Commerce Department’s New Technology Supply Chain Rules Leave Many Unanswered Questions

One of the Trump Administration’s final acts at the Department of Commerce (“Commerce”) was the issuance of the long-awaited Interim Final Rule (“IFR”) implementing President Trump’s May 2019 Executive Order on Securing the Information and Communications Technology and Services Supply Chain (“EO 13873”). While the IFR provides far more detail than the November 2019 proposed rule, it leaves many questions regarding scope, process, and enforcement unanswered. In its current iteration, it could have potentially profound impacts on US business.

The IFR is currently slated to go into effect March 22, 2021. Commerce may delay implementation of the rule pursuant to the January 20, 2021 Memorandum from the President’s Chief of Staff, but the Biden Administration has signaled support for measures that focus on threats posed by foreign information and communications technology and services (“ICTS”). Most notably, Secretary of Commerce Nominee Gina Raimondo stated in her confirmation hearing that she “will use the full toolkit at [her] disposal to the fullest extent possible to protect Americans and our networks from Chinese interference.” Accordingly, whether Commerce will proceed with the current version of the rule and how Commerce will wield its expansive authorities under EO 13873 remains to be seen. In the meantime, we provide an overview of the rule and address some of the key questions posed by the IFR.

Q: What does the IFR regulate?

The IFR empowers Commerce to review and block the sale or use of ICTS products and services that are deemed to be subject to foreign influence and that pose an undue or unacceptable threat to national security. The IFR creates a review process similar to the Committee on Foreign Investment in the United States (“CFIUS”) through which the government will review transactions involving ICTS that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.

The impact of such a review on the choices companies make is potentially significant, as Commerce can block US companies and companies operating in the United States from acquiring or using foreign-influenced technology or services if it determines the technology or service causes:

• An undue risk of sabotage to or subversion of the US ICTS sector;
• An undue risk of catastrophic effects on the security or resiliency of US critical infrastructure or the US digital economy; or
• An unacceptable risk to US national security or the security and safety of US persons.

Q: What is a “transaction” covered by the IFR?

The IFR defines an ICTS transaction as “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.” The definition goes beyond investments or purchases of ICTS, to cover a broad array of services, as well as the mere “use” of ICTS.

Q: What types of transactions are subject to review?

The scope of products and services potentially impacted by the rule is very broad. It extends to any transaction involving ICTS that is “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” Commerce designated China, Russia, Iran, North Korea, Cuba, and Venezuelan politician Nicolas Maduro as “foreign adversaries.” The Secretary of Commerce also has discretion to designate additional foreign adversaries without prior notice and comment. The rule will likely have little effect with regards to adversaries already subject to broad economic sanctions (Iran, North Korea, Cuba and Venezuela), but could have a significant impact with regard to China and Russia.

The IFR’s reach is not limited to suppliers domiciled in foreign adversary countries, as it includes not only citizens, residents and companies from such countries, but also includes any person acting at the direction of a foreign adversary, wherever located.

Illustrative examples of the types of transactions potentially impacted by this rule are:

• A US financial services company’s use of a cloud service provided by a company located in China.
• A US technology manufacturer’s use of network management software provided by a Russian citizen, even if that provider resides outside of Russia.
• A large online US retailer’s purchase of customer management technology manufactured by a French company in China.

The IFR, however, exempts from its purview transactions that:

• Are part of a US Government-industrial security program; or
• CFIUS is actively reviewing or has reviewed, provided the ICTS transaction was part of that review.

Q: What about transactions entered into prior to the rule?

While the IFR applies only to transactions initiated, pending, or completed after January 19, 2021, it could potentially reach the provision of services based upon purchases prior to that date. As the definition of transaction includes “use,” the rule could potentially reach a company’s current use of a cloud service or software updates for a product purchased before the issuance of the rule.

The rule does not explicitly include a requirement to “rip and replace,” as we have seen in the context of Federal Communications Commission actions, but the practical consequence of not being able to use identified ICTS could result in companies having to remove previously installed equipment. Likewise, the removal of identified ICTS from systems that the government considers to pose a threat could be a possible mitigation measure.

Q: What triggers a review under the IFR?

The rule does not include an objective set of conditions that trigger review. Commerce’s review is triggered either on its own initiative, or by a referral from another agency. Commerce will then evaluate any information available to the government to determine whether a transaction likely involves foreign-influenced technology or services that would pose an undue or unacceptable threat to national security. Companies may thus not know whether their particular transaction is drawing the attention of Commerce until they receive notification that Commerce has made an initial determination that the transaction should be blocked or subject to mitigation measures. Companies’ assessment of whether a given transaction is likely to trigger a review will thus need to be informed by the rule’s stated purpose. As discussed below, a forthcoming licensing process may also allow companies to address uncertainty.

Q: What types of ICTS is the IFR focused on?

