Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications, 67379-67383 [2021-25329]

Federal Register / Vol. 86, No. 225 / Friday, November 26, 2021 / Proposed Rules

DEPARTMENT OF COMMERCE

15 CFR Part 7

[Docket No. 211115-0230]

RIN 0605-AA62

Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications

AGENCY: U.S. Department of Commerce.

ACTION: Notice of Proposed Rulemaking.

SUMMARY: To implement provisions of Executive Order 14034, “Protecting Americans’ Sensitive Data from Foreign Adversaries” (E.O. 14034), the Department of Commerce is proposing to amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (Supply Chain Rule), which was published on January 19, 2021, 86 FR 4909. Specifically, this proposed rule would amend the Supply Chain Rule to provide for additional criteria that the Secretary of Commerce (the Secretary) may consider specifically when determining whether ICTS Transactions (as defined in the Supply Chain Rule) that involve connected software applications present an undue or unacceptable risk. The rule also makes conforming changes by revising the definition of ICTS to expressly include “connected software applications” and adding a definition of “connected software application” that is consistent with that used in E.O. 14034. The Department is interested in the public’s views on the additional criteria for connected software applications, including whether they should be applied to all ICTS Transaction reviews, whether there are other criteria that should be applied, and how the Secretary should apply the criteria to ICTS Transactions involving connected software applications.

DATES: Comments to this proposed rule must be received on or before December 27, 2021.

ADDRESSES: All comments must be submitted by one of the following methods:

• By the Federal eRulemaking Portal: https://www.regulations.gov at docket number DOC-2021-0005.

• By email directly to: ICTsupplychain@doc.gov. Include “RIN 0605-AA62” in the subject line.

• Instructions: Comments sent by any other method, to any other address or individual, or received after the end of the comment period, may not be considered. For those seeking to submit confidential business information (CBI), please clearly mark such submissions as CBI and submit by email, as instructed above. Each CBI submission must also contain a summary of the CBI, clearly marked as public, in sufficient detail to permit a reasonable understanding of the substance of the information for public consumption. Such summary information will be posted on regulations.gov.

FOR FURTHER INFORMATION CONTACT: Joseph Bartels, U.S. Department of Commerce, telephone: (202) 482-0224. For media inquiries: Brittany Caplin, Deputy Director of Public Affairs and Press Secretary, U.S. Department of Commerce, telephone: (202) 482-4883, email: PublicAffairs@doc.gov.

SUPPLEMENTARY INFORMATION:

Background

On January 19, 2021, the Department published an interim final rule in the Federal Register on “Securing the Information and Communications Technology and Services Supply Chain.” 86 FR 4909. The Supply Chain Rule implemented Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain” (84 FR 22689), including by setting out procedures by which the Secretary of Commerce, in consultation with the appropriate heads of other administrative agencies, would review ICTS Transactions for whether they present an undue or unacceptable risk due to a foreign adversary’s involvement.

The Supply Chain Rule defines “ICTS” as “any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.” The Supply Chain Rule further provides that an “ICTS Transaction” is “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download. An ICTS Transaction includes any other transaction, the structure of which is designed or intended to evade or circumvent the application of E.O. 13873. The term ICTS Transaction includes a class of ICTS Transactions.”

On June 9, 2021, the President issued E.O. 14034 to “elaborate upon measures to address the national emergency with respect to the information and communications technology and services supply chain that was declared in Executive Order 13873 of May 15, 2019, ‘Securing the Information and Communications Technology and Services Supply Chain.’ ” E.O. 14034 sets out the finding “that the increased use in the United States of certain connected software applications designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary, which the Secretary of Commerce acting pursuant to E.O. 13873 has defined to include the People’s Republic of China, among others, continues to threaten the national security, foreign policy, and economy of the United States.”

This rule would implement E.O. 14034 by specifically adding the term “connected software applications” and the accompanying criteria, which do not appear in E.O. 13873, to the Supply Chain Rule to ensure the rule clearly and consistently identifies the ICTS that is threatened. E.O. 14034 orders the Secretary to “evaluate on a continuing basis transactions involving connected software applications that may pose an undue risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; pose an undue risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States; or otherwise pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.” E.O. 14034 further sets out certain factors, consistent with the criteria established in E.O. 13873 and in addition to those set forth in the Supply Chain Rule, that should be considered in evaluating the risks of a transaction involving connected software applications. Specifically, E.O. 14034 lists the following as potential indicators of risk related to connected software applications: “ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities; use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data; ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary; ownership, control, or management of connected software applications by persons involved in malicious cyber activities; a lack of thorough and reliable third-party auditing of connected software applications; the scope and sensitivity of the data collected; the number and sensitivity of the users of the connected software application; and the extent to which identified risks have been or can be addressed by independently verifiable measures.”

