Under the Secure and Trusted Communications Networks Act of 2020, the National Telecommunications and Information Administration is also charged with establishing a program to share supply chain risk information with telecommunication providers and manufacturers.

Commenters also requested that the Department explain whether and how the Secretary’s determinations may be appealed or reviewed by another authority. This rule adds a provision that, should any appropriate agency head oppose the Secretary’s proposed final determination, the Secretary shall notify the President of the Secretary’s proposed final determination and such opposition. After receiving direction from the President regarding the Secretary’s proposed final determination and any appropriate agency head’s opposition thereto, the Secretary shall issue a final determination pursuant to § 7.109.

Additionally, the Department will implement, within 120 days of publishing this rule, procedures for how parties to a proposed, pending, or ongoing ICTS Transaction may seek a license, pursuant to Section 2(b) of the Executive Order, in a manner consistent with the national security of the United States.

As noted above, after reviewing an ICTS Transaction that the Secretary believes may pose an undue or unacceptable risk, the Secretary will engage in a first interagency consultation with the appropriate agency heads to discuss the ICTS Transaction and the Secretary’s concerns. Following that consultation, the Secretary will make an initial determination and, if that decision includes a determination to prohibit an ICTS Transaction, will notify the parties to the transaction of the Secretary’s initial determination. After the parties are afforded an opportunity to respond to the initial determination and propose mitigation measures, the Secretary will engage in a second interagency consultation with the appropriate agency heads, to discuss the transaction, the initial determination, and any response. This process will help ensure that all information regarding ICTS Transactions and the views of the appropriate agency head are considered when the Secretary makes a final determination.

§ 7.109 Final Determination

As noted above, the Department appreciates the comments requesting additional clarity on the process by which the Secretary will make decisions about ICTS Transactions. The rule now provides a specific step for issuing final determinations on ICTS Transactions. The outcome of a final determination remains unchanged from the proposed rule and will provide that an ICTS Transaction is either: (1) Prohibited; (2) not prohibited; or (3) permitted pursuant to the adoption of agreed-upon mitigation measures. Moreover, the rule clarifies that the written final determinations will include directions on the timing and manner of cessation of a prohibited ICTS Transaction, as applicable, along with the penalties, as authorized by IEEPA, for violations of applicable mitigation terms or other direction or prohibition issued under this rule. The final determination will provide a specific description of the prohibited ICTS Transaction and shall be limited in force to the circumstances described therein. Moreover, if the Secretary determines that an ICTS Transaction is prohibited, the final determination shall direct the least


restrictive means that the Secretary, in the Secretary’s discretion, determines to be necessary to attenuate or alleviate the undue or unacceptable risk posed by the ICTS Transaction.

§ 7.109(c)—Notification of Final Determination

Commenters also provided a number of suggestions on how to further ensure the Secretary is held accountable for his or her actions under the authority of this rule. Recommendations include limiting the Secretary’s ability to assign a designee with final decision-making authority and deleting the emergency action provision set forth in section 7.100(f) of the proposed rule. These suggestions are intended to ensure that Congress can hold the executive branch accountable for enforcement actions.

In response to these comments, the final rule enhances transparency by requiring final written determinations to be published in the Federal Register, where they are readily accessible to both the Congress and the public. Moreover, the rule now clarifies that the publication shall omit any confidential business information.

§ 7.200 Penalties

Commenters requested the final rule clarify the type and scope of penalties for noncompliance with the Secretary’s prohibition or mitigation of a transaction. We agree with commenters that the type and scope of the penalties for noncompliance were unclear, and the section has been revised accordingly. The rule now clarifies that any person who commits a violation of any final determination, direction, or mitigation agreement may be liable to the United States for civil or criminal penalties under IEEPA.

Other Comments

The Department received other comments with which the Department disagrees. The Department responds to those comments below.

First, one commenter requested that the Department expand the meaning of the term “electronic means” within the definition of ICTS. While the Department cannot modify the definition of ICTS contained in the Executive Order, the Department clarifies that “electronic means” includes electromagnetic, magnetic, and photonic means. This change is not intended to widen the scope of the rule, but merely to clarify the means by which ICTS must function in order for the rule to apply.

Second, some commenters requested that the Department provide technical assistance for parties forced to alter ICTS infrastructure. However, the Department is unable to offer technical assistance at this time. Accordingly, the Department declines to implement any provision for technical assistance in the rule, and the parties to the transaction will bear the responsibility and cost of complying with any prohibition or mitigation measure.

Third, one commenter argued that the rule imposes an unfunded mandate on the private sector, within the meaning of the Unfunded Mandates Reform Act of 1995, Public Law 104–4 (UMRA), contrary to the determination made by the Department in the proposed rule. The commenter further argued that UMRA requires that before the rule becomes final, the Department must include in the rule a written statement assessing the costs and benefits of the rule, and estimates of future compliance costs, as required by UMRA. The Department continues to believe that the rule does not constitute a “Federal private sector mandate” as defined by UMRA, in that the rule does not impose “an enforceable duty” upon the private sector. See 2 U.S.C. 658(7). Rather, the rule sets out the processes and procedures that the Secretary of Commerce will use to identify, assess, and address certain transactions, including classes of transactions. However, as the commenter notes, when a rule does constitute a “Federal private sector mandate,” UMRA requires the agency prepare a written statement containing information about the costs and benefits of the mandate, including, where feasible, future compliance costs, 2 U.S.C. 1532, as well as that the agency identify and consider regulatory alternatives and select the least costly, most cost-effective, or least burdensome alternative that achieves the objectives of the rule, 2 U.S.C. 1535. Thus, even in the event that the rule were considered to constitute a federal private sector mandate, the Department has met these requirements in full through the preparation of the accompanying Regulatory Impact Analysis.

Changes From the Proposed Rule

Upon consideration of the public comments received, the Department makes several changes, as discussed in detail above, from the proposed rule in order to increase clarity and certainty for the public. First, the rule provides detail on the procedures the Secretary will follow when reviewing ICTS Transactions, including identifying the criteria and information the Secretary will consider. For example, the rule provides clarity as to when the Secretary will consult with the appropriate agency heads as part of the review and determination process. Second, the rule details the requirements for responding to initial determinations. Third, the rule clarifies that parties may respond to an initial determination or seek to negotiate a mitigation agreement with the Secretary. Fourth, the rule now provides that unless the Secretary determines in writing that additional time is necessary, the Secretary shall issue a final determination within 180 days of accepting a referral and commencing the initial review of an ICTS Transaction, eliminating the uncertainty of an open-ended review process. Fifth, the rule ensures transparency by specifically requiring the Secretary to publish the results of final determinations, absent any confidential business information, in the Federal Register. Sixth, the rule now specifies that an ICTS Transaction between parties outside of a sector designated as critical infrastructure must involve a clearly specified technology or service in order to be considered a covered ICTS Transaction.