The IFR focuses on six broad categories of ICTS:

• Transactions involving ICTS that will be used in a critical infrastructure sector as designated pursuant to Presidential Policy Directive 21. It is important to note that these sectors are very broad and there is a lack of clear guidance as to which companies may fall within them. For example, the commercial facilities sector potentially includes hotels, office and apartment buildings, shopping malls, and sports leagues.
• ICTS transactions involving products or services integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, and long- and short-haul networks.
• ICTS transactions involving products or services that are integral to data hosting or computing services that use, process, or retain, or is expected to use, process, or retain, sensitive personal data on greater than one million US persons at any point over the 12 months preceding the ICTS transaction. This would include internet hosting services, cloud services, and managed services.
• A transaction involving any of the following products if more than one million units have been sold to US persons at any point over the twelve months prior to the ICTS transaction: internet-enabled sensors, webcams, and any other end point surveillance or monitoring device; home networking devices; and drones.
• ICTS transactions involving software designed primarily for connecting with and communicating via the internet that is used by more than one million US persons at any point over the 12 months preceding the ICTS transaction.
• ICTS transactions integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.

These categories are broad, leaving the government significant leeway to identify and take action against actors, companies, and technology it perceives as a risk.

Q: What is the review process?

The IFR establishes a complex process by which Commerce will determine whether any ICTS transaction should be permitted, prohibited, or subject to mitigation. If, after an initial review to evaluate whether the transaction potentially falls within the scope of the IFR, Commerce determines that the transaction poses an undue or unacceptable risk, Commerce will notify the parties to the transaction.

The parties will then have 30 days to respond with arguments or evidence that establish that Commerce had an insufficient basis for the initial determination, or proposals to remediate or negate the basis for the initial determination. Submissions must be made in writing, and Commerce may, but is not required, to meet with the parties. Upon notification that a transaction is under review or that an initial determination concerning a transaction has been made, a notified party must immediately take steps to retain any and all records relating to such transaction.

After reviewing any submission from the parties, the Secretary will then consult with appropriate agency heads, including the Attorney General, the Secretary of the Treasury, the Secretary of Homeland Security, and the Secretary of Defense, or their designees, to seek consensus on whether the transaction should be permitted, prohibited, or permitted pursuant to the adoption of negotiated mitigation measures. If consensus amongst the agency heads cannot be reached, the Secretary shall notify the President of the United States, who may direct resolution of the issue.

Commerce will issue a final determination within 180 days of commencing the initial review, unless it determines in writing that additional time is needed. The final determination will indicate whether the transaction is permitted, prohibited, or permitted pursuant to the adoption of negotiated mitigation measures. If the transaction is prohibited, the Secretary has the discretion to direct the “least restrictive means necessary to tailor the prohibition to address the undue or acceptable risk posed by the ICTS transaction.”

The final determination will be written, signed, dated, and describe the basis for the Secretary’s determination, address information provided by the parties, and, if applicable, describe the mitigation measures agreed upon by the parties to the ICTS transaction and the Secretary.

Q: How can companies engage Commerce to determine whether their transactions are at risk?

At present, there is no mechanism for companies to seek advance clearance. However, Commerce indicated that it intends to establish a licensing process by which entities can seek pre-approval of their ICTS transactions. This process would be “similar to the process by which entities may inform [CFIUS] . . . and obtain ‘safe harbor’ for those transactions.” Commerce intends to issue procedures for the licensing process by March 21, 2021, and to implement the process by May 19, 2021, subject to any pause on regulatory activity by the Biden Administration. It is important to be mindful that the potential scope of ICTS covered by the IFR is enormous, and the Commerce has limited resources to stand up this new effort. Consequently, the licensing program is unlikely to be robust and responsive at inception. In the meantime, Commerce is accepting public comments on the IFR.

Q: How will Commerce address ICTS that is broadly used?

The IFR focuses on parties to a transaction, which includes a person acquiring ICTS as well as the person providing ICTS. Although a lay understanding of transaction involves just two parties, because the definition of transaction includes “use,” Commerce could potentially prohibit the use of certain foreign technology by all users of that technology who are subject to US jurisdiction.

Decisions for the Biden Administration

Significant questions remain as to what transactions the government will target, how time- and resource-intensive the review process will be, and how prohibitions, mitigation agreements, and the licensing process will be implemented. The CFIUS process may serve as a guide, as it also identifies national security threats from transactions with countries of concern and many of the agencies and personnel involved in CFIUS will be involved in this new ICTS review process. But uncertainty remains, both because this is a broad and novel regime, and because the Biden Administration will have its own views on how to shape this process.

A number of major trade associations have already raised concerns about the new rule, and there is certain to be extensive additional public comments. With new leadership, Commerce may be more receptive to modifying the rule in response to the comments, though the Biden Administration is unlikely to entirely abandon the rule given its stated intention to address the threats posed by foreign technology and intellectual property theft. Consequently, companies should expect some iteration of this rule to move forward and should consider evaluating whether they or their vendors fall within the scope of the rule.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Greta Lichtenbaum, an O'Melveny partner licensed to practice law in the District of Columbia, Tod Cohen, an O'Melveny partner licensed to practice law in the District of Columbia, John Dermody, an O'Melveny counsel licensed to practice law in California and the District of Columbia, and David J. Ribner, an O'Melveny counsel licensed to practice law in the District of Columbia and New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.