This proposed rule incorporates these potential indicators of risk as criteria to be considered by the Secretary when assessing whether an ICTS Transaction involving connected software applications poses an undue or unacceptable risk. The Department seeks public comments on these criteria, including how the Secretary should apply these to ICTS Transactions involving connected software applications, and whether there are additional criteria that should be considered by the Secretary with respect to connected software applications. The Department is also interested in the public’s views as to whether these criteria should be applied to all ICTS Transaction reviews or just those that involve connected software applications. In addition, the Department seeks comment on any other considerations the Secretary should take into account when determining whether an ICTS Transaction involving connected software applications should, consistent with the authority and procedures of E.O. 13873 and the Supply Chain Rule, be allowed, mitigated, or prohibited.

Additionally, consistent with E.O. 14034’s recognition of the ongoing threat, identified in E.O. 13873, by foreign adversaries to steal or otherwise obtain data through connected software applications, the Department notes that the term “information and communications technology and services” encompasses “connected software applications” and is proposing to revise the definition of ICTS accordingly to expressly so specify. This rule would also make a conforming revision to the term “ICTS Transaction,” and would define “connected software applications” as “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.”

Section 7.1 Scope

The Department proposes to add the phrase “connected software applications” to section 7.1 of Title 15 of the Code of Federal Regulations (CFR).

Section 7.2 Definitions

As noted above, consistent with E.O. 14034’s recognition of the ongoing threat by foreign adversaries to steal, otherwise obtain, or disrupt data through connected software applications, this rule would expressly specify that the term “information and communications technology and services or ICTS” encompasses “connected software applications.” The proposed definition of “connected software applications” is taken from E.O. 14034: “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.” The Department welcomes comment on whether this definition is sufficient to identify fully this category of ICTS, or whether further clarification or elaboration is needed. For instance, are there technical aspects to the definition that are used in industry or engineering that should be incorporated into the definition? Should the Department include other devices, such as those that communicate through short message service (SMS) messages, or low-power radio protocols? Should the definition be extended from “end-point” devices to “end-to-end” technology, and is “end-to-end” a term of art that we should employ? Are there other means of communication or transmission that are not encompassed by this definition but should be included?

Section 7.3 Scope of Covered Transactions

Further, the Department proposes to add new § 7.3(a)(4)(v)(E) regarding the types of software “designed primarily for connecting with and communicating via the internet that is used by greater than one million U.S. persons” involved in ICTS Transactions that are subject to the Secretary’s review.

Section 7.103 Initial Review of ICTS Transactions

To incorporate the new criteria for determining whether a transaction involving connected software applications poses an undue or unacceptable risk, as defined in the Supply Chain Rule, this rule would amend § 7.103 to add the criteria from E.O. 14034 in a new paragraph. Notably, these criteria complement, and are in addition to, the criteria already in 7.103(c) for determining whether an ICTS Transaction poses an undue or unacceptable risk. In making this determination for connected software applications, the Secretary would evaluate both the criteria in 7.103(c) and in the new paragraph. Specifically, the Department would redesignate current paragraph 7.103(d) as 7.103(e) and add new paragraph 7.103(d) to include the following criteria:

• Ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;

• use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;

• ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;

• ownership, control, or management of connected software applications by persons involved in malicious cyber activities;

• a lack of thorough and reliable third-party auditing of connected software applications;

• the scope and sensitivity of the data collected;

• the number and sensitivity of the users of the connected software application; and

• the extent to which identified risks have been or can be addressed by independently verifiable measures.

As noted above, while the proposed regulatory text below adds these criteria in a new sub-paragraph applicable only to ICTS Transactions involving connected software applications, the Department is also inviting comments on whether these criteria are sufficient or whether others should be added. For example, should the Department add a criterion such as whether the software has any embedded out-going network calls or web server references, regardless of the ownership, control, or management of the software? The Department also seeks comments on whether the criteria should be more generally applicable to ICTS Transactions.

With regard to the phrase “ownership, control or management,” should it be understood to include both continuous control/management and sporadic control/management (e.g., when a third party must be temporarily granted access to apply updates/upgrades/patches/etc.), or should this phrase be further clarified? Additionally, the Department seeks comment on whether and how the Department should specifically define the terms “reliable third-party” and “independently verifiable measures,” and, if so, whether there are generally accepted definitions or terms of art that the Department should consider adopting. The Department is also interested in whether the reference to “third-party auditing of connected software applications” is sufficiently clear or whether it needs further definition. For example, would it be understood to apply to audits by a third party of only the connected software applications, or to audits of the organizations implementing the software applications as well? Also, should the requirement to audit applications be revised to make clear that auditing is a continuous process through the development and deployment life cycle of the application? And would the requirement to audit applications be understood to refer only to source-code examination and verification, or would it also include monitoring of logs or other data that the application collects?

