[Federal Register Volume 84, Number 229 (Wednesday, November 27, 2019)]
[Proposed Rules]
[Pages 65316-65322]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-25554]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================





DEPARTMENT OF COMMERCE

15 CFR Part 7

[Docket No. 191119-0084]
RIN 0605-AA51


Securing the Information and Communications Technology and 
Services Supply Chain

AGENCY: U.S. Department of Commerce.

ACTION: Proposed rule; request for comments.

-----------------------------------------------------------------------

SUMMARY: Pursuant to an Executive order of May 15, 2019, entitled 
``Securing the Information and Communications Technology and Services 
Supply Chain,'' the Department of Commerce (the Department) proposes to 
implement regulations that would govern the process and procedures that 
the Secretary of Commerce (Secretary) will use to identify, assess, and 
address certain information and communications technology and services 
transactions that pose an undue risk to critical infrastructure or the 
digital economy in the United States, or an unacceptable risk to U.S. 
national security or the safety of United States persons.

DATES: Written comments must be received on or before December 27, 
2019.

ADDRESSES: All comments must be submitted by one of the following 
methods:
     By the Federal eRulemaking Portal: http://www.regulations.gov at docket number DOC-2019-0005.
     By email directly to: [email protected]. Include 
``RIN 0605-AA51'' in the subject line.
     By mail or hand delivery to: Henry Young, U.S. Department 
of Commerce, ATTN: RIN 0605-AA51, 1401 Constitution Avenue NW, 
Washington, DC 20230.
     Instructions: Comments sent by any other method, to any 
other address or individual, or received after the end of the comment 
period, may not be considered. For those seeking to submit confidential 
business information (CBI), please submit such information by email or 
mail or hand delivery as instructed above. Each CBI submission must 
also contain a summary of the CBI in sufficient detail to permit a 
reasonable understanding of the substance of the information for public 
consumption. Such summary information will be posted on 
regulations.gov.

FOR FURTHER INFORMATION CONTACT: Henry Young, U.S. Department of 
Commerce, 1401 Constitution Avenue NW, Washington, DC 20230; telephone: 
202-482-0224. For media inquiries: Rebecca Glover, Director, Office of 
Public Affairs, U.S. Department of Commerce, 1401 Constitution Avenue 
NW, Washington, DC 20230; telephone: (202) 482-4883.

SUPPLEMENTARY INFORMATION: 

