Securing the Information and Communications Technology and Services Supply Chain, 65316-65322 [2019-25554]

Agencies

• DEPARTMENT OF COMMERCE

[Federal Register Volume 84, Number 229 (Wednesday, November 27, 2019)]
[Proposed Rules]
[Pages 65316-65322]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-25554]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 84 , No. 229 / Wednesday, November 27, 2019 / 
Proposed Rules

[[Page 65316]]



DEPARTMENT OF COMMERCE

15 CFR Part 7

[Docket No. 191119-0084]
RIN 0605-AA51


Securing the Information and Communications Technology and 
Services Supply Chain

AGENCY: U.S. Department of Commerce.

ACTION: Proposed rule; request for comments.

-----------------------------------------------------------------------

SUMMARY: Pursuant to an Executive order of May 15, 2019, entitled 
``Securing the Information and Communications Technology and Services 
Supply Chain,'' the Department of Commerce (the Department) proposes to 
implement regulations that would govern the process and procedures that 
the Secretary of Commerce (Secretary) will use to identify, assess, and 
address certain information and communications technology and services 
transactions that pose an undue risk to critical infrastructure or the 
digital economy in the United States, or an unacceptable risk to U.S. 
national security or the safety of United States persons.

DATES: Written comments must be received on or before December 27, 
2019.

ADDRESSES: All comments must be submitted by one of the following 
methods:
     By the Federal eRulemaking Portal: https://www.regulations.gov at docket number DOC-2019-0005.
     By email directly to: [email protected]. Include 
``RIN 0605-AA51'' in the subject line.
     By mail or hand delivery to: Henry Young, U.S. Department 
of Commerce, ATTN: RIN 0605-AA51, 1401 Constitution Avenue NW, 
Washington, DC 20230.
     Instructions: Comments sent by any other method, to any 
other address or individual, or received after the end of the comment 
period, may not be considered. For those seeking to submit confidential 
business information (CBI), please submit such information by email or 
mail or hand delivery as instructed above. Each CBI submission must 
also contain a summary of the CBI in sufficient detail to permit a 
reasonable understanding of the substance of the information for public 
consumption. Such summary information will be posted on 
regulations.gov.

FOR FURTHER INFORMATION CONTACT: Henry Young, U.S. Department of 
Commerce, 1401 Constitution Avenue NW, Washington, DC 20230; telephone: 
202-482-0224. For media inquiries: Rebecca Glover, Director, Office of 
Public Affairs, U.S. Department of Commerce, 1401 Constitution Avenue 
NW, Washington, DC 20230; telephone: (202) 482-4883.

SUPPLEMENTARY INFORMATION: 

I. Background

    The information and communications technology and services (ICTS) 
supply chain is critical to nearly every aspect of U.S. national 
security. It underpins our economy; supports critical infrastructure 
and emergency services; and facilitates the nation's ability to store, 
process, and transmit vast amounts of data, including sensitive 
information, that is used for personal, commercial, government, and 
national security purposes. The ICTS supply chain must be secure to 
protect our national security, including the economic strength that is 
an essential element of our national security. However, the ICTS supply 
chain has become increasingly vulnerable to exploitation and is an 
attractive target for espionage, sabotage, and foreign interference 
activity. ICTS that are designed, developed, manufactured, or supplied 
by persons owned by, controlled by, or subject to the jurisdiction or 
direction of a foreign adversary augment our adversaries' ability to 
create or exploit vulnerabilities in ICTS to potentially catastrophic 
effect. The President has determined that the unrestricted acquisition 
or use of such ICTS causes an unusual and extraordinary threat to the 
national security, foreign policy, and economy of the United States.
    Executive Order 13873 of May 15, 2019, ``Securing the Information 
and Communications Technology and Services Supply Chain'' (84 FR 22689) 
(Executive order), was issued pursuant to the President's authority 
under the Constitution and the laws of the United States, including the 
International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) 
(IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.), and 
section 301 of Title 3, United States Code. The Executive order grants 
the Secretary of Commerce (Secretary) the authority to prohibit any 
acquisition, importation, transfer, installation, dealing in, or use of 
any information and communications technology or service (a 
``transaction'') subject to United States' jurisdiction where the 
Secretary, in consultation with other relevant agency heads, determines 
that the transaction: (i) Involves property in which a foreign country 
or national has an interest; (ii) includes information and 
communications technology or services designed, developed, 
manufactured, or supplied by persons owned by, controlled by, or 
subject to the jurisdiction or direction of a foreign adversary; and 
(iii) poses certain undue risks to critical infrastructure or the 
digital economy in the United States or certain unacceptable risk to 
U.S. national security or U.S. persons. (84 FR 22689).
    The Department is proposing regulations that would implement the 
terms of the Executive order by establishing a process by which the 
Secretary will determine whether a particular transaction should be 
prohibited. A transaction that meets the following conditions will be 
subject to review by the Secretary and may require mitigation, 
prohibition, or an unwinding of the transaction if determined to be 
prohibited: (1) The transaction is conducted by any person subject to 
the jurisdiction of the United States or involves property subject to 
the jurisdiction of the United States; (2) the transaction involves any 
property in which any foreign country or a national thereof has an 
interest (including through an interest in a contract for the provision 
of the technology or service); and (3) the transaction was initiated, 
pending, or completed after May 15, 2019, regardless of when any 
contract applicable to the transaction was entered into, dated or 
signed, or when any license, permit, or authorization applicable to 
such transaction was