Classification

A. Executive Order 12866 (Regulatory Policies and Procedures)

Pursuant to the procedures established to implement Executive Order 12866, the Office of Management and Budget has determined that this rule is significant but not economically significant.

C. Regulatory Flexibility Analysis

The Chief Counsel for Regulation of the Department of Commerce certifies to the Chief Counsel for Advocacy of the Small Business Administration that this proposed rule would not have a significant economic impact on a substantial number of small entities. The factual basis for this determination is as follows.

This proposed rule would update the regulations at 15 CFR part 7 that implement E.O. 13873 to revise the term ICTS to specifically include “connected software applications,” as well as to affirm that a transaction involving connected software applications is an ICTS Transaction. It would add criteria the Secretary and the appropriate agency heads may use in making determinations about the risks potentially posed by ICTS Transactions involving connected software applications. The rule would also make conforming changes. Accordingly, this proposed rule does not increase the scope of applicability of the existing regulations, the economic effects of which were evaluated in the regulatory impact analysis (RIA) associated with the Supply Chain Rule, at 86 FR 4909. (The RIA can be found online at reginfo.gov, and at regulations.gov, with a search for RIN 0605-AA51.) This proposed rule, once implemented, will not add any costs or burdens to any entity, small or large, because it does not expand the application scope of the Supply Chain Rule. Because this proposed rule neither increases the number of entities to which the Supply Chain Rule applies, nor increases the cost and burdens on those entities, it would not have a significant economic impact on a substantial number of small businesses.

D. Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA) provides that an agency generally cannot conduct or sponsor a collection of information, and no person is required to respond to nor be subject to a penalty for failure to comply with a collection of information, unless that collection has obtained Office of Management and Budget (OMB) approval and displays a currently valid OMB Control Number. This proposed rule does not contain a collection of information requirement subject to review and approval by OMB under the PRA.

E. Unfunded Mandates Reform Act of 1995

This proposed rule would not create a Federal mandate (under the regulatory provisions of Title II of the Unfunded Mandates Reform Act of 1995) for State, local, and tribal governments or the private sector.

F. Executive Order 13132 (Federalism)

This proposed rule does not contain policies having federalism implications requiring preparation of a Federalism Summary Impact Statement.

G. Executive Order 12630 (Governmental Actions and Interference With Constitutionally Protected Property Rights)

This rule does not contain policies that have unconstitutional takings implications.

H. Executive Order 13175 (Consultation and Coordination With Indian Tribes)

The Department has analyzed this proposed rule under Executive Order 13175 and has determined that the action would not have a substantial direct effect on one or more Indian tribes, would not impose substantial direct compliance costs on Indian tribal governments, and would not preempt tribal law.

I. National Environmental Policy Act

The Department has reviewed this rulemaking action for the purposes of the National Environmental Policy Act (42 U.S.C. 4321 et seq.). It has determined that this proposed rule would not have a significant impact on the quality of the human environment.

List of Subjects in 15 CFR Part 7

Administrative practice and procedure, Business and industry, Communications, Computer technology, Critical infrastructure, Executive orders, Foreign persons, Investigations, National security, Penalties, Technology, Telecommunications.

Dated: November 16, 2021.

Trisha Anderson,
Deputy Assistant Secretary for Intelligence and Security, U.S. Department of Commerce.

PART 7—SECURING THE INFORMATION AND COMMUNICATIONS TECHNOLOGY AND SERVICES SUPPLY CHAIN

■ 1. The authority citation for part 7 continues to read as follows:

Authority: 50 U.S.C. 1701 et seq.; 50 U.S.C. 1601 et seq.; E.O. 13873, 84 FR 22689.

■ 2. Revise § 7.1 to read as follows:

Subpart A—General

§ 7.1 Purpose.

(a) These regulations set forth the procedures by which the Secretary may:

(1) Determine whether any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service (ICTS Transaction), including connected software applications, that has been designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries poses certain undue or unacceptable risks as identified in the Executive Order;

(2) Issue a determination to prohibit an ICTS Transaction;

(3) Direct the timing and manner of the cessation of the ICTS Transaction; and

(4) Consider factors that may mitigate the risks posed by the ICTS Transaction.