I. Background

    The information and communications technology and services (ICTS) 
supply chain is critical to nearly every aspect of U.S. national 
security. It underpins our economy; supports critical infrastructure 
and emergency services; and facilitates the nation's ability to store, 
process, and transmit vast amounts of data, including sensitive 
information, that is used for personal, commercial, government, and 
national security purposes. The ICTS supply chain must be secure to 
protect our national security, including the economic strength that is 
an essential element of our national security. However, the ICTS supply 
chain has become increasingly vulnerable to exploitation and is an 
attractive target for espionage, sabotage, and foreign interference 
activity. ICTS that are designed, developed, manufactured, or supplied 
by persons owned by, controlled by, or subject to the jurisdiction or 
direction of a foreign adversary augment our adversaries' ability to 
create or exploit vulnerabilities in ICTS to potentially catastrophic 
effect. The President has determined that the unrestricted acquisition 
or use of such ICTS causes an unusual and extraordinary threat to the 
national security, foreign policy, and economy of the United States.
    Executive Order 13873 of May 15, 2019, ``Securing the Information 
and Communications Technology and Services Supply Chain'' (84 FR 22689) 
(Executive order), was issued pursuant to the President's authority 
under the Constitution and the laws of the United States, including the 
International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) 
(IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.), and 
section 301 of Title 3, United States Code. The Executive order grants 
the Secretary of Commerce (Secretary) the authority to prohibit any 
acquisition, importation, transfer, installation, dealing in, or use of 
any information and communications technology or service (a 
``transaction'') subject to United States' jurisdiction where the 
Secretary, in consultation with other relevant agency heads, determines 
that the transaction: (i) Involves property in which a foreign country 
or national has an interest; (ii) includes information and 
communications technology or services designed, developed, 
manufactured, or supplied by persons owned by, controlled by, or 
subject to the jurisdiction or direction of a foreign adversary; and 
(iii) poses certain undue risks to critical infrastructure or the 
digital economy in the United States or certain unacceptable risk to 
U.S. national security or U.S. persons. (84 FR 22689).
    The Department is proposing regulations that would implement the 
terms of the Executive order by establishing a process by which the 
Secretary will determine whether a particular transaction should be 
prohibited. A transaction that meets the following conditions will be 
subject to review by the Secretary and may require mitigation, 
prohibition, or an unwinding of the transaction if determined to be 
prohibited: (1) The transaction is conducted by any person subject to 
the jurisdiction of the United States or involves property subject to 
the jurisdiction of the United States; (2) the transaction involves any 
property in which any foreign country or a national thereof has an 
interest (including through an interest in a contract for the provision 
of the technology or service); and (3) the transaction was initiated, 
pending, or completed after May 15, 2019, regardless of when any 
contract applicable to the transaction was entered into, dated or 
signed, or when any license, permit, or authorization applicable to 
such transaction was granted. Transactions involving certain ongoing 
activities, including but not limited to managed services, software 
updates, or repairs, would constitute transactions that were completed 
on or after May 15, 2019 even if a contract was entered into prior to 
May 15, 2019.
    To assist the Department in the execution and implementation of the 
Executive order, Section 5 of the Executive order requires the Office 
of the Director of National Intelligence (ODNI) and the Department of 
Homeland Security (DHS) to produce an initial threat assessment and 
vulnerability assessment, respectively. Pursuant to Section 5(a) of the 
Executive order, the Director of National Intelligence produced an 
initial, classified threat assessment setting forth the threats to the 
United States and its people from ICTS designed, developed, 
manufactured, or supplied by persons owned by, controlled by, or 
subject to the jurisdiction or direction of a foreign adversary.
    Pursuant to Section 5(b) of the Executive order, DHS provided to 
the Department an initial vulnerabilities assessment identifying and 
assessing ICTS hardware, software, and services that present 
vulnerabilities in the United States. The Department will use this 
vulnerability assessment as one of the available sources of information 
to inform its analysis of risks and will use the categories of ICTS 
identified in the assessment as an analytical tool to assist in 
evaluating transactions within the Executive order's scope.
    The Secretary herein adopts a case-by-case, fact-specific approach 
to determine those transactions that meet the requirements set forth in 
the Executive order and are therefore prohibited or must be mitigated. 
A case-by-case process allows for the deliberative application of the 
authority granted to the Secretary by the President in the Executive 
order as the Secretary seeks to calibrate properly the application of 
this new authority. A case-by-case application of this authority would 
allow the Secretary to target and prohibit transactions that meet the 
Executive order criteria, without unintentionally prohibiting other 
transactions involving similar ICTS that may not rise to the level of 
presenting an undue risk to critical infrastructure or the digital 
economy in the United States or an unacceptable risk to national 
security or the safety of U.S. persons. This approach would also ensure 
that the Department does not inadvertently preclude innovation or 
access to technology in the United States.

II. Prohibited Transactions

    The Executive order proscribes transactions, which involve the 
acquisition, importation, transfer, installation, dealing in or use of 
ICTS by any person where the transaction (i) involves any property in 
which a foreign country or a national thereof has any interest, (ii) 
involves any ICTS ``designed, developed, manufactured, or supplied'' by 
entities ``owned by, controlled by, or subject to the jurisdiction or 
direction of a foreign adversary,'' and (iii) poses ``an undue risk'' 
of several specified adverse consequences, or ``an unacceptable risk'' 
to national security or the safety of U.S. persons.
    In implementing the Executive order, the Secretary will decide 
whether the particular circumstances of a potentially prohibited 
transaction may meet this standard. The Secretary, upon the Secretary's 
own motion or upon referral of a particular transaction from another 
Federal agency, will evaluate transactions the Secretary believes may 
be covered by the Executive order and determine, in consultation with 
the heads of other agencies as appropriate, whether any such 
transaction should be prohibited or mitigated.
    Under the procedures set forth in the proposed rule the Secretary 
would provide, as appropriate, direct notice to the parties of a 
transaction that an evaluation of a transaction is being conducted and 
that he has reached a preliminary determination regarding a 
transaction. In making determinations, the Secretary, in consultation 
with other Federal agencies, would assess, for example, whether a party 
to a transaction is owned by, controlled by, or subject to the 
jurisdiction or direction of a foreign adversary, and whether the use 
of a certain class of ICTS or transactions by particular classes of 
users present an undue or unacceptable risk. Parties notified of an 
evaluation and preliminary determination would have an opportunity to 
submit an opposition and information in support of their opposition, 
which may include proposed measures for mitigation, prior to the 
Secretary issuing a final determination.
    Upon completion of the evaluation, the Secretary would issue an 
unclassified, written final determination to the parties engaged in the 
transaction, and, as appropriate, to the public, that would summarize 
the elements of the evaluation and explain how the Secretary's 
determination is consistent with the terms of the Executive order and 
its implementing regulations. In the event that classified or any other 
protected information is used or relied upon by the Secretary in making 
a determination, such information would not be made available except as 
required by law. If the Secretary determines that a transaction 
presents an undue or unacceptable risk, the Secretary may require 
measures to mitigate the transaction's identified risks or may prohibit 
the transaction, including by requiring that the parties engaged in the 
transaction immediately cease the use of the ICTS that poses the undue 
or unacceptable risk, even if such ICTS has been installed or was in 
operation prior to the Secretary's determination. The Secretary will 
not issue an advisory opinion or a declaratory ruling with respect to 
any particular transaction.
    The Executive order also authorizes the Secretary to exempt certain 
classes of transactions from the Executive order's restrictions if the 
Secretary determines (for example, because of the nature or 
capabilities of the ICTS involved or the characteristics of the 
purchaser or ultimate user) that such transactions do not present an 
undue or unacceptable risk or are outside the scope of the Executive 
order. The Executive order also authorizes the Secretary to prohibit 
transactions as a class if the Secretary determines that such class of 
transactions poses an undue or unacceptable risk. The proposed rule does 
not recognize particular technologies or particular participants in the 
market for ICTS as categorically included or excluded from the 
prohibitions established by the Executive order. If, in the future, the 
Secretary determines that it is appropriate to designate classes of 
transactions for categorical inclusion or exclusion, further guidance 
will be issued at that time.
    It is expected that parties engaging in any transaction subject to 
the Executive order will maintain records related to such transaction 
in a manner consistent with the recordkeeping practices used in their 
ordinary course of business for such a transaction. Any parties 
notified that a transaction is being evaluated will be advised by that 
notice to immediately take steps to retain any and all records relating 
to such transaction.