Additionally, in response to commenters seeking clarity regarding the scope of the rule, including numerous requests for the identification of “foreign adversaries,” the Department defines certain terms. The added definitions help to clarify the scope of the rule by providing guidance on which entities may be subject to the rule, what constitutes an ICTS Transaction, and whether an ICTS Transaction involves a foreign adversary. This additional clarity will assist entities with making appropriate decisions regarding ICTS Transactions that may present risks to the national security, therefore helping to protect the United States’ ICTS supply chain.

Classification

A. Executive Order 12866 (Regulatory Policies and Procedures)

Pursuant to the procedures established to implement Executive Order 12866, the Office of Management and Budget has determined that this rule is economically significant.

B. Executive Order 13771 (Reducing Regulation and Controlling Regulatory Costs)

This rule is not subject to the requirements of Executive Order 13771 because the benefit-cost analysis demonstrates that the regulation is anticipated to improve national security as its primary direct benefit.

ICTS has become integral to the daily operations and functionality of U.S. critical infrastructure, as well as much,


if not most, of U.S. industry. Moreover, ICTS accounts for a large part of the U.S. economy. Accordingly, if vulnerabilities in the ICTS supply chain—composed of hardware, software, and managed services from third-party vendors, suppliers, service providers, and contractors—are exploited, the consequences can affect all users of that technology or service, potentially causing serious harm to critical infrastructure, U.S. Government operations, and disrupting the United States and the global economy. These harms are already occurring. As noted in Executive Order 13873, “foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services.”

U.S. entities purchasing and incorporating ICTS equipment and using ICTS services, such as network management or data storage, provided by foreign adversaries can create multiple opportunities for foreign adversaries to exploit potential vulnerabilities in the ICTS. That, in turn, could cause direct and indirect harm to both the immediate targets of the adverse action and to the United States as a whole. Incorporation of a foreign adversary’s software, equipment, and products into domestic ICTS networks, as well as the use of foreign cloud, network management, or other services, greatly increases the risk that potential vulnerabilities may be introduced, or that they may be present without being detected. These potential vulnerabilities are often categorized under the general concepts of threats to privacy, data integrity, and denial of service.

Some foreign actors are known to exploit the sale or lease of software and hardware to introduce vulnerabilities that can allow them to steal critical intellectual property, research results (e.g., health data), or government or financial information from users of the software or hardware. Such vulnerabilities can be introduced at the network, cloud service or individual product data, allow traffic monitoring or surveillance, and may be resistant to detection by private purchasers or telecommunications carriers. Once detected, the existence of such vulnerabilities may be extremely costly or impossible to remediate.

Vulnerabilities to data integrity can be created by including an adversary’s hardware and software into U.S. networks and systems. This incorporated hardware and software could then pose opportunities to add or remove important information, modify files or data streams, slow down, or otherwise modify the normal transmission or availability of data across U.S. networks. Such capabilities could be exercised in areas as diverse as financial market communications, satellite communications or control, or other sensitive consumer information. Privileged access to market movement and trends, or other manipulation, could disrupt and harm the operation of major exchanges.

A foreign adversary could also effectively deny access to critical services by exploiting vulnerabilities provided by the incorporation of hardware and software into U.S. environments, fully or partially shutting down critical networks or functions at key times. These types of attacks are known as denial of service attacks. Such attacks could cause widespread problems, such as if they occur during periods of crisis, or they could be used selectively by targeting individual corporations, infrastructure elements, or other important infrastructure functions. They could also be masked to make the source of the disruption difficult to attribute, and therefore be difficult to trace and terminate.

Such risks can be substantially increased by incorporating the software and equipment from unreliable adversaries into the U.S. telecommunications infrastructure. However, these risks are not necessarily confined to infrastructure environments. They could, for example, be present in the use of cloud services, as well as in the widespread use of some consumer devices, networked surveillance cameras, drones, or interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data.

The number of attacks by foreign adversaries on the ICTS supply chain is known to be increasing. The associated costs are borne by the U.S. Government as well as private industry. Given the ubiquity of ICTS in the modern economy and especially in critical infrastructure, the benefits of preventing significant disruptions or harms to the ICTS supply chain that could cause incalculable costs to U.S. firms, consumers, and the U.S. Government, would be very high.

This rule provides a process through which serious disruptions to the United States telecommunications infrastructure can be avoided or ameliorated. The rule provides the means of bringing to bear the information and analytical resources of the U.S. government to address ICTS supply chain issues before they arise, and which may be beyond the means of individual telecommunications carriers or other U.S. ICTS purchasers or users to address on their own. As noted above, the costs associated with the potential attacks, loss of service, or disruption to the ICTS supply chain are not known at this time, and are in actuality unknowable due to the generally clandestine nature of the attacks and the fact that they may or may not occur. However, by deterring, preventing, or mitigating these attacks, this rule will provide the United States with substantial, though unknowable, economic benefits as well as benefits to the national security of the United States.

C. Regulatory Flexibility Analysis

The Department has examined the economic implications of this final rule on small entities as required by the Regulatory Flexibility Act (RFA). The RFA requires an agency to describe the impact of a rule on small entities by providing a regulatory flexibility analysis. The Department published an initial regulatory flexibility analysis in the proposed rule issued on November 27, 2019 (84 FR 65316) and has posted a final regulatory flexibility analysis (FRFA) as part of the RIA (see ADDRESSES). This final rule is likely to have a significant economic impact on a substantial number of small entities. A summary of the FRFA follows.

A Statement of the Significant Issues Raised by Public Comments or by the Chief Counsel for Advocacy of the Small Business Administration in Response to the IRFA, a Statement of the Assessment of the Agency of Such Issues, and a Statement of Any Changes Made in the Proposed Rule as a Result of Such Comments

Many commenters discussed the possibility that this rule could present significant economic costs. For example, one commenter stated that “Commerce’s proposed rules would result in an extremely broad and unprecedented increase in regulatory jurisdiction over private ICT transactions. The notice of proposed rulemaking thus marks a watershed regulatory moment for companies in or adjacent to the ICT market—which is to say, virtually every company in United States—given the government’s newfound stance that it can determine key terms of what ICT companies can buy, sell, or use. As a result, this proceeding and the rules that result from it inescapably will impose additional costs on ICT companies, such as the increased practical need—even


absent a legal requirement—to document supply chain risk management analysis in the event a transaction is investigated, along with related due diligence to consider the as-yet uncertain possibilities for government intervention.” In the RIA, the Department estimated costs associated with developing and implementing a plan to conduct due diligence on potentially covered transactions, including estimating the number of small entities that could be affected by the rule and the economic impact on those small entities.