(b) The Secretary will evaluate ICTS Transactions under this rule, which include classes of transactions, on a case-by-case basis. The Secretary, in consultation with appropriate agency heads specified in Executive Order 13873 and other relevant governmental bodies, as appropriate, shall make an initial determination as to whether to prohibit a given ICTS Transaction or propose mitigation measures, by which the ICTS Transaction may be permitted. Parties may submit information in response to the initial determination, including a response to the initial determination and any supporting materials and/or proposed measures to remediate or mitigate the risks identified in the initial determination as posed by the ICTS Transaction at issue. Upon consideration of the parties’ submissions, the Secretary will issue a final determination prohibiting the transaction, not prohibiting the transaction, or permitting the transaction subject to the adoption of measures determined by the Secretary to sufficiently mitigate the risks associated with the ICTS Transaction. The Secretary shall also engage in coordination and information sharing, as appropriate, with international partners on the application of these regulations.

■ 3. Amend § 7.2 by adding, in alphabetical order, the definition for “Connected software application” and revising the definition of “Information and communications technology or services or ICTS” to read as follows:

§ 7.2 Definitions.

* * * * *

Connected software application means software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.

* * * * *

Information and communications technology or services or ICTS means any hardware, software, including connected software applications, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.

* * * * *

■ 4. Amend § 7.3 by adding paragraph (a)(4)(v)(E) to read as follows:

§ 7.3 Scope of Covered ICTS Transactions.

(a) * * *

(4) * * *

(v) * * *

(E) Connected software applications; or

* * * * *

■ 5. In § 7.103, redesignate paragraph (d) as paragraph (e) and add new paragraph (d) to read as follows:

§ 7.103 Initial review of ICTS Transactions.

* * * * *

(d) For ICTS Transactions involving connected software applications that are accepted for review, the Secretary’s assessment of whether the ICTS Transaction poses an undue or unacceptable risk may be determined by evaluating the criteria in paragraph (c) of this section as well as the following additional criteria:

(1) Ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;

(2) Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;

(3) Ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;

(4) Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;

(5) A lack of thorough and reliable third-party auditing of connected software applications;

(6) The scope and sensitivity of the data collected;

(7) The number and sensitivity of the users of the connected software application; and

(8) The extent to which identified risks have been or can be addressed by independently verifiable measures.

* * * * *

[FR Doc. 2021-25329 Filed 11-24-21; 8:45 am]
BILLING CODE 3510-DT-P


[Federal Register Volume 86, Number 225 (Friday, November 26, 2021)]
[Proposed Rules]
[Pages 67379-67383]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-25329]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

15 CFR Part 7

[Docket No. 211115-0230]
RIN 0605-AA62


Securing the Information and Communications Technology and 
Services Supply Chain; Connected Software Applications

AGENCY: U.S. Department of Commerce.

ACTION: Notice of Proposed Rulemaking.

-----------------------------------------------------------------------

SUMMARY: To implement provisions of Executive Order 14034, ``Protecting 
Americans' Sensitive Data from Foreign Adversaries'' (E.O. 14034), the 
Department of Commerce is proposing to amend its Interim Final Rule on 
Securing the Information and Communications Technology and Services 
Supply Chain (Supply Chain Rule), which was published on January 19, 
2021, 86 FR 4909. Specifically, this proposed rule would amend the 
Supply Chain Rule to provide for additional criteria that the Secretary 
of Commerce (the Secretary) may consider specifically when determining 
whether ICTS Transactions (as defined in the Supply Chain Rule) that 
involve connected software applications present an undue or 
unacceptable risk. The rule also makes conforming changes by revising 
the definition of ICTS to expressly include ``connected software 
applications'' and adding a definition of ``connected software 
application'' that is consistent with that used in E.O. 14034. The 
Department is interested in the public's views on the additional 
criteria for connected software applications, including whether they 
should be applied to all ICTS Transaction reviews, whether there are 
other criteria that should be applied, and how the Secretary should 
apply the criteria to ICTS Transactions involving connected software 
applications.

DATES: Comments to this proposed rule must be received on or before 
December 27, 2021.

ADDRESSES: All comments must be submitted by one of the following 
methods:
     By the Federal eRulemaking Portal: https://www.regulations.gov at docket number DOC-2021-0005.
     By email directly to: [email protected]. Include 
``RIN 0605-AA62'' in the subject line.
     Instructions: Comments sent by any other method, to any 
other address or individual, or received after the end of the comment 
period, may not be considered. For those seeking to submit confidential 
business information (CBI), please clearly mark such submissions as CBI 
and submit by email, as instructed above. Each CBI submission must also 
contain a summary of the CBI, clearly marked as public, in sufficient 
detail to permit a reasonable understanding of the substance of the 
information for public consumption. Such summary information will be 
posted on regulations.gov.

