On November 27, 2019, the US Commerce Department published a proposed rule implementing regulations following President Trump’s May 15, 2019 Executive Order 13783 (E.O.) on Securing the Information and Communications Technology and Services (ICTS) Supply Chain. The proposed rule adopts an open-ended, case-by-case review framework by which the Commerce Department will be able to evaluate “transactions” and determine if they are prohibited or must be mitigated due to national security concerns. Reviews would be undertaken by the Commerce Department on its own initiative or via referrals from other U.S. Government agencies or private parties.
This proposed rule comes in the context of broader Executive Branch activity and Congressional scrutiny of telecommunications and cybersecurity vulnerabilities. The FCC released an order and further notice of proposed rulemaking on November 26, 2019 that prohibits use of the Commission’s Universal Service Fund (USF) to purchase or obtain equipment from companies and affiliates that proposes a national security threat, and outlines the process for identifying such companies. The FCC indicated that it is considering further proposals to remove and replace certain existing equipment and services from companies of concern. Comments on the FCC rulemaking will be due 30 days after publication in the Federal Register.
Background on Supply Chain E.O. and Key Proposed Rule Definitions
The E.O. grants the Commerce Department with the authority to prohibit any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service (a “transaction”) subject to United States’ jurisdiction where Commerce determines that the transaction:
- involves property in which a foreign country or national has an interest;
- includes information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
- poses certain undue risks to critical infrastructure or the digital economy in the United States or certain unacceptable risks to U.S. national security or U.S. persons.
Property subject to U.S. jurisdiction would in this context include any goods entering the customs territory of the United States.
The broad definition of transaction would include not just investments (like CFIUS) but also any contracts including imports or domestically purchased products. Importantly, the proposed rule would define a transaction to include any transaction that was initiated, pending or completed after May 15, 2019 regardless of when any applicable contract was signed or entered into. This means that certain ongoing activities (e.g., managed services, software updates, repairs, etc.) in connection with contracts pre-dating May 15, 2019 would still constitute transactions that could be subject to E.O. 13783.
The term foreign adversary would be defined as any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons for the purposes of E.O. 13783.
The Commerce Department notes that the determination of a foreign adversary is an Executive branch decision. We would expect that China and/or Huawei will be declared a foreign adversary as part of any final rulemaking, though it is unclear whether any other countries or entities will be designated.
Who is Impacted?
The proposed rule will apply to any transaction involving a U.S. person and/or involving property subject to U.S. jurisdiction. The proposed rule would therefore have broad application to any number of U.S. sectors where the transaction involves ICTS, which would be defined as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display.”
In the proposed rule, the Commerce Department identifies groups utilizing ICTS that might be affected:
Telecommunications Service Providers | Internet and Digital Service Providers | Vendors and Equipment Manufacturers | |
1. Incumbent Local Exchange Carriers (LECs) | 8. Wireless Telecommunications Carrier (except Satellite) | 1. Internet Service Providers (Broadband) | 1. Vendors of Infrastructure Development or “Network Buildout” |
2. Interchange Carriers (IXCs) | 9. Common Carrier Paging | 2. Internet Service Providers (Non-Broadband) | 2. Telephone Apparatus Manufacturing |
3. Competitive Access Providers | 10. Wireless Telephony | 3. Cloud Providers | 3. Radio and Television Broadcasting and Wireless Communications Equipment |
4. Operator Service Providers (OSPs) | 11. Satellite Telecommunications | 4. Data Center Service Providers | 4. Information Technology Equipment Manufacturers |
5. Local Resellers | 12. All Other Telecommunications | 5. Managed Security Service Providers | 5. Connected Device Manufacturers (e.g., connected video cameras,
health monitoring devices) |
6. Toll Resellers | 6. Internet Application Operators/Developers | 6. Other Communications Equipment Manufacturing | |
7. Wired Telecommunications Carriers | 7. Software Providers (platform as a service, software as a service, |
Review Process
The proposed rule would provide the Commerce Department with broad discretion to initiate an evaluation of a particular transaction. Parties would not have any mandated reporting or compliance requirement unless they receive a notice from the Commerce Department that a transaction is being evaluated.
The Commerce Department would be able to commence an evaluation of a particular transaction in one of three ways: (1) At its own discretion; (2) Upon request of certain U.S. Government agencies; or (3) Based on information submitted by private parties determined to credible. This would allow competitors and other private persons to submit allegations to the Department regarding other parties’ use of foreign adversary equipment and to seek a review of the transaction.
Parties entering into or performing contracts with any person identified as a “foreign adversary” would need to determine whether a transaction could potentially be subject to the E.O. and, if so, whether it might be unwound or mitigated in light of possible national security concerns. The Commerce Department would not provide advisory opinions before parties enter into a transaction.
During its review, the Commerce Department, in consultation with other agencies, will determine whether a transaction is subject to the E.O. and, if so, whether it poses an unacceptable national security risk. There is no timeline for the Department to initiate or conduct a review. The proposed rule does not identify the factors that the Department will consider other than the broad criteria referenced in the proposed rule. The proposed rule does not provide an opportunity for potentially affected parties to participate in the review. Only after the Commerce Department issues a preliminary determination to block a transaction or require mitigation would a party have 30 days to submit its opposition. The Commerce Department would then issue its final determination in 30 days.
Violations of a Commerce Department determination could be punished with civil fines under the International Economic Emergencies Powers Act.
Written comments on the proposed rule are due by December 27, 2019.