Statement of the Objectives of, and Legal Basis for, the Final Rule

A description of this final rule, why it is being implemented, the legal basis, and the purpose of this final rule are contained in the SUMMARY and SUPPLEMENTARY INFORMATION sections of this preamble, as well as in the preamble to the Notice of Proposed Rulemaking issued on November 27, 2019 (84 FR 65316), and are not repeated here.

A Description and, Where Feasible, Estimate of the Number of Small Entities to Which the Final Rule Applies

Small Business Administration (SBA) size standards for businesses are based on annual receipts and average employment. For the purpose of this analysis we define a small business as one employing fewer than 500 persons. This definition allows us to use 2017 Census data on firm employment by NAICS industry to estimate the number of affected small entities.

In the RIA, the Department identified 4,533,000 firms that imported significant amounts of goods and services potentially subject to review under the Rule. This formed our upper bound estimate for the total number of affected entities. By replicating this methodology with firm employment data, the Department finds that 4,516,000 of these firms, about 99.6 percent, have less than 500 employees. Assuming the lower bound estimate of 268,000 affected entities is also made up of 99.6 percent small businesses, the Department estimates that between 266,995 and 4,516,000 small businesses will be potentially affected by this rule.

Federal Rules That May Duplicate, Overlap or Conflict With the Final Rule

The Department did not identify any Federal rule that duplicates, overlaps, or conflicts with this final rule.

Description and Estimate of Economic Effects on Entities, by Entity Size and Industry

In the Costs section of the RIA, the Department estimates that costs to all affected entities will range between approximately $235 million and $20.2 billion, or about $2,800 to $6,300 per entity. The Department estimated the costs to small entities using the same methodology. All small entity calculations and assumptions can be found in Tables 10 through 14. These tables are analogous to Tables 5 through 9 in the RIA. While most of the assumptions below are identical to those found in the previous estimates, there are 3 important adjustments to assumptions in the small entity cost estimates:

1. Entities potentially impacted by the rule reduced by 0.4 percent to account for our finding that 99.6 percent of all affected entities have less than 500 employees.

2. Small entities are less likely to have the resources to develop and implement a compliance plan. This analysis thus reduces estimates of the share of small firms likely to engage in these activities accordingly.

3. Small entities engage in fewer transactions than large entities. This analysis reduces the estimates of the number of transactions subject to the rule per small firm accordingly.

As a result of these adjustments, the Department estimates that costs to affected small entities will range between approximately $109 million and $10.9 billion, or about $1,800 and $3,900 per small entity.

Potential Economic Impact of the Rule on Small Entities

Small businesses, as opposed to larger firms, may not have the same ability to deal with the burdens, both direct and indirect, associated with the rule. Faced with the various costs associated with compliance, firms will have to absorb those costs and/or pass them along to their consumers in the form of higher prices. Either action will reduce the profits of firms. Due to their lack of market power, and their lower profit margins, small firms may find it difficult to pursue either or both of those responses while remaining viable.

A similar situation will hold with respect to the indirect impacts of the rule. Small firms downstream of impacted industries are likely to face increases in the prices of ICT products they use as inputs and either absorb the increase in cost and/or raise their prices. Given this situation, it is possible that the rule will have a more substantial adverse impact on small firms relative to larger firms.

However, the changes made from the proposed rule benefit small businesses by limiting the scope of transactions subject to the rule. Small entities have fewer suppliers and engage in fewer transactions than large entities. As a result, by identifying specific foreign adversaries and providing guidance on which entities may be subject to the rule as well as additional criteria on what constitutes an ICTS Transaction, small entities will more readily be able to determine whether their transactions are subject to review under the rule—and may in some cases, find that none of their transactions are likely to be within the scope of the rule. Additionally, by specifically requiring the Secretary to publish the results of final determinations in the Federal Register, small businesses will be able to assess whether their transactions are substantially similar to those that have been prohibited. Finally, the rule reduces the potential burdens on small entities by emphasizing that (1) the Secretary will choose the least burdensome restriction that still allows for protection of the national security when deciding whether to prohibit or mitigate an ICTS Transaction, and (2) the Secretary shall issue a final determination within 180 days of commencing an initial review.

A Description of, and an Explanation of the Basis for, Assumptions Used

SBA size standards for businesses are based on annual receipts and average employment. For the purpose of this analysis, the Department defines a small business as one employing fewer than 500 persons. This definition allows the Department to use 2017 Census data on firm employment by NAICS industry to estimate the number of affected small entities. The Department does not have access to sufficiently detailed data on firm employment and receipts to make use of the full set of SBA size standard thresholds.

The Department notes, however, that 84% of SBA employee thresholds are above 500, and 91% of SBA receipt thresholds are above $6 million. Census data show that average receipts for firms employing less than 500 employees are $2.2 million. Thus, using our threshold of 500 employees we estimate that 99.6% of affected entities are small businesses which is likely a slight underestimate.


Description of Any Significant Alternatives to the Final Rule That Accomplish the Stated Objectives of Applicable Statutes and That Minimize Any Significant Economic Impact of the Rule on Small Entities

This rule will allow the Secretary to review ICTS Transactions to determine whether they present an undue or unacceptable risk, a function which is currently not performed by any other private or public entity. As noted above, private industry often lacks the incentive, information, or resources to review their ICTS purchases for malicious suppliers or other potentially bad actors in the ICTS supply chain. The U.S. Government is uniquely situated to determine threats and protect the national security, including economic security.

The Department considered two regulatory alternatives to reduce the burden on small entities: (1) Excluding small entities with 5 or fewer employees, and (2) excluding certain industries and sectors. However, the Department determined that neither of these two alternatives would achieve the goal of protecting the national security, nor would they eliminate the rule’s significant economic impact on a substantial number of small entities.

First, the Department considered providing an exemption for small entities that have 5 or fewer employees (“smallest entities”). According to Census Bureau’s most recent dataset of number of firms by employee count, about 61% of all firms have less than 5 employees.

Second, the Department examined the feasibility of eliminating the application of the rule to certain small entities involved in specific industries or sectors by excluding: (a) ICTS Transactions that involve only the acquisition of commercial items as defined by Federal Acquisition Regulation Part 2.101; (b) ICTS Transactions that are used solely for the purpose of cybersecurity mitigation or legitimate cybersecurity research; and (c) ICTS Transactions under which a United States person is subject to a security control agreement, special security agreement, or proxy agreement approved by a cognizant

allow potentially problematic transactions that are substantially similar to those conducted by non-exempt entities to avoid review, undermining the rule’s national security objectives. For example, a company that is headquartered in a foreign adversary country, regardless of its size or main industry sector, may be involved in legitimate cybersecurity research and development initiatives performed under the National Cooperative Research and Production Act, 15 U.S.C. 4301–06, and the foreign company may study foreign equipment to gain insights on new innovations or potential network security risks. However, that same company may also be conducting operations during other ICTS Transactions that could harm U.S. national security interests. By promulgating the chosen alternative for the rule, the Department sought to remove both the possibility for confusion as well as the ability for malicious actors to argue that some legitimate cybersecurity research performed by a company would exempt all cybersecurity research by a company, legitimate or otherwise. Thus, the rule applies to types of ICTS Transactions most affecting U.S. national security as opposed to exempting entire industries, sectors, or regulated smallest entities from review.