III. Request for Comment

    The Department invites comment on all aspects of the proposed 
regulation but notes that the determination of a ``foreign adversary'' 
for purposes of implementing the Executive order is a matter of 
executive branch discretion and will be made by the Secretary in 
consultation with the Secretary of the Treasury, the Secretary of 
State, the Secretary of Defense, the Attorney General, the Secretary of 
Homeland Security, the United States Trade 
Representative, the Director of National Intelligence, the 
Administrator of General Services, the Chairman of the Federal 
Communications Commission, and, as appropriate, the heads of other 
executive departments and agencies (agencies).
     As noted above, the Secretary would initially engage in a 
case-by-case analysis of specific transactions, as facts become known 
to the Secretary to determine if they are prohibited by the Executive 
order. Are there instances where the Secretary should consider 
categorical exclusions? Are there classes of persons whose use of ICTS 
can never violate the Executive order? If so, please provide a detailed 
explanation of why the commenter believes a particular transaction can 
never meet the requirements of the Executive order.
     Are there transactions involving types or classes of ICTS 
where the acquisition or use in the United States or by U.S. parties 
would fall within the terms of the Executive order's prohibited 
transactions because the transaction could present an undue or 
unacceptable risk, but that risk could be reliably and adequately 
mitigated to prevent the undue or unacceptable risk? If the commenter 
believes the risks of a prohibited transaction can be mitigated, what 
form could such mitigation measures take?
     If mitigation measures are adopted for a transaction 
otherwise prohibited by the Executive order, how should the Secretary 
ensure that parties to such transaction consistently execute and comply 
with the agreed-upon mitigation measures that make an otherwise 
prohibited transaction permissible? How best could the Secretary be 
made aware of changes in factual circumstances, including technology 
developments, that could render mitigation measures obsolete, no longer 
effective, or newly applicable?
     Section 1(a) of the Executive order and the definition of 
``transaction'' that the proposed rule would implement refer to 
``acquisition, importation, transfer, installation, dealing in, or use 
of any information and communications technology or service.'' How are 
these terms, in particular ``dealing in'' and ``use of,'' best 
interpreted?
     As discussed above, the Secretary expects persons engaged 
in transactions will maintain records of those transactions in the 
ordinary course of business. Should the Department require additional 
recordkeeping requirements for information related to transactions? Any 
non-public oral communication to Department officials regarding the 
substance of the proposed rule would be considered an ex parte 
presentation, and a summary of the substance of the ex parte 
presentation will be placed on the public record and become part of 
this docket. No later than two (2) business days after an oral 
communication or meeting, the party which engaged in such communication 
or meeting must submit a memorandum to the Department summarizing the 
substance of the communication. The Department reserves the right to 
supplement the memorandum with additional information as necessary, or 
to request that the party making the filing do so, if a Department 
official believes that important information was omitted or 
characterized incorrectly. Any written presentation provided in support 
of the oral communication or meeting will also be placed on the public 
record and become part of this docket. Such ex parte communications 
must be submitted to this docket as provided in the ADDRESSES section 
above and clearly labeled as an ex parte presentation. Federal entities 
are not subject to these procedures.

IV. Classification

A. Executive Order 12866 (Regulatory Policies and Procedures)

    This rulemaking has been determined to be a significant action 
under Executive Order 12866.