[[Page 65317]]

granted. Transactions involving certain ongoing activities, including 
but not limited to managed services, software updates, or repairs, 
would constitute transactions that was completed on or after May 15, 
2019 even if a contract was entered into prior to May 15, 2019.
    To assist the Department in the execution and implementation of the 
Executive order, Section 5 of the Executive order requires the Office 
of the Director of National Intelligence (ODNI) and the Department of 
Homeland Security (DHS) to produce an initial threat assessment and 
vulnerability assessment, respectively. Pursuant to Section 5(a) of the 
Executive order, the Director of National Intelligence produced an 
initial, classified threat assessment setting forth the threats to the 
United States and its people from ICTS designed, developed, 
manufactured, or supplied by persons owned by, controlled by, or 
subject to the jurisdiction or direction of a foreign adversary.
    Pursuant to Section 5(b) of the Executive order, DHS provided to 
the Department an initial vulnerabilities assessment identifying and 
assessing ICTS hardware, software, and services that present 
vulnerabilities in the United States. The Department will use this 
vulnerability assessment as one of the available sources of information 
to inform its analysis of risks and will use the categories of ICTS 
identified in the assessment as an analytical tool to assist in 
evaluating transactions within the Executive order's scope.
    The Secretary herein adopts a case-by-case, fact-specific approach 
to determine those transactions that meet the requirements set forth in 
the Executive order and are therefore prohibited or must be mitigated. 
A case-by-case process allows for the deliberative application of the 
authority granted to the Secretary by the President in the Executive 
order as the Secretary seeks to calibrate properly the application of 
this new authority. A case-by-case application of this authority would 
allow the Secretary to target and prohibit transactions that meet the 
Executive order criteria, without unintentionally prohibiting other 
transactions involving similar ICTS that may not rise to the level of 
presenting an undue risk to critical infrastructure or the digital 
economy in the United States or an unacceptable risk to national 
security or the safety of U.S. persons. This approach would also ensure 
that the Department does not inadvertently preclude innovation or 
access to technology in the United States.

II. Prohibited Transactions

    The Executive order proscribes transactions, which involve the 
acquisition, importation, transfer, installation, dealing in or use of 
ICTS by any person where the transaction (i) involves any property in 
which a foreign country or a national thereof has any interest, (ii) 
involves any ICTS ``designed, developed, manufactured, or supplied'' by 
entities ``owned by, controlled by, or subject to the jurisdiction or 
direction of a foreign adversary,'' and (iii) poses ``an undue risk'' 
of several specified adverse consequences, or ``an unacceptable risk'' 
to national security or the safety of U.S. persons.
    In implementing the Executive order, the Secretary will decide 
whether the particular circumstances of a potentially prohibited 
transaction may meet this standard. The Secretary, upon the Secretary's 
own motion or upon referral of a particular transaction from another 
Federal agency, will evaluate transactions the Secretary believes may 
be covered by the Executive order and determine, in consultation with 
the heads of other agencies as appropriate, whether any such 
transaction should be prohibited or mitigated.
    Under the procedures set forth in the proposed rule the Secretary 
would provide, as appropriate, direct notice to the parties of a 
transaction that an evaluation of a transaction is being conducted and 
that he has reached a preliminary determination regarding a 
transaction. In making determinations, the Secretary, in consultation 
with other Federal agencies, would assess, for example, whether a party 
to a transaction is owned by, controlled by, or subject to the 
jurisdiction or direction of a foreign adversary, and whether the use 
of a certain class of ICTS or transactions by particular classes of 
users present an undue or unacceptable risk. Parties notified of an 
evaluation and preliminary determination would have an opportunity to 
submit an opposition and information in support of their opposition, 
which may include proposed measures for mitigation, prior to the 
Secretary issuing a final determination.
    Upon completion of the evaluation, the Secretary would issue an 
unclassified, written final determination to the parties engaged in the 
transaction, and, as appropriate, to the public, that would summarize 
the elements of the evaluation and explain how the Secretary's 
determination is consistent with the terms of the Executive order and 
its implementing regulations. In the event that classified or any other 
protected information is used or relied upon by the Secretary in making 
a determination, such information would not be made available except as 
required by law. If the Secretary determines that a transaction 
presents an undue or unacceptable risk, the Secretary may require 
measures to mitigate the transaction's identified risks or may prohibit 
the transaction, including by requiring that the parties engaged in the 
transaction immediately cease the use of the ICTS that poses the undue 
or unacceptable risk, even if such ICTS has been installed or was in 
operation prior to the Secretary's determination. The Secretary will 
not issue an advisory opinion or a declaratory ruling with respect to 
any particular transaction.
    The Executive order also authorizes the Secretary to exempt certain 
classes of transactions from the Executive order's restrictions if the 
Secretary determines (for example, because of the nature or 
capabilities of the ICTS involved or the characteristics of the 
purchaser or ultimate user) that such transactions do not present an 
undue or unacceptable risk or are outside the scope of the Executive 
order. The Executive order also authorizes the Secretary to prohibit 
transactions as a class if the Secretary determines that such class of 
transactions pose an undue or unacceptable risk. The proposed rule does 
not recognize particular technologies or particular participants in the 
market for ICTS as categorically included or excluded from the 
prohibitions established by the Executive order. If, in the future, the 
Secretary determines that it is appropriate to designate classes of 
transactions for categorical inclusion or exclusion, further guidance 
will be issued at that time.
    It is expected that parties engaging in any transaction subject to 
the Executive order will maintain records related to such transaction 
in a manner consistent with the recordkeeping practices used in their 
ordinary course of business for such a transaction. Any parties 
notified that a transaction is being evaluated will be advised by that 
notice to immediately take steps to retain any and all records relating 
to such transaction.