Section 212 of the Small Business Regulatory Enforcement Fairness Act of 1996 states that, for each rule or group of related rules for which an agency is required to prepare a FRFA, the agency shall publish one or more guides to assist small entities in complying with the rule, and shall designate such publications as “small entity compliance guides.” The agency shall explain the actions a small entity is required to take to comply with a rule or group of rules.

D. Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA) provides that an agency generally cannot conduct or sponsor a collection of information, and no person is required to respond to

E. Unfunded Mandates Reform Act of 1995

This rule would not produce a Federal mandate (under the regulatory provisions of Title II of the Unfunded Mandates Reform Act of 1995) for State, local, and tribal governments or the private sector.

F. Executive Order 13132 (Federalism)

This rule does not contain policies having federalism implications requiring preparations of a Federalism Summary Impact Statement.

G. Executive Order 12630 (Governmental Actions and Interference With Constitutionally Protected Property Rights)

This rule does not contain policies that have unconstitutional takings implications.

H. Executive Order 13175 (Consultation and Coordination With Indian Tribes)

The Department has analyzed this proposed rule under Executive Order 13175 and has determined that the action would not have a substantial direct effect on one or more Indian tribes, would not impose substantial direct compliance costs on Indian tribal governments, and would not preempt tribal law.

I. National Environmental Policy Act

The Department has reviewed this rulemaking action for the purposes of the National Environmental Policy Act (42 U.S.C. 4321 et seq.). It has determined that this final rule would not have a significant impact on the quality of the human environment.

List of Subjects in 15 CFR Part 7

Administrative practice and procedure, Business and industry, Communications, Computer technology, Critical infrastructure, Executive orders, Foreign persons, Investigations, National security, Penalties, Technology, Telecommunications.

This document of the Department of Commerce was signed on January 13, by Wilbur Ross, Secretary of Commerce. That document with the original signature and date is maintained by the Department of Commerce.
For security agency to offset foreign nor be subject to a penalty for failure to ownership, control, or influence administrative purposes only, and in comply with a collection of information, pursuant to the National Industrial compliance with requirements of the unless that collection has obtained Security Program regulations (32 CFR Office of the Federal Register, the part 2004). Office of Management and Budget undersigned Department of Commerce Ultimately, the Department decided (OMB) approval and displays a Federal Register Liaison Officer has against adopting either of these currently valid OMB Control Number. been authorized to sign and submit the regulatory alternatives. Exempting This rulemaking does not contain a document in electronic format for certain industries or sectors or collection of information requirement publication, as an official document of eliminating the application of the rule to subject to review and approval by OMB the Department of Commerce. This smallest entities could inadvertently under the PRA. administrative process in no way alters

the legal effect of this document upon publication in the Federal Register.

Signed in Washington, DC, on January 13, 2021.
Asha Mathew,
Federal Register Liaison Officer, U.S. Department of Commerce.

■ For the reasons set out in the preamble, 15 CFR part 7 is added to read as follows:

PART 7—SECURING THE INFORMATION AND COMMUNICATIONS TECHNOLOGY AND SERVICES SUPPLY CHAIN

Subpart A—General
7.1 Purpose.
7.2 Definitions.
7.3 Scope of Covered ICTS Transactions.
7.4 Determination of foreign adversaries.
7.5 Effect on other laws.
7.6 Amendment, modification, or revocation.
7.7 Public disclosure of records.

Subpart B—Review of ICTS Transactions
7.100 General.
7.101 Information to be furnished on demand.
7.102 Confidentiality of information.
7.103 Initial review of ICTS Transactions.
7.104 First interagency consultation.
7.105 Initial determination.
7.106 Recordkeeping requirement.
7.107 Procedures governing response and mitigation.
7.108 Second interagency consultation.
7.109 Final determination.
7.110 Classified national security information.

Subpart C—Enforcement
7.200 Penalties.

Authority: 50 U.S.C. 1701 et seq.; 50 U.S.C. 1601 et seq.; E.O. 13873, 84 FR 22689.

Subpart A—General

§ 7.1 Purpose.

These regulations set forth the procedures by which the Secretary may: (a) Determine whether any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service (ICTS Transaction) that has been designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries poses certain undue or unacceptable risks as identified in the Executive Order; (b) issue a determination to prohibit an ICTS Transaction; (c) direct the timing and manner of the cessation of the ICTS Transaction; and (d) consider factors that may mitigate the risks posed by the ICTS Transaction. The Secretary will evaluate ICTS Transactions under this rule, which include classes of transactions, on a case-by-case basis. The Secretary, in consultation with appropriate agency heads specified in Executive Order 13873 and other relevant governmental bodies, as appropriate, shall make an initial determination as to whether to prohibit a given ICTS Transaction or propose mitigation measures, by which the ICTS Transaction may be permitted. Parties may submit information in response to the initial determination, including a response to the initial determination and any supporting materials and/or proposed measures to remediate or mitigate the risks identified in the initial determination as posed by the ICTS Transaction at issue. Upon consideration of the parties' submissions, the Secretary will issue a final determination prohibiting the transaction, not prohibiting the transaction, or permitting the transaction subject to the adoption of measures determined by the Secretary to sufficiently mitigate the risks associated with the ICTS Transaction. The Secretary shall also engage in coordination and information sharing, as appropriate, with international partners on the application of these regulations.

§ 7.2 Definitions.

Appropriate agency heads means the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission, and the heads of any other executive departments and agencies the Secretary determines is appropriate.

Commercial item has the same meaning given to it in Federal Acquisition Regulation (48 CFR part 2.101).

Department means the United States Department of Commerce.

Entity means a partnership, association, trust, joint venture, corporation, group, subgroup, or other non-U.S. governmental organization.

Executive Order means Executive Order 13873, May 15, 2019, "Securing the Information and Communications Technology and Services Supply Chain".

Foreign adversary means any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.

ICTS Transaction means any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download. An ICTS Transaction includes any other transaction, the structure of which is designed or intended to evade or circumvent the application of the Executive Order. The term ICTS Transaction includes a class of ICTS Transactions.

IEEPA means the International Emergency Economic Powers Act (50 U.S.C. 1701, et seq.).