B. Executive Order 13771 (Reducing Regulation and Controlling 
Regulatory Costs)

    This rulemaking is exempt from the requirements of Executive Order 
13771 because it involves a national security matter.

C. Regulatory Flexibility Act

    In compliance with section 603 of the Regulatory Flexibility Act 
(RFA), the Department has prepared the below initial regulatory 
flexibility analysis (IRFA) for this proposed rule. The IRFA describes 
the economic impacts the proposed action may have on small entities. 
The Department seeks comment on all aspects of the IRFA, including the 
categories and numbers of small entities that may be directly impacted 
by this proposed rule.
    (1) A statement of the need for, objectives, and the legal basis of 
the proposed rule. The description of the action, why it is being 
considered, and the legal basis for the proposed rule are contained in 
the preamble.
    (2) A description of, and where feasible, an estimate of the number 
of small entities to which the proposed rule will apply. The proposed 
rule defines ``information and communications technology or services'' 
as ``any hardware, software, or other product or service primarily 
intended to fulfill or enable the function of information or data 
processing, storage, retrieval, or communication by electronic means, 
including through transmission, storage, or display.'' A majority of 
entities today, large or small, utilize some manner of ICTS; therefore, 
it is extremely difficult to obtain a determination of the kind and 
number of small entities impacted by the proposed rule. The Department 
acknowledges that actions taken pursuant to this proposed rule may 
affect small entities or groups that are not easily categorized at 
present. We therefore describe here, at the outset, three broad groups 
of small entities that utilize ICTS that could be directly affected 
herein. The Department understands that the groups set forth here do 
not encompass all of the small entities or groups that utilize ICTS and 
could potentially be impacted by the proposed rule. The Department 
invites comment on other small entities or groups that should be 
identified as potentially impacted by the proposed rule.
1. Telecommunications and Information Technology Equipment and Service 
Providers
i. Telecommunications Service Providers
    1. Incumbent Local Exchange Carriers (LECs)
    2. Interexchange Carriers (IXCs)
    3. Competitive Access Providers
    4. Operator Service Providers (OSPs)
    5. Local Resellers
    6. Toll Resellers
    7. Wired Telecommunications Carriers
    8. Wireless Telecommunications Carriers (except Satellite)
    9. Common Carrier Paging
    10. Wireless Telephony
    11. Satellite Telecommunications
    12. All Other Telecommunications
ii. Internet and Digital Service Providers
    1. Internet Service Providers (Broadband)
    2. Internet Service Providers (Non-Broadband)
    3. Cloud Providers
    4. Data Center Service Providers
    5. Managed Security Service Providers
    6. Internet Application Operators/Developers
    7. Software Providers (platform as a service, software as a 
service, etc.)
iii. Vendors and Equipment Manufacturers
    1. Vendors of Infrastructure Development or ``Network Buildout''
    2. Telephone Apparatus Manufacturing
    3. Radio and Television Broadcasting and Wireless Communications 
Equipment
    4. Information Technology Equipment Manufacturers
    5. Connected Device Manufacturers (e.g., connected video cameras, 
health monitoring devices)
    6. Other Communications Equipment Manufacturing

    (3) A description of the projected reporting, recordkeeping and 
other compliance requirements of the proposed rule, including an 
estimate of the classes of small entities that will be subject to the 
requirement and the type of professional skills necessary for 
preparation of the report or record. This proposed rule would not 
mandate any reporting, recordkeeping, or other compliance requirements 
unless an entity receives direct notice that an evaluation into a 
transaction to which such entity is a party is being conducted. If a 
small entity receives such notice, the entity will need to retain and 
provide requested information. The Department does not anticipate that 
any specific professional skills will be required to retain and provide 
such information. As discussed above, the Department anticipates a 
broad range of small entities or groups involved in ICTS that may be 
impacted by the proposed rule, thus making it difficult to determine 
the kind and number of small entities that may be impacted. However, as 
a part of the initial analysis to determine the kind and number of 
small entities that may be impacted by the proposed rule, the 
Department has identified the three broad groups of small entities 
listed above that utilize ICTS and may be subject under the proposed 
rule to an evaluation of a transaction to which such small entities may 
be a party.
    (4) An identification, to the extent practicable, of all relevant 
Federal rules that may duplicate, overlap or conflict with the proposed 
rule. This rule does not duplicate or conflict with any Federal rules.
    (5) A description of any significant alternatives to the proposed 
rule that accomplish the stated objectives of Executive Order 13873 and 
applicable statutes and that would minimize any significant economic 
impact of the proposed rule on small entities.
     No-action alternative: Not implementing a rule under the 
Executive order is not a viable alternative because of the national 
security concerns associated with transactions involving information 
and communications technology or services designed, developed, 
manufactured, or supplied by persons owned by, controlled by, or 
subject to the jurisdiction or direction of a foreign adversary.
     Alternative that would categorically exclude small 
entities or groups of small entities: This alternative would also not 
achieve the objectives of Executive Order 13873 of alleviating the 
national security concerns associated with certain transactions 
because, due to the nature of ICTS networks, transactions by small 
entities or groups of information and communications technology or 
services designed, developed, manufactured, or supplied by persons 
owned by, controlled by, or subject to the jurisdiction or direction of 
a foreign adversary may pose an undue risk to critical infrastructure 
or the digital economy in the United States or an unacceptable risk to 
national security or U.S. persons, and as such, should be evaluated in 
order to determine whether they should be mitigated, prohibited, or 
require an unwinding of the transaction.
     Preferred alternative: The proposed rule is the preferred 
alternative. It would achieve the objectives of Executive Order 13873 
by implementing a procedure that would allow the Secretary to apply a 
case-by-case, fact-specific process to identify, assess, and address 
any and all transactions that pose an undue risk to critical 
infrastructure or the digital economy in the United States or an 
unacceptable risk to national security or U.S. persons.

D. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA) 
provides that an agency generally cannot conduct or sponsor a 
collection of information, and no person is required to respond to nor 
be subject to a penalty for failure to comply with a collection of 
information, unless that collection has obtained Office of Management 
and Budget (OMB) approval and displays a currently valid OMB Control 
Number. This rulemaking does not contain a collection of information 
requirement subject to review and approval by OMB under the PRA; the 
rule would require only that parties engaging in any transaction 
subject to Executive Order 13873 shall maintain records related to such 
transaction in a manner consistent with the recordkeeping practices 
used in their ordinary course of business.

E. Unfunded Mandates Reform Act of 1995

    This proposed rule would not produce a Federal mandate (under the 
regulatory provisions of Title II of the Unfunded Mandates Reform Act 
of 1995) for State, local, and tribal governments or the private 
sector.

F. Executive Order 13132 (Federalism)

    This proposed rule does not contain policies having federalism 
implications requiring preparation of a Federalism Summary Impact 
Statement.

G. Executive Order 12630 (Governmental Actions and Interference With 
Constitutionally Protected Property Rights)

    This proposed rule does not contain policies that have takings 
implications.

H. Executive Order 13175 (Consultation and Coordination With Indian 
Tribes)

    The Department has analyzed this proposed rule under Executive 
Order 13175 and has determined that the action would not have a 
substantial direct effect on one or more Indian tribes, would not 
impose substantial direct compliance costs on Indian tribal 
governments, and would not preempt tribal law.

I. National Environmental Policy Act

    The Department has reviewed this rulemaking action for the purposes 
of the National Environmental Policy Act (42 U.S.C. 4321 et seq.). It 
has determined that this proposed rule would not have a significant 
impact on the quality of the human environment.

List of Subjects in 15 CFR Part 7

    Administrative practice and procedure, Business and industry, 
Communications, Computer technology, Critical infrastructure, Executive 
orders, Foreign persons, Investigations, National security, Penalties, 
Technology, Telecommunications.

    For the reasons set out in the preamble, 15 CFR part 7 is proposed 
to be added to read as follows:

PART 7--SECURING THE INFORMATION AND COMMUNICATIONS TECHNOLOGY AND 
SERVICES SUPPLY CHAIN

Subpart A--General
Sec.
7.1 Scope.
7.2 Definitions.
7.3 Purpose.
7.4 Effect on other law.
7.5 Amendment, modification, or revocation.
7.6 Public disclosure of records.
7.7 No advisory opinions or declaratory rulings.
7.8 No categorical inclusions or exclusions.
Subpart B--Implementation for Evaluations
7.100 Commencement of an evaluation of a transaction.
7.101 Criteria to assess the effect of a transaction.
7.102 Conduct of an evaluation.
7.103 Written determinations; adjustment of transactions; signature, 
date, and public availability.
7.104 Emergency action.
Subpart C--Enforcement
7.200 Penalties.

    Authority: 50 U.S.C. 1701 et seq.; 50 U.S.C. 1601 et 
seq.; E.O. 13873, 84 FR 22689.

Subpart A--General


Sec.  7.1  Scope.