III. Request for Comment

    The Department invites comment on all aspects of the proposed 
regulation but notes that the determination of a ``foreign adversary'' 
for purposes of implementing the Executive order is a matter of 
executive branch discretion and will be made by the Secretary in 
consultation with the Secretary of the Treasury, the Secretary of 
State, the Secretary of Defense, the Attorney

[[Page 65318]]

General, the Secretary of Homeland Security, the United States Trade 
Representative, the Director of National Intelligence, the 
Administrator of General Services, the Chairman of the Federal 
Communications Commission, and, as appropriate, the heads of other 
executive departments and agencies (agencies).
     As noted above, the Secretary would initially engage in a 
case-by-case analysis of specific transactions, as facts become known 
to the Secretary to determine if they are prohibited by the Executive 
order. Are there instances where the Secretary should consider 
categorical exclusions? Are there classes of persons whose use of ICTS 
can never violate the Executive order? If so, please provide a detailed 
explanation of why the commenter believes a particular transaction can 
never meet the requirements of the Executive order.
     Are there transactions involving types or classes of ICTS 
where the acquisition or use in the United States or by U.S. parties 
would fall within the terms of the Executive order's prohibited 
transactions because the transaction could present an undue or 
unacceptable risk, but that risk could be reliably and adequately 
mitigated to prevent the undue or unacceptable risk? If the commenter 
believes the risks of a prohibited transaction can be mitigated, what 
form could such mitigation measures take?
     If mitigation measures are adopted for a transaction 
otherwise prohibited by the Executive order, how should the Secretary 
ensure that parties to such transaction consistently execute and comply 
with the agreed-upon mitigation measures that make an otherwise 
prohibited transaction permissible? How best could the Secretary be 
made aware of changes in factual circumstances, including technology 
developments, that could render mitigation measures obsolete, no longer 
effective, or newly applicable?
     Section 1(a) of the Executive order and the definition of 
``transaction'' that the proposed rule would implement refer to 
``acquisition, importation, transfer, installation, dealing in, or use 
of any information and communications technology or service.'' How are 
these terms, in particular ``dealing in'' and ``use of,'' best 
interpreted?
     As discussed above, the Secretary expects persons engaged 
in transactions will maintain records of those transactions in the 
ordinary course of business. Should the Department require additional 
recordkeeping requirements for information related to transactions? Any 
non-public oral communication to Department officials regarding the 
substance of the proposed rule would be considered an ex parte 
presentation, and a summary of the substance of the ex parte 
presentation will be placed on the public record and become part of 
this docket. No later than two (2) business days after an oral 
communication or meeting, the party which engaged in such communication 
or meeting must submit a memorandum to the Department summarizing the 
substance of the communication. The Department reserves the right to 
supplement the memorandum with additional information as necessary, or 
to request that the party making the filing do so, if a Department 
official believes that important information was omitted or 
characterized incorrectly. Any written presentation provided in support 
of the oral communication or meeting will also be placed on the public 
record and become part of this docket. Such ex parte communications 
must be submitted to this docket as provided in the ADDRESSES section 
above and clearly labeled as an ex parte presentation. Federal entities 
are not subject to these procedures.