Information and communications technology or services or ICTS means any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.

Party or parties to a transaction means a person engaged in an ICTS Transaction, including the person acquiring the ICTS and the person from whom the ICTS is acquired. Party or parties to a transaction include entities designed, or otherwise used with the intention, to evade or circumvent application of the Executive Order. For purposes of this rule, this definition does not include common carriers, except to the extent that a common carrier knew or should have known (as the term "knowledge" is defined in 15 CFR 772.1) that it was providing transportation services of ICTS to one or more of the parties to a transaction that has been prohibited in a final written determination made by the Secretary or, if permitted subject to mitigation measures, in violation of such mitigation measures.

Person means an individual or entity.

Person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary means any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part

by a foreign adversary; any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary; any corporation, partnership, association, or other organization organized under the laws of a nation-state controlled by a foreign adversary; and any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary.

Secretary means the Secretary of Commerce or the Secretary's designee.

Sensitive personal data means:
(1) Personally-identifiable information, including:
(i) Financial data that could be used to analyze or determine an individual's financial distress or hardship;
(ii) The set of data in a consumer report, as defined under 15 U.S.C. 1681a, unless such data is obtained from a consumer reporting agency for one or more purposes identified in 15 U.S.C. 1681b(a);
(iii) The set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance;
(iv) Data relating to the physical, mental, or psychological health condition of an individual;
(v) Non-public electronic communications, including email, messaging, or chat communications, between or among users of a U.S. business's products or services if a primary purpose of such product or service is to facilitate third-party user communications;
(vi) Geolocation data collected using positioning systems, cell phone towers, or WiFi access points such as via a mobile application, vehicle GPS, other onboard mapping tool, or wearable electronic device;
(vii) Biometric enrollment data including facial, voice, retina/iris, and palm/fingerprint templates;
(viii) Data stored and processed for generating a Federal, State, Tribal, Territorial, or other government identification card;
(ix) Data concerning U.S. Government personnel security clearance status; or
(x) The set of data in an application for a U.S. Government personnel security clearance or an application for employment in a position of public trust; or
(2) Genetic information, which includes the results of an individual's genetic tests, including any related genetic sequencing data, whenever such results, in isolation or in combination with previously released or publicly available data, constitute identifiable data. Such results shall not include data derived from databases maintained by the U.S. Government and routinely provided to private parties for purposes of research. For purposes of this paragraph, "genetic test" shall have the meaning provided in 42 U.S.C. 300gg–91(d)(17).

Undue or unacceptable risk means those risks identified in Section 1(a)(ii) of the Executive Order.

United States person means any United States citizen; any permanent resident alien; or any entity organized under the laws of the United States or any jurisdiction within the United States (including such entity's foreign branches).

§ 7.3 Scope of Covered ICTS Transactions.

(a) This part applies only to an ICTS Transaction that:
(1) Is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States;
(2) Involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);
(3) Is initiated, pending, or completed on or after January 19, 2021, regardless of when any contract applicable to the transaction is entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted. Any act or service with respect to an ICTS Transaction, such as execution of any provision of a managed services contract, installation of software updates, or the conducting of repairs, that occurs on or after January 19, 2021 may be deemed an ICTS Transaction within the scope of this part, even if the contract was initially entered into, or the activity commenced, prior to January 19, 2021; and
(4) Involves one of the following ICTS:
(i) ICTS that will be used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21—Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors;
(ii) Software, hardware, or any other product or service integral to:
(A) Wireless local area networks, including:
(1) Distributed antenna systems; and
(2) Small-cell or micro-cell base stations;
(B) Mobile networks, including:
(1) eNodeB based stations;
(2) gNodeB or 5G new radio base stations;
(3) NodeB base stations;
(4) Home location register databases;
(5) Home subscriber servers;
(6) Mobile switching centers;
(7) Session border controllers; and
(8) Operation support systems;
(C) Satellite payloads, including:
(1) Satellite telecommunications systems;
(2) Satellite remote sensing systems; and
(3) Satellite position, navigation, and timing systems;
(D) Satellite operations and control, including:
(1) Telemetry, tracking, and control systems;
(2) Satellite control centers;
(3) Satellite network operations;
(4) Multi-terminal ground stations; and
(5) Satellite uplink centers;
(E) Cable access points, including:
(1) Core routers;
(2) Core networks; and
(3) Core switches;
(F) Wireline access points, including:
(1) Access infrastructure datalinks; and
(2) Access infrastructure digital loops;
(G) Core networking systems, including:
(1) Core infrastructure synchronous optical networks and synchronous digital hierarchy systems;
(2) Core infrastructure dense wavelength division multiplexing or optical transport network systems;
(3) Core infrastructure internet protocol and internet routing systems;
(4) Core infrastructure content delivery network systems;
(5) Core infrastructure internet protocol and multiprotocol label switching systems;
(6) Data center multiprotocol label switching routers; and
(7) Metropolitan multiprotocol label switching routers; or
(H) Long- and short-haul networks, including:
(1) Fiber optical cables; and
(2) Repeaters;
(iii) Software, hardware, or any other product or service integral to data hosting or computing services, to include software-defined services such as virtual private servers, that uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data on greater than one million U.S. persons at any point over the twelve (12) months preceding an ICTS Transaction, including:
(A) Internet hosting services;
(B) Cloud-based or distributed computing and data storage;
(C) Managed services; and
(D) Content delivery services;

(iv) Any of the following ICTS products, if greater than one million units have been sold to U.S. persons at any point over the twelve (12) months prior to an ICTS Transaction:
(A) Internet-enabled sensors, webcams, and any other end-point surveillance or monitoring device;
(B) Routers, modems, and any other home networking device; or
(C) Drones or any other unmanned aerial system;
(v) Software designed primarily for connecting with and communicating via the internet that is in use by greater than one million U.S. persons at any point over the twelve (12) months preceding an ICTS Transaction, including:
(A) Desktop applications;
(B) Mobile applications;
(C) Gaming applications; and
(D) Web-based applications; or
(vi) ICTS integral to:
(A) Artificial intelligence and machine learning;
(B) Quantum key distribution;
(C) Quantum computing;
(D) Drones;
(E) Autonomous systems; or
(F) Advanced Robotics.
(b) This part does not apply to an ICTS Transaction that:
(1) Involves the acquisition of ICTS items by a United States person as a party to a transaction authorized under a U.S. government-industrial security program; or
(2) The Committee on Foreign Investment in the United States (CFIUS) is actively reviewing, or has reviewed, as a covered transaction or covered real estate transaction or as part of such a transaction under section 721 of the Defense Production Act of 1950, as amended, and its implementing regulations.
(c) Notwithstanding the exemption in paragraph (b)(2) of this section, ICTS Transactions conducted by parties to transactions reviewed by CFIUS that were not part of the covered transaction or covered real estate transaction reviewed by CFIUS remain fully subject to this part.