    (a) Except as provided in paragraph (b) of this section, this part 
applies only to any acquisition, importation, transfer, installation, 
dealing in, or use of any information and communications technology or 
service (a ``transaction''), that meets each of the following 
conditions:
    (1) The transaction is conducted by any person subject to the 
jurisdiction of the United States or involves property subject to the 
jurisdiction of the United States;
    (2) The transaction involves any property in which any foreign 
country or a national thereof has an interest (including through an 
interest in a contract for the provision of the technology or service); 
and
    (3) The transaction was initiated, is pending, or will be completed 
after May 15, 2019, regardless of when any contract applicable to the 
transaction was entered into, dated, or signed or when any license, 
permit, or authorization applicable to such transaction was granted. 
Transactions involving certain ongoing activities, including but not 
limited to managed services, software updates, or repairs, constitute 
transactions that ``will be completed'' on or after May 15, 2019 even 
if a contract was entered into prior to May 15, 2019. Such transactions 
are subject to review by the Secretary and may require mitigation or an 
unwinding of the transaction if determined to be prohibited.
    (b) This part does not apply to any other acquisition, importation, 
transfer, installation, dealing in or use of information communications 
technology and services or any other goods or services.


Sec.  7.2  Definitions.

    Entity means a partnership, association, trust, joint venture, 
corporation, group, subgroup, or other organization.
    Executive order means Executive Order 13873 of May 15, 2019.
    Foreign adversary means any foreign government or foreign non-
government person determined by the Secretary to have engaged in a 
long-term pattern or serious instances of conduct significantly adverse 
to the national security of the United States or security and safety of 
United States persons for the purposes of Executive Order 13783.
    Information and communications technology or services means any 
hardware, software, or other product or service primarily intended to 
fulfill or enable the function of information or data processing, 
storage, retrieval, or communication by electronic means, including 
through transmission, storage, or display.
    Person means an individual or entity.
    Secretary means the Secretary of Commerce or the Secretary's 
designee.
    Transaction means any acquisition, importation, transfer, 
installation, dealing in, or use of any information and communications 
technology or service. Use of the term transaction in this part 
includes a class of transactions.
    United States person means any United States citizen, permanent 
resident alien, entity organized under the laws of the United States or 
any jurisdiction within the United States (including foreign branches), 
or any person in the United States.


Sec.  7.3   Purpose.

    The regulations in this part set forth the procedures by which the 
Secretary shall commence and conduct evaluations to determine the 
effect that any acquisition, importation, transfer, installation, 
dealing in, or use of an information and communications technology or 
service that has been designed, developed, manufactured, or supplied by 
persons owned by, controlled by, or subject to the jurisdiction or 
direction of foreign adversaries have on the national security, foreign 
policy, and economy of the United States. The evaluations will address 
transactions on a case-by-case, fact-specific basis. Based on the 
evaluation findings, the Secretary, in consultation with relevant 
agency heads specified in the Executive order and other relevant 
governmental bodies, as appropriate, shall make a decision for action or 
inaction regarding adjustment of a transaction. Action regarding 
adjustment of a transaction may include a prohibition or approval of an 
otherwise prohibited transaction due to adoption of mitigation measures 
determined by the Secretary to sufficiently mitigate the risks 
associated with the transaction. The Secretary shall also engage in 
coordination and information sharing, as appropriate, with 
international partners on the application of the regulations in this 
part.


Sec.  7.4  Effect on other law.

    Nothing in this part shall be construed as altering or affecting 
any other authority, process, regulation, investigation, enforcement 
measure, or review provided by or established under any other provision 
of Federal law, including prohibitions under the National Defense 
Authorization Act of 2019, the Federal Acquisition Regulations, or the 
International Emergency Economic Powers Act (IEEPA) (50 U.S.C. 1701 et 
seq.), or any other authority of the President or the Congress under 
the Constitution of the United States.


Sec.  7.5  Amendment, modification, or revocation.

    Except as otherwise provided by law, the provisions of this part 
and any determinations, orders, or decisions issued thereunder may be 
amended, modified, or revoked, in whole or in part, at any time.


Sec.  7.6   Public disclosure of records.

    Public requests for agency records related to this part will be 
processed in accordance with the Department of Commerce's Freedom of 
Information Act regulations, 15 CFR part 4, or other applicable law and 
regulation.


Sec.  7.7  No advisory opinions or declaratory rulings.

    The Secretary will not issue an advisory opinion or a declaratory 
ruling with respect to any particular transaction.


Sec.  7.8   No categorical inclusions or exclusions.

    The Secretary has declined to identify classes of transactions that 
are subject to prohibition or are excluded from prohibition. 
Determination of transactions prohibited by the Executive order will be 
made on a case-by-case basis. Should the Secretary determine based on a 
particular case that a class of transactions should be prohibited or 
excluded, the Secretary will publish such determination and further 
guidance or request for comment (if needed) in the Federal Register.

Subpart B--Implementation for Evaluations


Sec.  7.100  Commencement of an evaluation of a transaction.