IV. Classification

A. Executive Order 12866 (Regulatory Policies and Procedures)

    This rulemaking has been determined to be a significant action 
under Executive Order 12866.

B. Executive Order 13771 (Reducing Regulation and Controlling 
Regulatory Costs)

    This rulemaking is exempt from the requirements of Executive Order 
13771 because it involves a national security matter.

C. Regulatory Flexibility Act

    In compliance with section 603 of the Regulatory Flexibility Act 
(RFA), the Department has prepared the below initial regulatory 
flexibility analysis (IRFA) for this proposed rule. The IRFA describes 
the economic impacts the proposed action may have on small entities. 
The Department seeks comment on all aspects of the IRFA, including the 
categories and numbers of small entities that may be directly impacted 
by this proposed rule.
    (1) A statement of the need for, objectives, and the legal basis of 
the proposed rule. The description of the action, why it is being 
considered, and the legal basis for the proposed rule are contained in 
the preamble.
    (2) A description of, and where feasible, an estimate of the number 
of small entities to which the proposed rule will apply. The proposed 
rule defines ``information and communications technology or services'' 
as ``any hardware, software, or other product or service primarily 
intended to fulfill or enable the function of information or data 
processing, storage, retrieval, or communication by electronic means, 
including through transmission, storage, or display.'' A majority of 
entities today, large or small, utilize some manner of ICTS, therefore 
it is extremely difficult to obtain a determination of the kind and 
number of small entities impacted by the proposed rule. The Department 
acknowledges that actions taken pursuant to this proposed rule may 
affect small entities or groups that are not easily categorized at 
present. We therefore describe here, at the outset, three broad groups 
of small entities that utilize ICTS that could be directly affected 
herein. The Department understands that the groups set forth here do 
not encompass all of the small entities or groups that utilize ICTS and 
could potentially be impacted by the proposed rule. The Department 
invites comment on other small entities or groups that should be 
identified as potentially impacted by the proposed rule.
1. Telecommunications and Information Technology Equipment and Service 
Providers
i. Telecommunications Service Providers
    1. Incumbent Local Exchange Carriers (LECs)
    2. Interchange Carriers (IXCs)
    3. Competitive Access Providers
    4. Operator Service Providers (OSPs)
    5. Local Resellers
    6. Toll Resellers
    7. Wired Telecommunications Carriers
    8. Wireless Telecommunications Carrier (except Satellite)
    9. Common Carrier Paging
    10. Wireless Telephony
    11. Satellite Telecommunications
    12. All Other Telecommunications
ii. Internet and Digital Service Providers
    1. Internet Service Providers (Broadband)
    2. Internet Service Providers (Non-Broadband)
    3. Cloud Providers
    4. Data Center Service Providers
    5. Managed Security Service Providers
    6. Internet Application Operators/Developers
    7. Software Providers (platform as a service, software as a 
service, etc.)
iii. Vendors and Equipment Manufacturers
    1. Vendors of Infrastructure

[[Page 65319]]

Development or ``Network Buildout''
    2. Telephone Apparatus Manufacturing
    3. Radio and Television Broadcasting and Wireless Communications 
Equipment
    4. Information Technology Equipment Manufacturers
    5. Connected Device Manufacturers (e.g., connected video cameras, 
health monitoring devices)
    6. Other Communications Equipment Manufacturing

    (3) A description of the projected reporting, recordkeeping and 
other compliance requirements of the proposed rule, including an 
estimate of the classes of small entities that will be subject to the 
requirement and the type of professional skills necessary for 
preparation of the report or record. This proposed rule would not 
mandate any reporting, recordkeeping, or other compliance requirements 
unless an entity receives direct notice that an evaluation into a 
transaction to which such entity is a party is being conducted. If a 
small entity receives such notice, the entity will need to retain and 
provide requested information. The Department does not anticipate that 
any specific professional skills will be required to retain and provide 
such information. As discussed above, the Department anticipates a 
broad range of small entities or groups involved in ICTS that may be 
impacted by the proposed rule, thus making it difficult to determine 
the kind and number of small entities that may be impacted. However, as 
a part of the initial analysis to determine the kind and number of 
small entities that may be impacted by the proposed rule, the 
Department has identified the three broad groups of small entities 
listed above that utilize ICTS and may be subject under the proposed 
rule to an evaluation of a transaction to which such small entities may 
be a party.
    (4) An identification, to the extent practicable, of all relevant 
Federal rules that may duplicate, overlap or conflict with the proposed 
rule. This rule does not duplicate or conflict with any Federal rules.
    (5) A description of any significant alternatives to the proposed 
rule that accomplish the stated objectives of Executive Order 13873 and 
applicable statutes and that would minimize any significant economic 
impact of the proposed rule on small entities.
     No-action alternative: Not implementing a rule under the 
Executive order is not a viable alternative because of the national 
security concerns associated with transactions involving information 
and communications technology or services designed, developed, 
manufactured, or supplied by persons owned by, controlled by, or 
subject to the jurisdiction or direction of a foreign adversary.
     Alternative that would categorically exclude small 
entities or groups of small entities: This alternative would also not 
achieve the objectives of Executive Order 13873 of alleviating the 
national security concerns associated with certain transactions 
because, due to the nature of ICTS networks, transactions by small 
entities or groups of information and communications technology or 
services designed, developed, manufactured, or supplied by persons 
owned by, controlled by, or subject to the jurisdiction or direction of 
a foreign adversary may pose an undue risk to critical infrastructure 
or the digital economy in the United States or an unacceptable risk to 
national security or U.S. persons, and as such, should be evaluated in 
order to determine whether they should be mitigated, prohibited, or 
require an unwinding of the transaction.
     Preferred alternative: The proposed rule is the preferred 
alternative. It would achieve the objectives of Executive Order 13873 
by implementing a procedure that would allow the Secretary to apply a 
case-by-case, fact-specific process to identify, assess, and address 
any and all transactions that pose an undue risk to critical 
infrastructure or the digital economy in the United States or an 
unacceptable risk to national security or U.S. persons.

D. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA) 
provides that an agency generally cannot conduct or sponsor a 
collection of information, and no person is required to respond to nor 
be subject to a penalty for failure to comply with a collection of 
information, unless that collection has obtained Office of Management 
and Budget (OMB) approval and displays a currently valid OMB Control 
Number. This rulemaking does not contain a collection of information 
requirement subject to review and approval by OMB under the PRA; the 
rule would require only that parties engaging in any transaction 
subject to Executive Order 13873 shall maintain records related to such 
transaction in a manner consistent with the recordkeeping practices 
used in their ordinary course of business.

E. Unfunded Mandates Reform Act of 1995

    This proposed rule would not produce a Federal mandate (under the 
regulatory provisions of Title II of the Unfunded Mandates Reform Act 
of 1995) for State, local, and tribal governments or the private 
sector.

F. Executive Order 13132 (Federalism)

    This proposed rule does not contain policies having federalism 
implications requiring preparations of a Federalism Summary Impact 
Statement.

G. Executive Order 12630 (Governmental Actions and Interference With 
Constitutionally Protected Property Rights)

    This proposed rule does not contain policies that have takings 
implications.

H. Executive Order 13175 (Consultation and Coordination With Indian 
Tribes)

    The Department has analyzed this proposed rule under Executive 
Order 13175 and has determined that the action would not have a 
substantial direct effect on one or more Indian tribes, would not 
impose substantial direct compliance costs on Indian tribal 
governments, and would not preempt tribal law.

I. National Environmental Policy Act

    The Department has reviewed this rulemaking action for the purposes 
of the National Environmental Policy Act (42 U.S.C. 4321 et seq.). It 
has determined that this proposed rule would not have a significant 
impact on the quality of the human environment.

List of Subjects in 15 CFR Part 7

    Administrative practice and procedure, Business and industry, 
Communications, Computer technology, Critical infrastructure, Executive 
orders, Foreign persons, Investigations, National security, Penalties, 
Technology, Telecommunications.

    For the reasons set out in the preamble, 15 CFR part 7 is proposed 
to be added to read as follows:

PART 7--SECURING THE INFORMATION AND COMMUNICATIONS TECHNOLOGY AND 
SERVICES SUPPLY CHAIN

Subpart A--General
Sec.
7.1 Scope.
7.2 Definitions.
7.3 Purpose.
7.4 Effect on other law.
7.5 Amendment, modification, or revocation.
7.6 Public disclosure of records.

[[Page 65320]]

7.7 No advisory opinions or declaratory rulings.
7.8 No categorical inclusions or exclusions.
Subpart B--Implementation for Evaluations
7.100 Commencement of an evaluation of a transaction.
7.101 Criteria to assess the effect of a transaction.
7.102 Conduct of an evaluation.
7.103 Written determinations; adjustment of transactions; signature, 
date, and public availability.
7.104 Emergency action.
Subpart C--Enforcement
7.200 Penalties.

    Authority: 50 U.S.C. 1701 et seq.; 50 U.S.C. U.S.C. 1601 et 
seq.; E.O. 13873, 84 FR 22689.

Subpart A--General


Sec.  7.1  Scope.