FOR FURTHER INFORMATION CONTACT: Joseph Bartels, U.S. Department of 
Commerce, telephone: (202) 482-0224. For media inquiries: Brittany 
Caplin, Deputy Director of Public Affairs and Press Secretary, U.S. 
Department of Commerce, telephone: (202) 482-4883, email: 
[email protected].

SUPPLEMENTARY INFORMATION:

[[Page 67380]]

Background

    On January 19, 2021, the Department published an interim final rule 
in the Federal Register on ``Securing the Information and 
Communications Technology and Services Supply Chain.'' 86 FR 4909. The 
Supply Chain Rule implemented Executive Order 13873, ``Securing the 
Information and Communications Technology and Services Supply Chain'' 
(84 FR 22689), including by setting out procedures by which the 
Secretary of Commerce, in consultation with the appropriate heads of 
other administrative agencies, would review ICTS Transactions for 
whether they present an undue or unacceptable risk due to a foreign 
adversary's involvement. The Supply Chain Rule defines ``ICTS'' as 
``any hardware, software, or other product or service, including cloud-
computing services, primarily intended to fulfill or enable the 
function of information or data processing, storage, retrieval, or 
communication by electronic means (including electromagnetic, magnetic, 
and photonic), including through transmission, storage, or display.'' 
The Supply Chain Rule further provides that an ``ICTS Transaction'' is, 
``any acquisition, importation, transfer, installation, dealing in, or 
use of any information and communications technology or service, 
including ongoing activities, such as managed services, data 
transmission, software updates, repairs, or the platforming or data 
hosting of applications for consumer download. An ICTS Transaction 
includes any other transaction, the structure of which is designed or 
intended to evade or circumvent the application of E.O. 13873. The term 
ICTS Transaction includes a class of ICTS Transactions.''
    On June 9, 2021, the President issued E.O. 14034 to ``elaborate 
upon measures to address the national emergency with respect to the 
information and communications technology and services supply chain 
that was declared in Executive Order 13873 of May 15, 2019, `Securing 
the Information and Communications Technology and Services Supply 
Chain.' '' E.O. 14034 sets out the finding ``that the increased use in 
the United States of certain connected software applications designed, 
developed, manufactured, or supplied by persons owned or controlled by, 
or subject to the jurisdiction or direction of, a foreign adversary, 
which the Secretary of Commerce acting pursuant to E.O. 13873 has 
defined to include the People's Republic of China, among others, 
continues to threaten the national security, foreign policy, and 
economy of the United States.'' This rule would implement E.O. 14034 by 
specifically adding the term ``connected software applications'' and 
the accompanying criteria, which do not appear in E.O. 13873, to the 
Supply Chain Rule to ensure the rule clearly and consistently 
identifies the ICTS that is threatened.
    E.O. 14034 orders the Secretary to ``evaluate on a continuing basis 
transactions involving connected software applications that may pose an 
undue risk of sabotage or subversion of the design, integrity, 
manufacturing, production, distribution, installation, operation, or 
maintenance of information and communications technology or services in 
the United States; pose an undue risk of catastrophic effects on the 
security or resiliency of the critical infrastructure or digital 
economy of the United States; or otherwise pose an unacceptable risk to 
the national security of the United States or the security and safety 
of United States persons.''
    E.O. 14034 further sets out certain factors, consistent with the 
criteria established in E.O. 13873 and in addition to those set forth 
in the Supply Chain Rule, that should be considered in evaluating the 
risks of a transaction involving connected software applications. 
Specifically, E.O. 14034 lists the following as potential indicators of 
risk related to connected software applications: ``ownership, control, 
or management by persons that support a foreign adversary's military, 
intelligence, or proliferation activities; use of the connected 
software application to conduct surveillance that enables espionage, 
including through a foreign adversary's access to sensitive or 
confidential government or business information, or sensitive personal 
data; ownership, control, or management of connected software 
applications by persons subject to coercion or cooption by a foreign 
adversary; ownership, control, or management of connected software 
applications by persons involved in malicious cyber activities; a lack 
of thorough and reliable third-party auditing of connected software 
applications; the scope and sensitivity of the data collected; the 
number and sensitivity of the users of the connected software 
application; and the extent to which identified risks have been or can 
be addressed by independently verifiable measures.''
    This proposed rule incorporates these potential indicators of risk 
as criteria to be considered by the Secretary when assessing whether an 
ICTS Transaction involving connected software applications poses an 
undue or unacceptable risk. The Department seeks public comments on 
these criteria, including how the Secretary should apply these to ICTS 
Transactions involving connected software applications, and whether 
there are additional criteria that should be considered by the 
Secretary with respect to connected software applications. The 
Department is also interested in the public's views as to whether these 
criteria should be applied to all ICTS Transaction reviews or just 
those that involve connected software applications. In addition, the 
Department seeks comment on any other considerations the Secretary 
should take into account when determining whether an ICTS Transaction 
involving connected software applications should, consistent with the 
authority and procedures of E.O. 13873 and the Supply Chain Rule, be 
allowed, mitigated, or prohibited.
    Additionally, consistent with E.O. 14034's recognition of the 
ongoing threat, identified in E.O. 13873, by foreign adversaries to 
steal or otherwise obtain data through connected software applications, 
the Department notes that the term ``information and communications 
technology and services'' encompasses ``connected software 
applications'' and is proposing to revise the definition of ICTS 
accordingly to expressly so specify. This rule would also make a 
conforming revision to the term ``ICTS Transaction,'' and would define 
``connected software applications'' as ``software, a software program, 
or a group of software programs, that is designed to be used on an end-
point computing device and includes as an integral functionality, the 
ability to collect, process, or transmit data via the internet.''