    The Secretary may commence an evaluation of a transaction in one of 
three ways:
    (a) At the Secretary's discretion;
    (b) Upon request of the Secretary of the Treasury, the Secretary of 
State, the Secretary of Defense, the Attorney General, the Secretary of 
Homeland Security, the United States Trade Representative, the Director 
of National Intelligence, the Administrator of General Services, or the 
Chairman of the Federal Communications Commission, or, as appropriate, 
the head of any other Government department, agency, governmental body, 
or the Federal Acquisition Security Council (FASC). A request from 
other Government departments, agencies, governmental body, or FASC for 
an evaluation shall be in writing provided from the head of the 
requesting agency, or their designee, to the Secretary; or
    (c) Based on information submitted to the Secretary by private 
parties that the Secretary determines to be credible. Information from 
private parties may be submitted to the Secretary via a web portal to 
be made available on https://www.commerce.gov/issues/ict-supply-chain.


Sec.  7.101   Criteria to assess the effect of a transaction.

    (a) To determine the effect of a transaction subject to evaluation, 
the Secretary, in consultation with the Secretary of the Treasury, the 
Secretary of State, the Secretary of Defense, the Attorney General, the 
Secretary of Homeland Security, the United States Trade Representative, 
the Director of National Intelligence, the Administrator of General 
Services, the Chairman of the Federal Communications Commission, and, 
as appropriate, the heads of other executive departments and agencies, 
shall consider whether:
    (1) The transaction is subject to the jurisdiction of the United 
States;
    (2) The transaction involves any property in which any foreign 
country or a national thereof has an interest (including through an 
interest in a contract for the provision of the technology or service);
    (3) The transaction was initiated, is pending, or will be completed 
after May 15, 2019, regardless of when any contract applicable to the 
transaction was entered into, dated, or signed or when any license, 
permit, or authorization applicable to such transaction was granted;
    (4) The transaction involves information and communications 
technology or services designed, developed, manufactured, or supplied, 
by persons owned by, controlled by, or subject to the jurisdiction or 
direction of a foreign adversary; and
    (5) The transaction:
    (i) Poses an undue risk of sabotage to or subversion of the design, 
integrity, manufacturing, production, distribution, installation, 
operation, or maintenance of information and communications technology 
or services in the United States;
    (ii) Poses an undue risk of catastrophic effects on the security or 
resiliency of United States critical infrastructure or the digital 
economy of the United States; or
    (iii) Otherwise poses an unacceptable risk to the national security 
of the United States or the security and safety of United States 
persons.
    (b) In determining whether a transaction involves an information 
and communications technology or service designed, developed, 
manufactured, or supplied, by persons ``owned by, controlled by, or 
subject to the jurisdiction or direction of a foreign adversary,'' the 
Department will consider a number of factors, including, but not 
limited to the laws and practices of the foreign adversary; equity 
interest, access rights, seats on a board of directors or other 
governing body, contractual arrangements, voting rights, and control 
over design plans, operations, hiring decisions, or business plan 
development.


Sec.  7.102   Conduct of an evaluation.

    In conducting an evaluation of whether a transaction meets the 
criteria described in Sec.  7.101, the Secretary:
    (a) Shall, as appropriate, seek information and advice from, and 
consult with, appropriate officers of the United States or their 
designees. Information received from agencies of the U.S. Government, 
state, local, tribal, or territorial governments, or business 
confidential or other trade secret information will not be made 
available for public inspection except as otherwise required by law;
    (b) May use all appropriate tools available to collect information, 
including but not limited to the following:
    (1) Relevant publicly available, business confidential or 
proprietary information, and classified information as part of an 
evaluation;
    (2) Information from foreign governments as a part of an 
evaluation; and
    (3) Information from parties to a transaction as part of an 
evaluation, including records related to such transaction that any 
party keeps or uses, or would be expected to keep or use, in their 
ordinary course of business for such a transaction. Parties notified 
that one of their transactions is being evaluated must immediately take 
steps to retain any and all records relating to such transaction, 
regardless of whether those records would normally be retained prior to 
receiving such notice; and
    (c) May consolidate any referral, or materials that are filed while 
an evaluation is in progress, concerning transactions of the same or 
related class and raising similar issues.


Sec.  7.103   Written determinations; adjustment of transactions; 
signature, date, and public availability.