§ 7.4 Determination of foreign adversaries.

(a) The Secretary has determined that the following foreign governments or foreign non-government persons have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons and, therefore, constitute foreign adversaries solely for the purposes of the Executive Order, this rule, and any subsequent rule:
(1) The People's Republic of China, including the Hong Kong Special Administrative Region (China);
(2) Republic of Cuba (Cuba);
(3) Islamic Republic of Iran (Iran);
(4) Democratic People's Republic of Korea (North Korea);
(5) Russian Federation (Russia); and
(6) Venezuelan politician Nicolás Maduro (Maduro Regime).
(b) The Secretary's determination of foreign adversaries is solely for the purposes of the Executive Order, this rule, and any subsequent rule promulgated pursuant to the Executive Order. Pursuant to the Secretary's discretion, the list of foreign adversaries will be revised as determined to be necessary. Such revisions will be effective immediately upon publication in the Federal Register without prior notice or opportunity for public comment.
(c) The Secretary's determination is based on multiple sources, including:
(1) National Security Strategy of the United States;
(2) The Director of National Intelligence's 2016–2019 Worldwide Threat Assessments of the U.S. Intelligence Community;
(3) The 2018 National Cyber Strategy of the United States of America; and
(4) Reports and assessments from the U.S. Intelligence Community, the U.S. Departments of Justice, State and Homeland Security, and other relevant sources.
(d) The Secretary will periodically review this list in consultation with appropriate agency heads and may add to, subtract from, supplement, or otherwise amend this list. Any amendment to this list will apply to any ICTS Transaction that is initiated, pending, or completed on or after the date that the list is amended.

§ 7.5 Effect on other laws.

Nothing in this part shall be construed as altering or affecting any other authority, process, regulation, investigation, enforcement measure, or review provided by or established under any other provision of Federal law, including prohibitions under the National Defense Authorization Act of 2019, the Federal Acquisition Regulations, or IEEPA, or any other authority of the President or the Congress under the Constitution of the United States.

§ 7.6 Amendment, modification, or revocation.

Except as otherwise provided by law, any determinations, prohibitions, or decisions issued under this part may be amended, modified, or revoked, in whole or in part, at any time.

§ 7.7 Public disclosure of records.

Public requests for agency records related to this part will be processed in accordance with the Department of Commerce's Freedom of Information Act regulations, 15 CFR part 4, or other applicable law and regulation.

Subpart B—Review of ICTS Transactions

§ 7.100 General.

In implementing this part, the Secretary of Commerce may:
(a) Consider any and all relevant information held by, or otherwise made available to, the Federal Government that is not otherwise restricted by law for use for this purpose, including:
(1) Publicly available information;
(2) Confidential business information, as defined in 19 CFR 201.6, or proprietary information;
(3) Classified National Security Information, as defined in Executive Order 13526 (December 29, 2009) and its predecessor executive orders, and Controlled Unclassified Information, as defined in Executive Order 13556 (November 4, 2010);
(4) Information obtained from state, local, tribal, or foreign governments or authorities;
(5) Information obtained from parties to a transaction, including records related to such transaction that any party uses, processes, or retains, or would be expected to use, process, or retain, in their ordinary course of business for such a transaction;
(6) Information obtained through the authority granted under sections 2(a) and (c) of the Executive Order and IEEPA, as set forth in U.S.C. 7.101;
(7) Information provided by any other U.S. Government national security body, in each case only to the extent necessary for national security purposes, and subject to applicable confidentiality and classification requirements, including the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector and the Federal Acquisitions Security Council and its designated information-sharing bodies; and
(8) Information provided by any other U.S. Government agency, department, or other regulatory body, including the Federal Communications Commission, Department of Homeland Security, and Department of Justice;
(b) Consolidate the review of any ICTS Transactions with other transactions already under review where the Secretary determines that the transactions raise the same or similar issues, or that are otherwise properly consolidated;

(c) In consultation with the appropriate agency heads, in determining whether an ICTS Transaction involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, consider the following:
(1) Whether the person or its suppliers have headquarters, research, development, manufacturing, test, distribution, or service facilities, or other operations in a foreign country, including one controlled by, or subject to the jurisdiction of, a foreign adversary;
(2) Ties between the person—including its officers, directors or similar officials, employees, consultants, or contractors—and a foreign adversary;
(3) Laws and regulations of any foreign adversary in which the person is headquartered or conducts operations, including research and development, manufacturing, packaging, and distribution; and
(4) Any other criteria that the Secretary deems appropriate;
(d) In consultation with the appropriate agency heads, in determining whether an ICTS Transaction poses an undue or unacceptable risk, consider the following:
(1) Threat assessments and reports prepared by the Director of National Intelligence pursuant to section 5(a) of the Executive Order;
(2) Removal or exclusion orders issued by the Secretary of Homeland Security, the Secretary of Defense, or the Director of National Intelligence (or their designee) pursuant to recommendations of the Federal Acquisition Security Council, under 41 U.S.C. 1323;
(3) Relevant provisions of the Defense Federal Acquisition Regulation (48 CFR ch. 2) and the Federal Acquisition Regulation (48 CFR ch. 1), and their respective supplements;
(4) The written assessment produced pursuant to section 5(b) of the Executive Order, as well as the entities, hardware, software, and services that present vulnerabilities in the United States as determined by the Secretary of Homeland Security pursuant to that section;
(5) Actual and potential threats to execution of a "National Critical Function" identified by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency;
(6) The nature, degree, and likelihood of consequence to the United States public and private sectors that could occur if ICTS vulnerabilities were to be exploited; and
(7) Any other source or information that the Secretary deems appropriate; and
(e) In the event the Secretary finds that unusual and extraordinary harm to the national security of the United States is likely to occur if all of the procedures specified herein are followed, the Secretary may deviate from these procedures in a manner tailored to protect against that harm.

§ 7.101 Information to be furnished on demand.

