The Matrix

U.S. Department of Commerce Proposed Restrictions to Secure the IT Supply Chain


Over the last few weeks, the federal government has issued a number of trade sanctions and restrictions targeting the People’s Republic of China.  These include prohibitions on investments in certain companies deemed to be Chinese military companies, and further restrictions on any business relationships with an entity connected to Huawei.  This article discusses certain new restrictions with significant data, privacy and cybersecurity implications.

Last week, the U.S. Department of Commerce (“Commerce”) proposed sweeping restrictions on imports or use of software and IT hardware produced by, in, or licensed from a person located in or under the control of China (including Hong Kong), Russia, Iran, Cuba, North Korea or the Maduro regime of Venezuela. On January 19, 2021, Commerce issued an Interim Final Rule targeting all business transactions deemed ICTS Transactions (as defined below) by U.S. companies sourcing information technology supplies and services deemed ICTS (as defined below) from designated “foreign adversaries”, specifically China and Hong Kong, Cuba, Iran, North Korea, Russia and Venezuela. Pending review by the incoming Biden administration, this Interim Final Rule will be effective March 22, 2021, and will require Commerce review and approval for certain technology transactions which could pose an undue or unacceptable risk to national security.

The technology restrictions focus on any hardware or software system that a third party could exploit to compromise the security or integrity of communications, infrastructure or sensitive personal data of U.S. persons or companies.  Transactions include not only M&A transactions but also ongoing business transactions or even routine software updates.  Such transactions will be subject to review by Commerce, which is currently on a voluntary basis, but may be required for certain critical infrastructure sectors as defined below under “Covered ICTS Transactions”.  Transactions authorized under a U.S. government-industrial security program and transactions involving personal hardware devices, such as handsets, will not be subject to particular scrutiny.

This reporting is distinct and separate from the investment and acquisition review conducted by the Committee for Foreign Investment in the United States (“CFIUS”). Business transactions which are covered transactions subject to review before the CFIUS are likewise not subject to this Interim Final Rule. Violations of this Interim Final Rule are subject to the maximum civil and criminal penalties under the International Emergency Economic Powers Act (“IEEPA”).

Key Definitions:

  • ICTS: hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.
  • ICTS Transactions: any acquisition, importation, transfer, installation, dealing in, or use of any integral information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.
  • Covered ICTS Transactions: There are six categories of ICTS Transactions which may be reviewed by Commerce under this Interim Final Rule:
    • Integral to businesses in a critical infrastructure sector as established under Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience;
    • Wireless and fiber optic networking devices and applications;
    • Advanced technical systems such as artificial intelligence, machine learning, quantum computing, drones, autonomous systems, or advanced robotics;
    • Software, hardware, or services (including VPN) that process, use or retain sensitive personal data on more than 1 million U.S. persons, or a related hosting, cloud-storage, or content delivery service;
    • Hardware with U.S. sales of more than 1 million units per year; or
    • Internet-based communications software or apps with more than 1 million U.S. users.

More regulatory action to follow:
Pending Biden administration review, the proposed new import restrictions will be effective March 22, 2021 and can apply to any Covered ICTS Transaction happening on or after January 19, 2021.  While the Biden administration has issued a freeze for any new or pending regulations or rules issued prior to noon, January 20, 2021, the Office of Management and Budget may exempt any rule for national security purposes.  Therefore, while the status of this rule and the precise timing of its implementation may be in flux, it is likely to become effective in relatively short order. 

Commerce has committed to publishing procedures to allow parties to a proposed, pending or ongoing ICTS Transaction to voluntarily seek a pre-approval and obtain a license for a transaction, which would not otherwise undermine U.S. national security.  This process would be similar to the CFIUS “safe harbor” that may be obtained for foreign direct investments or foreign buyer acquisitions. 

What now?
Companies operating in a critical infrastructure sector or developing advanced technical systems should begin review of their supply chain for any integral technological products or services sourced from a designated foreign adversary.  These restrictions may need to be considered as part of legal diligence for client matters involving a business or M&A transaction in any of the above-listed critical infrastructure sectors.

For more information or to discuss how this rule will impact your business, contact your regular Honigman attorney.