    (a) Upon a preliminary determination by the Secretary that a 
transaction meets the criteria set forth in Sec.  7.101, the Secretary 
shall, when consistent with national security, provide written notice 
to the parties of the transaction advising that:
    (1) The Secretary has reached a preliminary determination;
    (2) An explanation of the basis for such preliminary determination 
to the extent such explanation can be provided consistent with national 
security; and
    (3) Within 30 days after receipt of the notice, the specific party 
may submit an opposition and information in support of such opposition 
to the preliminary determination or information on proposed measures 
for mitigation.
    (b) The Secretary shall take into consideration any comments 
received pursuant to the process set forth in paragraph (a) of this 
section in making a final determination. Within 30 days of receipt of 
any information received pursuant to paragraph (a)(3) of this section, 
the Secretary will issue a final determination.
    (c) In making a final determination, the Secretary may:
    (1) Determine the transaction is prohibited;
    (2) Determine the transaction is not prohibited; or
    (3) At the Secretary's discretion and in consultation with the 
heads of other agencies as appropriate, require measures and specific 
timeframes to mitigate risks identified during an evaluation as a 
precondition of approving a transaction that may otherwise be 
prohibited.
    (d) A final determination shall be in writing and shall describe 
whether the transaction is prohibited; the transaction is not 
prohibited; or an otherwise prohibited transaction is permitted 
pursuant to the adoption of 
mitigation measures. Any determination to permit an otherwise 
prohibited transaction based on mitigation measures shall also provide 
a description of the mitigation measures adopted. A final determination 
shall be sent to the parties of the transaction by registered U.S. 
mail.
    (e) Any determination to either prohibit a transaction or permit an 
otherwise prohibited transaction based on mitigation measures shall 
also provide a clear statement of the penalties set forth in Sec.  
7.200 that parties will face if they fail to comply fully with either 
the prohibition or those mitigation measures.
    (f) The Secretary may commence an evaluation and make a new 
determination of any transaction, subject to this part, if 
circumstances, technology, or available information has materially 
changed.
    (g) All determinations by the Secretary shall be signed and dated.
    (h) Such final determination with respect to a transaction shall 
constitute final agency action.
    (i) A summary of the Secretary's final determination will be made 
public through posting on https://www.commerce.gov/issues/ict-supply-chain and publication in the Federal Register.
    (j) Deadlines set forth in this section may be extended at the 
Secretary's discretion.


Sec.  7.104   Emergency action.

    It is the intent of the Secretary to follow the procedures set 
forth in this part unless, when public harm is likely to occur if the 
procedures are followed or national security interests require it, then 
the Secretary may vary or dispense with any or all of the procedures 
set forth in this part. In such an instance, in a manner consistent 
with national security interests, the Secretary shall provide as part 
of the final written determination the basis for the decision to engage 
in emergency action under this section.

Subpart C--Enforcement


Sec.  7.200  Penalties.

    (a) Subject to IEEPA, 50 U.S.C. 1705, any person who, after 
[effective date of final rule], violates, attempts to violate, 
conspires to violate, or causes a violation of any determination, 
regulation, prohibition, or other action issued under this part, or 
makes any false or misleading representation, statement, or 
certification, or falsifies or conceals any material fact, either 
directly to the Department of Commerce, the Bureau of Industry and 
Security, United States Customs and Border Protection, or an official 
of any other United States agency, or indirectly through any other 
person in the course of any action under this part may be liable to the 
United States for a civil penalty up to $302,584, as adjusted annually 
for inflation under 15 CFR 6.5, or an amount that is twice the amount 
of the transaction that is the basis of the violation with respect to 
which the penalty is imposed. The amount of the penalty assessed for a 
violation shall be based on the nature of the violation.
    (b) Any person who, after [effective date of final rule], violates 
a material provision of a mitigation measure or a material condition 
imposed by the United States under Sec.  7.103 or Sec.  7.104 may be 
liable to the United States for a civil penalty under 50 U.S.C. 1705, 
not to exceed $302,584, as adjusted annually for inflation under 15 CFR 
6.5, per violation or the value of the transaction. Any penalty 
assessed under this paragraph (b) shall be based on the nature of the 
violation and shall be separate and apart from any damages sought 
pursuant to a mitigation measure or any action taken under Sec.  7.103.
    (c) A determination to impose penalties under paragraph (a) or (b) 
of this section will be made by the Secretary. Notice of the penalty, 
including a written explanation of the penalized conduct and the amount 
of the penalty, shall be sent to the penalized party by registered U.S. 
mail.
    (d) Upon receiving notice of the imposition of a penalty under 
paragraph (a) or (b) of this section, the penalized party may, within 
15 days of receipt of the notice of the penalty, submit a petition for 
reconsideration to the Secretary, including a defense, justification, 
or explanation for the penalized conduct. The Secretary will review the 
petition and issue a final decision within 30 days of receipt of the 
petition.
    (e) The penalties authorized in paragraphs (a) and (b) of this 
section may be recovered in a civil action brought by the United States 
in Federal district court.
    (f) The penalties available under this section are without 
prejudice to other penalties, civil or criminal, available under law.
    (g) Section 1001 of title 18, United States Code, shall apply to 
all information provided to the Secretary under this part by any party 
to a transaction.

    Dated: November 19, 2019.
Wilbur L. Ross,
Secretary of Commerce.
[FR Doc. 2019-25554 Filed 11-26-19; 8:45 am]