(a) Pursuant to the authority granted to the Secretary under sections 2(a), 2(b), and 2(c) of the Executive Order and IEEPA, persons involved in an ICTS Transaction may be required to furnish under oath, in the form of reports or otherwise, at any time as may be required by the Secretary, complete information relative to any act or transaction, subject to the provisions of this part. The Secretary may require that such reports include the production of any books, contracts, letters, papers, or other hard copy or electronic documents relating to any such act, transaction, or property, in the custody or control of the persons required to make such reports. Reports with respect to transactions may be required either before, during, or after such transactions. The Secretary may, through any person or agency, conduct investigations, hold hearings, administer oaths, examine witnesses, receive evidence, take depositions, and require by subpoena the attendance and testimony of witnesses and the production of any books, contracts, letters, papers, and other hard copy or documents relating to any matter under investigation, regardless of whether any report has been required or filed in connection therewith.
(b) For purposes of paragraph (a) of this section, the term "document" includes any written, recorded, or graphic matter or other means of preserving thought or expression (including in electronic format), and all tangible things stored in any medium from which information can be processed, transcribed, or obtained directly or indirectly, including correspondence, memoranda, notes, messages, contemporaneous communications such as text and instant messages, letters, emails, spreadsheets, metadata, contracts, bulletins, diaries, chronological data, minutes, books, reports, examinations, charts, ledgers, books of account, invoices, air waybills, bills of lading, worksheets, receipts, printouts, papers, schedules, affidavits, presentations, transcripts, surveys, graphic representations of any kind, drawings, photographs, graphs, video or sound recordings, and motion pictures or other film.
(c) Persons providing documents to the Secretary pursuant to this section must produce documents in a format useable to the Department of Commerce, which may be detailed in the request for documents or otherwise agreed to by the parties.

§ 7.102 Confidentiality of information.

(a) Information or documentary materials, not otherwise publicly or commercially available, submitted or filed with the Secretary under this part will not be released publicly except to the extent required by law.
(b) The Secretary may disclose information or documentary materials that are not otherwise publicly or commercially available and referenced in paragraph (a) in the following circumstances:
(1) Pursuant to any administrative or judicial proceeding;
(2) Pursuant to an act of Congress;
(3) Pursuant to a request from any duly authorized committee or subcommittee of Congress;
(4) Pursuant to any domestic governmental entity, or to any foreign governmental entity of a United States ally or partner, information or documentary materials, not otherwise publicly or commercially available and important to the national security analysis or actions of the Secretary, but only to the extent necessary for national security purposes, and subject to appropriate confidentiality and classification requirements;
(5) Where the parties or a party to a transaction have consented, the information or documentary material that are not otherwise publicly or commercially available may be disclosed to third parties; and
(6) Any other purpose authorized by law.
(c) This section shall continue to apply with respect to information and documentary materials that are not otherwise publicly or commercially available and submitted to or obtained by the Secretary even after the Secretary issues a final determination pursuant to § 7.109 of this part.
(d) The provisions of 18 U.S.C. 1905, relating to fines and imprisonment and other penalties, shall apply with respect to the disclosure of information or documentary material provided to the Secretary under these regulations.


§ 7.103 Initial review of ICTS Transactions.
(a) Upon receipt of any information identified in § 7.100(a), upon written request of an appropriate agency head, or at the Secretary’s discretion, the Secretary may consider any referral for review of a transaction (referral).
(b) In considering a referral pursuant to paragraph (a), the Secretary shall assess whether the referral falls within the scope of § 7.3(a) of this part and involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, and determine whether to:
(1) Accept the referral and commence an initial review of the transaction;
(2) Request additional information, as identified in § 7.100(a), from the referring entity regarding the referral; or
(3) Reject the referral.
(c) Upon accepting a referral pursuant to paragraph (b) of this section, the Secretary shall conduct an initial review of the ICTS Transaction and assess whether the ICTS Transaction poses an undue or unacceptable risk, which may be determined by evaluating the following criteria:
(1) The nature and characteristics of the information and communications technology or services at issue in the ICTS Transaction, including technical capabilities, applications, and market share considerations;
(2) The nature and degree of the ownership, control, direction, or jurisdiction exercised by the foreign adversary over the design, development, manufacture, or supply at issue in the ICTS Transaction;
(3) The statements and actions of the foreign adversary at issue in the ICTS Transaction;
(4) The statements and actions of the persons involved in the design, development, manufacture, or supply at issue in the ICTS Transaction;
(5) The statements and actions of the parties to the ICTS Transaction;
(6) Whether the ICTS Transaction poses a discrete or persistent threat;
(7) The nature of the vulnerability implicated by the ICTS Transaction;
(8) Whether there is an ability to otherwise mitigate the risks posed by the ICTS Transaction;
(9) The severity of the harm posed by the ICTS Transaction on at least one of the following:
(i) Health, safety, and security;
(ii) Critical infrastructure;
(iii) Sensitive data;
(iv) The economy;
(v) Foreign policy;
(vi) The natural environment; and
(vii) National Essential Functions (as defined by Federal Continuity Directive-2 (FCD–2)); and
(10) The likelihood that the ICTS Transaction will in fact cause threatened harm.
(d) If the Secretary finds that an ICTS Transaction does not meet the criteria of paragraph (b) of this section:
(1) The transaction shall no longer be under review; and
(2) Future review of the transaction shall not be precluded, where additional information becomes available to the Secretary.

§ 7.104 First interagency consultation.
Upon finding that an ICTS Transaction likely meets the criteria set forth in § 7.103(c) during the initial review under § 7.103, the Secretary shall notify the appropriate agency heads and, in consultation with them, shall determine whether the ICTS Transaction meets the criteria set forth in § 7.103(c).

§ 7.105 Initial determination.
(a) If, after the consultation required by § 7.104, the Secretary determines that the ICTS Transaction does not meet the criteria set forth in § 7.103(c):
(1) The transaction shall no longer be under review; and
(2) Future review of the transaction shall not be precluded, where additional information becomes available to the Secretary.
(b) If, after the consultation required by § 7.104, the Secretary determines that the ICTS Transaction meets the criteria set forth in § 7.103(c), the Secretary shall:
(1) Make an initial written determination, which shall be dated and signed by the Secretary, that:
(i) Explains why the ICTS Transaction meets the criteria set forth in § 7.103(c); and
(ii) Sets forth whether the Secretary has initially determined to prohibit the ICTS Transaction or to propose mitigation measures, by which the ICTS Transaction may be permitted; and
(2) Notify the parties to the ICTS Transaction either through publication in the Federal Register or by serving a copy of the initial determination on the parties via registered U.S. mail, facsimile, and electronic transmission, or third-party commercial carrier, to an addressee’s last known address or by personal delivery.
(c) Notwithstanding the fact that the initial determination to prohibit or propose mitigation measures on an ICTS Transaction may, in whole or in part, rely upon classified national security information, or sensitive but unclassified information, the initial determination will contain no classified national security information, nor reference thereto, and, at the Secretary’s discretion, may not contain sensitive but unclassified information.

§ 7.106 Recordkeeping requirement.
Upon notification that an ICTS Transaction is under review or that an initial determination concerning an ICTS Transaction has been made, a notified person must immediately take steps to retain any and all records relating to such transaction.