    (a) Except as provided in paragraph (b) of this section, this part 
applies only to any acquisition, importation, transfer, installation, 
dealing in, or use of any information and communications technology or 
service (a ``transaction''), that meets each of the following 
conditions:
    (1) The transaction is conducted by any person subject to the 
jurisdiction of the United States or involves property subject to the 
jurisdiction of the United States;
    (2) The transaction involves any property in which any foreign 
country or a national thereof has an interest (including through an 
interest in a contract for the provision of the technology or service); 
and
    (3) The transaction was initiated, is pending, or will be completed 
after May 15, 2019, regardless of when any contract applicable to the 
transaction was entered into, dated, or signed or when any license, 
permit, or authorization applicable to such transaction was granted. 
Transactions involving certain ongoing activities, including but not 
limited to managed services, software updates, or repairs, constitute 
transactions that ``will be completed'' on or after May 15, 2019 even 
if a contract was entered into prior to May 15, 2019. Such transactions 
are subject to review by the Secretary and may require mitigation or an 
unwinding of the transaction if determined to be prohibited.
    (b) This part does not apply to any other acquisition, importation, 
transfer, installation, dealing in or use of information communications 
technology and services or any other goods or services.


Sec.  7.2  Definitions.

    Entity means a partnership, association, trust, joint venture, 
corporation, group, subgroup, or other organization.
    Executive order means Executive Order 13873 of May 15, 2019.
    Foreign adversary means any foreign government or foreign non-
government person determined by the Secretary to have engaged in a 
long-term pattern or serious instances of conduct significantly adverse 
to the national security of the United States or security and safety of 
United States persons for the purposes of Executive Order 13783.
    Information and communications technology or services means any 
hardware, software, or other product or service primarily intended to 
fulfill or enable the function of information or data processing, 
storage, retrieval, or communication by electronic means, including 
through transmission, storage, or display.
    Person means an individual or entity.
    Secretary means the Secretary of Commerce or the Secretary's 
designee.
    Transaction means any acquisition, importation, transfer, 
installation, dealing in, or use of any information and communications 
technology or service. Use of the term transaction in this part 
includes a class of transactions.
    United States person means any United States citizen, permanent 
resident alien, entity organized under the laws of the United States or 
any jurisdiction within the United States (including foreign branches), 
or any person in the United States.


Sec.  7.3   Purpose.

    The regulations in this part set forth the procedures by which the 
Secretary shall commence and conduct evaluations to determine the 
effect that any acquisition, importation, transfer, installation, 
dealing in, or use of an information and communications technology or 
service that has been designed, developed, manufactured, or supplied by 
persons owned by, controlled by, or subject to the jurisdiction or 
direction of foreign adversaries have on the national security, foreign 
policy, and economy of the United States. The evaluations will address 
transactions on a case-by-case, fact-specific basis. Based on the 
evaluation findings, the Secretary, in consultation with relevant 
agency heads specified in the Executive order and other relevant 
governmental bodies, as appropriate shall make a decision for action or 
inaction regarding adjustment of a transaction. Action regarding 
adjustment of a transaction may include a prohibition or approval of an 
otherwise prohibited transaction due to adoption of mitigation measures 
determined by the Secretary to sufficiently mitigate the risks 
associated with the transaction. The Secretary shall also engage in 
coordination and information sharing, as appropriate, with 
international partners on the application of the regulations in this 
part.


Sec.  7.4  Effect on other law.

    Nothing in this part shall be construed as altering or affecting 
any other authority, process, regulation, investigation, enforcement 
measure, or review provided by or established under any other provision 
of Federal law, including prohibitions under the National Defense 
Authorization Act of 2019, the Federal Acquisition Regulations, or the 
International Emergency Economic Powers Act (IEEPA) (50 U.S.C. 1701 et 
seq.), or any other authority of the President or the Congress under 
the Constitution of the United States.


Sec.  7.5  Amendment, modification, or revocation.

    Except as otherwise provided by law, the provisions of this part 
and any determinations, orders, or decisions issued thereunder may be 
amended, modified, or revoked, in whole or in part, at any time.


Sec.  7.6   Public disclosure of records.

    Public requests for agency records related to this part will be 
processed in accordance with the Department of Commerce's Freedom of 
Information Act regulations, 15 CFR part 4, or other applicable law and 
regulation.


Sec.  7.7  No advisory opinions or declaratory rulings.

    The Secretary will not issue an advisory opinion or a declaratory 
ruling with respect to any particular transaction.


Sec.  7.8   No categorical inclusions or exclusions.

    The Secretary has declined to identify classes of transactions that 
are subject to prohibition or are excluded from prohibition. 
Determination of transactions prohibited by the Executive order will be 
made on a case-by-case basis. Should the Secretary determine based on a 
particular case that a class of transactions should be prohibited or 
excluded, the Secretary will publish such determination and further 
guidance or request for comment (if needed) in the Federal Register.

[[Page 65321]]

Subpart B--Implementation for Evaluations


Sec.  7.100  Commencement of an evaluation of a transaction.