Section 7.1 Scope

    The Department proposes to add the phrase ``connected software 
applications'' to section 7.1 of Title 15 of the Code of Federal 
Regulations (CFR).

Section 7.2 Definitions

    As noted above, consistent with E.O. 14034's recognition of the 
ongoing threat by foreign adversaries to steal, otherwise obtain, or 
disrupt data through connected software applications, this rule would 
expressly specify that the term ``information and communications 
technology and services or ICTS'' encompasses ``connected software 
applications.'' The proposed definition of ``connected software 
applications'' is taken from E.O. 14034: ``software, a software

[[Page 67381]]

program, or a group of software programs, that is designed to be used 
on an end-point computing device and includes as an integral 
functionality, the ability to collect, process, or transmit data via 
the internet.''
    The Department welcomes comment on whether this definition is 
sufficient to identify fully this category of ICTS, or whether further 
clarification or elaboration is needed. For instance, are there 
technical aspects to the definition that are used in industry or 
engineering that should be incorporated into the definition? Should the 
Department include other devices, such as those that communicate 
through short message service (SMS) messages, or low-power radio 
protocols? Should the definition be extended from ``end-point'' devices 
to ``end-to-end'' technology, and is ``end-to-end'' a term of art that 
we should employ? Are there other means of communication or 
transmission that are not encompassed by this definition but should be 
included?

Section 7.3 Scope of Covered Transactions

    Further, the Department proposes to add new Sec.  7.3(a)(4)(v)(E) 
regarding the types of software ``designed primarily for connecting 
with and communicating via the internet that is used by greater than 
one million U.S. persons'' involved in ICTS Transactions that are 
subject to the Secretary's review.

Section 7.103 Initial Review of ICTS Transactions

    To incorporate the new criteria for determining whether a 
transaction involving connected software applications poses an undue or 
unacceptable risk, as defined in the Supply Chain Rule, this rule would 
amend Sec.  7.103 to add the criteria from E.O. 14034 in a new 
paragraph. Notably, these criteria complement, and are in addition to, 
the criteria already in 7.103(c) for determining whether an ICTS 
Transaction poses an undue or unacceptable risk. In making this 
determination for connected software applications, the Secretary would 
evaluate both the criteria in 7.103(c) and in the new paragraph. 
Specifically, the Department would redesignate current paragraph 
7.103(d) as 7.103(e) and add new paragraph 7.103(d) to include the 
following criteria:
     Ownership, control, or management by persons that support 
a foreign adversary's military, intelligence, or proliferation 
activities;
     use of the connected software application to conduct 
surveillance that enables espionage, including through a foreign 
adversary's access to sensitive or confidential government or business 
information, or sensitive personal data;
     ownership, control, or management of connected software 
applications by persons subject to coercion or cooption by a foreign 
adversary;
     ownership, control, or management of connected software 
applications by persons involved in malicious cyber activities;
     a lack of thorough and reliable third-party auditing of 
connected software applications;
     the scope and sensitivity of the data collected;
     the number and sensitivity of the users of the connected 
software application; and
     the extent to which identified risks have been or can be 
addressed by independently verifiable measures.
    As noted above, while the proposed regulatory text below adds these 
criteria in a new sub-paragraph applicable only to ICTS Transactions 
involving connected software applications, the Department is also 
inviting comments on whether these criteria are sufficient or whether 
others should be added. For example, should the Department add a 
criterion such as whether the software has any embedded outgoing 
network calls or web server references, regardless of the ownership, 
control, or management of the software? The Department also seeks 
comments on whether the criteria should be more generally applicable to 
ICTS Transactions.
    With regard to the phrase ``ownership, control or management,'' 
should it be understood to include both continuous control/management 
and sporadic control/management (e.g., when a third party must be 
temporarily granted access to apply updates/upgrades/patches/etc.), or 
should this phrase be further clarified?
    Additionally, the Department seeks comment on whether and how the 
Department should specifically define the terms ``reliable third-
party'' and ``independently verifiable measures,'' and, if so, whether 
there are generally accepted definitions or terms of art that the 
Department should consider adopting. The Department is also interested 
in whether the reference to ``third-party auditing of connected 
software applications'' is sufficiently clear or whether it needs 
further definition. For example, would it be understood to apply to 
audits by a third party of only the connected software applications, or 
to audits of the organizations implementing the software applications 
as well? Also, should the requirement to audit applications be revised 
to make clear that auditing is a continuous process through the 
development and deployment life cycle of the application? And would the 
requirement to audit applications be understood to refer only to 
source-code examination and verification, or would it also include 
monitoring of logs or other data that the application collects?