§ 7.107 Procedures governing response and mitigation.
Within 30 days of service of the Secretary’s notification pursuant to § 7.105, a party to an ICTS Transaction may respond to the Secretary’s initial determination or assert that the circumstances resulting in the initial determination no longer apply, and thus seek to have the initial determination rescinded or mitigated pursuant to the following administrative procedures:
(a) A party may submit arguments or evidence that the party believes establishes that insufficient basis exists for the initial determination, including any prohibition of the ICTS Transaction;
(b) A party may propose remedial steps on the party’s part, such as corporate reorganization, disgorgement of control of the foreign adversary, engagement of a compliance monitor, or similar steps, which the party believes would negate the basis for the initial determination;
(c) Any submission must be made in writing;
(d) A party responding to the Secretary’s initial determination may request a meeting with the Department, and the Department may, at its discretion, agree or decline to conduct such meetings prior to making a final determination pursuant to § 7.109;
(e) This rule creates no right in any person to obtain access to information in the possession of the U.S. Government that was considered in making the initial determination to prohibit the ICTS Transaction, to include classified national security information or sensitive but unclassified information; and
(f) If the Department receives no response from the parties within 30 days after service of the initial determination to the parties, the Secretary may determine to issue a final determination without the need to engage in the consultation process provided in section 7.108 of this rule.

§ 7.108 Second interagency consultation.
(a) Upon receipt of any submission by a party to an ICTS Transaction under § 7.107, the Secretary shall consider


whether and how any information provided—including proposed mitigation measures—affects an initial determination of whether the ICTS Transaction meets the criteria set forth in § 7.103(c).
(b) After considering the effect of any submission by a party to an ICTS Transaction under § 7.107 consistent with paragraph (a), the Secretary shall consult with and seek the consensus of all appropriate agency heads prior to issuing a final determination as to whether the ICTS Transaction shall be prohibited, not prohibited, or permitted pursuant to the adoption of negotiated mitigation measures.
(c) If consensus is unable to be reached, the Secretary shall notify the President of the Secretary’s proposed final determination and any appropriate agency head’s opposition thereto.
(d) After receiving direction from the President regarding the Secretary’s proposed final determination and any appropriate agency head’s opposition thereto, the Secretary shall issue a final determination pursuant to § 7.109.

§ 7.109 Final determination.
(a) For each transaction for which the Secretary issues an initial determination that an ICTS Transaction is prohibited, the Secretary shall issue a final determination as to whether the ICTS Transaction is:
(1) Prohibited;
(2) Not prohibited; or
(3) Permitted, at the Secretary’s discretion, pursuant to the adoption of negotiated mitigation measures.
(b) Unless the Secretary determines in writing that additional time is necessary, the Secretary shall issue the final determination within 180 days of accepting a referral and commencing the initial review of the ICTS Transaction pursuant to § 7.103.
(c) If the Secretary determines that an ICTS Transaction is prohibited, the Secretary shall have the discretion to direct the least restrictive means necessary to tailor the prohibition to address the undue or unacceptable risk posed by the ICTS Transaction.
(d) The final determination shall:
(1) Be written, signed, and dated;
(2) Describe the Secretary’s determination;
(3) Be unclassified and contain no reference to classified national security information;
(4) Consider and address any information received from a party to the ICTS Transaction;
(5) Direct, if applicable, the timing and manner of the cessation of the ICTS Transaction;
(6) Explain, if applicable, that a final determination that the ICTS Transaction is not prohibited does not preclude the future review of transactions related in any way to the ICTS Transaction;
(7) Include, if applicable, a description of the mitigation measures agreed upon by the party or parties to the ICTS Transaction and the Secretary; and
(8) State the penalties a party will face if it fails to comply fully with any mitigation agreement or direction, including violations of IEEPA, or other violations of law.
(e) The written, signed, and dated final determination shall be sent to:
(1) The parties to the ICTS Transaction via registered U.S. mail and electronic mail; and
(2) The appropriate agency heads.
(f) The results of final written determinations to prohibit an ICTS Transaction shall be published in the Federal Register. The publication shall omit any confidential business information.

§ 7.110 Classified national security information.
In any review of a determination made under this part, if the determination was based on classified national security information, such information may be submitted to the reviewing court ex parte and in camera. This section does not confer or imply any right to review in any tribunal, judicial or otherwise.

Subpart C—Enforcement

§ 7.200 Penalties.
(a) Maximum penalties.
(1) Civil penalty. A civil penalty not to exceed the amount set forth in Section 206 of IEEPA, 50 U.S.C. 1705, may be imposed on any person who violates, attempts to violate, conspires to violate, or causes any knowing violation of any final determination or direction issued pursuant to this part, including any violation of a mitigation agreement issued or other condition imposed under this part. IEEPA provides for a maximum civil penalty not to exceed the greater of $250,000, subject to inflationary adjustment, or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed.
(2) Criminal penalty. A person who willfully commits, willfully attempts to commit, or willfully conspires to commit, or aids and abets in the commission of a violation of any final determination, direction, or mitigation agreement shall, upon conviction of a violation of IEEPA, be fined not more than $1,000,000, or if a natural person, may be imprisoned for not more than 20 years, or both.
(3) The Secretary may impose a civil penalty of not more than the maximum statutory penalty amount, which, when adjusted for inflation, is $307,922, or twice the amount of the transaction that is the basis of the violation, per violation on any person who violates any final determination, direction, or mitigation agreement issued pursuant to this part under IEEPA.
(i) Notice of the penalty, including a written explanation of the penalized conduct specifying the laws and regulations allegedly violated and the amount of the proposed penalty, and notifying the recipient of a right to make a written petition within 30 days as to why a penalty should not be imposed, shall be served on the notified party or parties.
(ii) The Secretary shall review any presentation and issue a final administrative decision within 30 days of receipt of the petition.
(4) Any civil penalties authorized in this section may be recovered in a civil action brought by the United States in U.S. district court.
(b) Adjustments to penalty amounts.
(1) The civil penalties provided in IEEPA are subject to adjustment pursuant to the Federal Civil Penalties Inflation Adjustment Act of 1990 (Pub. L. 101–410, as amended, 28 U.S.C. 2461 note).
(2) The criminal penalties provided in IEEPA are subject to adjustment pursuant to 18 U.S.C. 3571.
(c) The penalties available under this section are without prejudice to other penalties, civil or criminal, available under law. Attention is directed to 18 U.S.C. 1001, which provides that whoever, in any matter within the jurisdiction of any department or agency in the United States, knowingly and willfully falsifies, conceals, or covers up by any trick, scheme, or device a material fact, or makes any false, fictitious, or fraudulent statements or representations, or makes or uses any false writing or document knowing the same to contain any false, fictitious, or fraudulent statement or entry, shall be fined under title 18, United States Code, or imprisoned not more than 5 years, or both.

[FR Doc. 2021–01234 Filed 1–14–21; 4:15 pm]
BILLING CODE 3510–20–P