    The Secretary may commence an evaluation of a transaction in one of 
three ways:
    (a) At the Secretary's discretion;
    (b) Upon request of the Secretary of the Treasury, the Secretary of 
State, the Secretary of Defense, the Attorney General, the Secretary of 
Homeland Security, the United States Trade Representative, the Director 
of National Intelligence, the Administrator of General Services, or the 
Chairman of the Federal Communications Commission, or, as appropriate, 
the head of any other Government department, agency, governmental body, 
or the Federal Acquisition Security Council (FASC). A request from 
other Government departments, agencies, governmental body, or FASC for 
an evaluation shall be in writing provided from the head of the 
requesting agency, or their designee, to the Secretary; or
    (c) Based on information submitted to the Secretary by private 
parties that the Secretary determines to be credible. Information from 
private parties may be submitted to the Secretary via a web portal to 
be made available on https://www.commerce.gov/issues/ict-supply-chain.


Sec.  7.101   Criteria to assess the effect of a transaction.

    (a) To determine the effect of a transaction subject to evaluation, 
the Secretary, in consultation with the Secretary of the Treasury, the 
Secretary of State, the Secretary of Defense, the Attorney General, the 
Secretary of Homeland Security, the United States Trade Representative, 
the Director of National Intelligence, the Administrator of General 
Services, the Chairman of the Federal Communications Commission, and, 
as appropriate, the heads of other executive departments and agencies, 
shall consider whether:
    (1) The transaction is subject to the jurisdiction of the United 
States;
    (2) The transaction involves any property in which any foreign 
country or a national thereof has an interest (including through an 
interest in a contract for the provision of the technology or service);
    (3) The transaction was initiated, is pending, or will be completed 
after May 15, 2019, regardless of when any contract applicable to the 
transaction was entered into, dated, or signed or when any license, 
permit, or authorization applicable to such transaction was granted;
    (4) The transaction involves information and communications 
technology or services designed, developed, manufactured, or supplied, 
by persons owned by, controlled by, or subject to the jurisdiction or 
direction of a foreign adversary; and
    (5) The transaction:
    (i) Poses an undue risk of sabotage to or subversion of the design, 
integrity, manufacturing, production, distribution, installation, 
operation, or maintenance of information and communications technology 
or services in the United States;
    (ii) Poses an undue risk of catastrophic effects on the security or 
resiliency of United States critical infrastructure or the digital 
economy of the United States; or
    (iii) Otherwise poses an unacceptable risk to the national security 
of the United States or the security and safety of United States 
persons.
    (b) In determining whether a transaction involves an information 
and communications technology or service designed, developed, 
manufactured, or supplied, by persons ``owned by, controlled by, or 
subject to the jurisdiction or direction of a foreign adversary,'' the 
Department will consider a number of factors, including, but not 
limited to the laws and practices of the foreign adversary; equity 
interest, access rights, seats on a board of directors or other 
governing body, contractual arrangements, voting rights, and control 
over design plans, operations, hiring decisions, or business plan 
development.


Sec.  7.102   Conduct of an evaluation.

    In conducting an evaluation of whether a transaction meets the 
criteria described in Sec.  7.101, the Secretary:
    (a) Shall, as appropriate, seek information and advice from, and 
consult with, appropriate officers of the United States or their 
designees. Information received from agencies of the U.S. Government, 
state, local, tribal, or territorial governments, or business 
confidential or other trade secret information will not be made 
available for public inspection except as otherwise required by law;
    (b) May use all appropriate tools available to collect information, 
including but not limited to the following:
    (1) Relevant publicly available, business confidential or 
proprietary information, and classified information as part of an 
evaluation;
    (2) Information from foreign governments as a part of an 
evaluation; and
    (3) Information from parties to a transaction as part of an 
evaluation, including records related to such transaction that any 
party keeps or uses, or would be expected to keep or use, in their 
ordinary course of business for such a transaction. Parties notified 
that one of their transactions is being evaluated must immediately take 
steps to retain any and all records relating to such transaction, 
regardless of whether those records would normally be retained prior to 
receiving such notice; and
    (c) May consolidate any referral, or materials that are filed while 
an evaluation is in progress, concerning transactions of the same or 
related class and raising similar issues.


Sec.  7.103   Written determinations; adjustment of transactions; 
signature, date, and public availability.