Classification

A. Executive Order 12866 (Regulatory Policies and Procedures)

    Pursuant to the procedures established to implement Executive Order 
12866, the Office of Management and Budget has determined that this 
rule is significant but not economically significant.

C. Regulatory Flexibility Analysis

    The Chief Counsel for Regulation of the Department of Commerce 
certifies to the Chief Counsel for Advocacy of the Small Business 
Administration that this proposed rule would not have a significant 
economic impact on a substantial number of small entities. The factual 
basis for this determination is as follows.
    This proposed rule would update the regulations at 15 CFR part 7 
that implement E.O. 13873 to revise the term ICTS to specifically 
include ``connected software applications,'' as well as to affirm that 
a transaction involving connected software applications is an ICTS 
Transaction. It would add criteria the Secretary and the appropriate 
agency heads may use in making determinations about the risks 
potentially posed by ICTS Transactions involving connected software 
applications. The rule would also make conforming changes.
    Accordingly, this proposed rule does not increase the scope of 
applicability of the existing regulations, the economic effects of 
which were evaluated in the regulatory impact analysis (RIA) associated 
with the Supply Chain Rule, at 86 FR 4909. (The RIA can be found online 
at reginfo.gov, and at regulations.gov, with a search for RIN 0605-
AA51.) This proposed rule, once implemented, will not add any costs or 
burdens to any entity, small or large, because it does not expand the 
application scope of the Supply Chain Rule. Because this proposed rule 
neither increases the number of entities to which the Supply Chain Rule 
applies, nor increases the cost and burdens on those entities, it would 
not have a significant economic impact on a substantial number of small 
businesses.

[[Page 67382]]

D. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA) 
provides that an agency generally cannot conduct or sponsor a 
collection of information, and no person is required to respond to nor 
be subject to a penalty for failure to comply with a collection of 
information, unless that collection has obtained Office of Management 
and Budget (OMB) approval and displays a currently valid OMB Control 
Number. This proposed rule does not contain a collection of information 
requirement subject to review and approval by OMB under the PRA.

E. Unfunded Mandates Reform Act of 1995

    This proposed rule would not create a Federal mandate (under the 
regulatory provisions of Title II of the Unfunded Mandates Reform Act 
of 1995) for State, local, and tribal governments or the private 
sector.

F. Executive Order 13132 (Federalism)

    This proposed rule does not contain policies having federalism 
implications requiring preparation of a Federalism Summary Impact 
Statement.

G. Executive Order 12630 (Governmental Actions and Interference With 
Constitutionally Protected Property Rights)

    This rule does not contain policies that have unconstitutional 
takings implications.

H. Executive Order 13175 (Consultation and Coordination With Indian 
Tribes)

    The Department has analyzed this proposed rule under Executive 
Order 13175 and has determined that the action would not have a 
substantial direct effect on one or more Indian tribes, would not 
impose substantial direct compliance costs on Indian tribal 
governments, and would not preempt tribal law.

I. National Environmental Policy Act

    The Department has reviewed this rulemaking action for the purposes 
of the National Environmental Policy Act (42 U.S.C. 4321 et seq.). It 
has determined that this proposed rule would not have a significant 
impact on the quality of the human environment.

List of Subjects in 15 CFR Part 7

    Administrative practice and procedure, Business and industry, 
Communications, Computer technology, Critical infrastructure, Executive 
orders, Foreign persons, Investigations, National security, Penalties, 
Technology, Telecommunications.

    Dated: November 16, 2021.
Trisha Anderson,
Deputy Assistant Secretary for Intelligence and Security, U.S. 
Department of Commerce.