    (a) Upon a preliminary determination by the Secretary that a 
transaction meets the criteria set forth in Sec.  7.101, the Secretary 
shall, when consistent with national security, provide written notice 
to the parties of the transaction advising that:
    (1) The Secretary has reached a preliminary determination;
    (2) An explanation of the basis for such preliminary determination 
to the extent such explanation can be provided consistent with national 
security; and
    (3) Within 30 days after receipt of the notice, the specific party 
may submit an opposition and information in support of such opposition 
to the preliminary determination or information on proposed measures 
for mitigation.
    (b) The Secretary shall take into consideration any comments 
received pursuant to the process set forth in paragraph (a) of this 
section in making a final determination. Within 30 days of receipt of 
any information received pursuant to paragraph (a)(3) of this section, 
the Secretary will issue a final determination.
    (c) In making a final determination, the Secretary may:
    (1) Determine the transaction is prohibited;
    (2) Determine the transaction is not prohibited; or
    (3) At the Secretary's discretion and in consultation with the 
heads of other agencies as appropriate, require measures and specific 
timeframes to mitigate risks identified during an evaluation as a 
precondition of approving a transaction that may otherwise be 
prohibited.
    (d) A final determination shall be in writing and shall describe 
whether the transaction is prohibited; the transaction is not 
prohibited; or an otherwise

[[Page 65322]]

prohibited transaction is permitted pursuant to the adoption of 
mitigation measures. Any determination to permit an otherwise 
prohibited transaction based on mitigation measures shall also provide 
a description of the mitigation measures adopted. A final determination 
shall be sent to the parties of the transaction by registered U.S. 
mail.
    (e) Any determination to either prohibit a transaction or permit an 
otherwise prohibited transaction based on mitigation measures shall 
also provide a clear statement of the penalties set forth in Sec.  
7.200 that parties will face if they fail to comply fully with either 
the prohibition or those mitigation measures.
    (f) The Secretary may commence an evaluation and make a new 
determination of any transaction, subject to this part, if 
circumstances, technology, or available information has materially 
changed.
    (g) All determinations by the Secretary shall be signed and dated.
    (h) Such final determination with respect to a transaction shall 
constitute final agency action.
    (i) A summary of the Secretary's final determination will be made 
public through posting on https://www.commerce.gov/issues/ict-supply-chain and publication in the Federal Register.
    (j) Deadlines set forth in this section may be extended at the 
Secretary discretion.


Sec.  7.104   Emergency action.

    It is the intent of the Secretary to follow the procedures set 
forth in this part unless, when public harm is likely to occur if the 
procedures are followed or national security interests require it, then 
the Secretary may vary or dispense with any or all of the procedures 
set forth in this part. In such an instance, in a manner consistent 
with national security interests, the Secretary shall provide as part 
of the final written determination the basis for the decision to engage 
in emergency action under this section.

Subpart C--Enforcement


Sec.  7.200  Penalties.

    (a) Subject to IEEPA, 50 U.S.C. 1705, any person who, after 
[effective date of final rule], violates, attempts to violate, 
conspires to violate, or causes a violation of any determination, 
regulation, prohibition, or other action issued under this part, or 
makes any false or misleading representation, statement, or 
certification, or falsifies or conceals any material fact, either 
directly to the Department of Commerce, the Bureau of Industry and 
Security, United States Customs and Border Protection, or an official 
of any other United States agency, or indirectly through any other 
person in the course of any action under this part may be liable to the 
United States for a civil penalty up to $302,584, as adjusted annually 
for inflation under 15 CFR 6.5, or an amount that is twice the amount 
of the transaction that is the basis of the violation with respect to 
which the penalty is imposed. The amount of the penalty assessed for a 
violation shall be based on the nature of the violation.
    (b) Any person who, after [effective date of final rule], violates 
a material provision of a mitigation measure or a material condition 
imposed by the United States under Sec.  7.103 or Sec.  7.104 may be 
liable to the United States for a civil penalty under 50 U.S.C. 1705, 
not to exceed $302,584, as adjusted annually for inflation under 15 CFR 
6.5, per violation or the value of the transaction. Any penalty 
assessed under this paragraph (b) shall be based on the nature of the 
violation and shall be separate and apart from any damages sought 
pursuant to a mitigation measure or any action taken under Sec.  7.103.
    (c) A determination to impose penalties under paragraph (a) or (b) 
of this section will be made by the Secretary. Notice of the penalty, 
including a written explanation of the penalized conduct and the amount 
of the penalty, shall be sent to the penalized party by registered U.S. 
mail.
    (d) Upon receiving notice of the imposition of a penalty under 
paragraph (a) or (b) of this section, the penalized party may, within 
15 days of receipt of the notice of the penalty, submit a petition for 
reconsideration to the Secretary, including a defense, justification, 
or explanation for the penalized conduct. The Secretary will review the 
petition and issue a final decision within 30 days of receipt of the 
petition.
    (e) The penalties authorized in paragraphs (a) and (b) of this 
section may be recovered in a civil action brought by the United States 
in Federal district court.
    (f) The penalties available under this section are without 
prejudice to other penalties, civil or criminal, available under law.
    (g) Section 1001 of title 18, United States Code, shall apply to 
all information provided to the Secretary under this part by any party 
to a transaction.

    Dated: November 19, 2019.
Wilbur L. Ross,
Secretary of Commerce.
[FR Doc. 2019-25554 Filed 11-26-19; 8:45 am]
 BILLING CODE 3510-20-P