PART 7--SECURING THE INFORMATION AND COMMUNICATIONS TECHNOLOGY AND 
SERVICES SUPPLY CHAIN

1. The authority citation for part 7 continues to read as follows:

    Authority: 50 U.S.C. 1701 et seq.; 50 U.S.C. 1601 et seq.; E.O. 
13873, 84 FR 22689.

2. Revise Sec.  7.1 to read as follows:

Subpart A--General


Sec.  7.1  Purpose.

    (a) These regulations set forth the procedures by which the 
Secretary may:
    (1) Determine whether any acquisition, importation, transfer, 
installation, dealing in, or use of any information and communications 
technology or service (ICTS Transaction), including connected software 
applications, that has been designed, developed, manufactured, or 
supplied by persons owned by, controlled by, or subject to the 
jurisdiction or direction of foreign adversaries poses certain undue or 
unacceptable risks as identified in the Executive Order;
    (2) Issue a determination to prohibit an ICTS Transaction;
    (3) Direct the timing and manner of the cessation of the ICTS 
Transaction; and
    (4) Consider factors that may mitigate the risks posed by the ICTS 
Transaction.
    (b) The Secretary will evaluate ICTS Transactions under this rule, 
which include classes of transactions, on a case-by-case basis. The 
Secretary, in consultation with appropriate agency heads specified in 
Executive Order 13873 and other relevant governmental bodies, as 
appropriate, shall make an initial determination as to whether to 
prohibit a given ICTS Transaction or propose mitigation measures, by 
which the ICTS Transaction may be permitted. Parties may submit 
information in response to the initial determination, including a 
response to the initial determination and any supporting materials and/
or proposed measures to remediate or mitigate the risks identified in 
the initial determination as posed by the ICTS Transaction at issue. 
Upon consideration of the parties' submissions, the Secretary will 
issue a final determination prohibiting the transaction, not 
prohibiting the transaction, or permitting the transaction subject to 
the adoption of measures determined by the Secretary to sufficiently 
mitigate the risks associated with the ICTS Transaction. The Secretary 
shall also engage in coordination and information sharing, as 
appropriate, with international partners on the application of these 
regulations.
3. Amend Sec.  7.2 by adding, in alphabetical order, the definition for 
``Connected software application'' and revising the definition of 
``Information and communications technology or services or ICTS'' to 
read as follows:


Sec.  7.2  Definitions.

* * * * *
    Connected software application means software, a software program, 
or a group of software programs, that is designed to be used on an end-
point computing device and includes as an integral functionality, the 
ability to collect, process, or transmit data via the internet.
* * * * *
    Information and communications technology or services or ICTS means 
any hardware, software, including connected software applications, or 
other product or service, including cloud-computing services, primarily 
intended to fulfill or enable the function of information or data 
processing, storage, retrieval, or communication by electronic means 
(including electromagnetic, magnetic, and photonic), including through 
transmission, storage, or display.
* * * * *
4. Amend Sec.  7.3 by adding paragraph (a)(4)(v)(E) to read as follows:


Sec.  7.3  Scope of Covered ICTS Transactions.

    (a) * * *
    (4) * * *
    (v) * * *
    (E) Connected software applications; or
* * * * *
5. In Sec.  7.103, redesignate paragraph (d) as paragraph (e) and add 
new paragraph (d) to read as follows:


Sec.  7.103  Initial review of ICTS Transactions.

* * * * *
    (d) For ICTS Transactions involving connected software applications 
that are accepted for review, the Secretary's assessment of whether the 
ICTS Transaction poses an undue or unacceptable risk may be determined 
by evaluating the criteria in paragraph (c) of this section as well as 
the following additional criteria:
    (1) Ownership, control, or management by persons that support a 
foreign adversary's military, intelligence, or proliferation 
activities;

[[Page 67383]]

    (2) Use of the connected software application to conduct 
surveillance that enables espionage, including through a foreign 
adversary's access to sensitive or confidential government or business 
information, or sensitive personal data;
    (3) Ownership, control, or management of connected software 
applications by persons subject to coercion or cooption by a foreign 
adversary;
    (4) Ownership, control, or management of connected software 
applications by persons involved in malicious cyber activities;
    (5) A lack of thorough and reliable third-party auditing of 
connected software applications;
    (6) The scope and sensitivity of the data collected;
    (7) The number and sensitivity of the users of the connected 
software application; and
    (8) The extent to which identified risks have been or can be 
addressed by independently verifiable measures.
* * * * *

[FR Doc. 2021-25329 Filed 11-24-21; 8:45 am]
BILLING CODE 3510-DT-P

