Not Your Parents' IT: New Interim Rule to Scrutinize Acquisition of IT Products and Services from Foreign Adversaries

Today, Commerce has published an interim final rule (IR) which, effective March 22, 2021, will implement the May 15, 2019 Executive Order 13873 that relied on the International Emergency Economic Powers Act (IEEPA) to authorize sweeping power to block or undo any transaction – including use, purchases or importation – of virtually any “information and communications technology or services [ICTS] designed, developed, manufactured, or supplied, by persons owned by, controlled by , or subject to the jurisdiction or direction of a foreign adversary.” The IR (15 C.F.R. Part 7) provides greater clarification than the November 27, 2019 proposed rule (discussed here), but fails to significantly reduce the breadth, ambiguity and uncertainty this new transaction review scheme will have on the global information technology supply chain. Some of the key elements of the IR are:

• Clarification that only transactions occurring after the effective date are covered but cautioning that any services (e.g., software updates and maintenance) received on or after the effective date would be a covered “ITCS Transaction.”
• An initial list of “foreign adversaries,” most significantly China (including Hong Kong) and Russia, whose technology or services (whether directly or indirectly obtained) can trigger a review and possible prohibition.
• A more specific description of the scope of “covered ICTS transactions” but still so broad as to capture virtually all information and communications technology (hardware and software) and services used in networks and cloud-based systems.
• Clarification that Commerce will not separately review ICTS transactions that the Committee on Foreign Investment in the U.S. (CFIUS) is actively reviewing or has reviewed under section 721 of the Defense Production Act, while cautioning that any ICTS transactions that were not part of the covered transaction reviewed by CFIUS remain subject to these new rules.

As true in the original proposed rule, there is no threshold for review of a covered ICTS transaction, and it can be commenced by the Secretary of Commerce at any time – even long after the transaction was consummated – upon receipt of information, whether from the parties to the transaction, competitors, public information or classified sources. The IR also provides the Secretary to compel production of records and testimony, under oath, in connection with its investigation of any transaction. Ultimately, the Secretary, in consultation with other specified agency heads, can prohibit a transaction or order that the transaction may only proceed subject to mitigation measures. Any failure to comply with the regulations or subsequent orders is subject to the fines and penalties available under IEEPA.

While the IR does not provide for advisory opinions, Commerce has promised to publish, at the same time the IR becomes effective, a licensing process (to become effective 60 days thereafter) to provide greater certainty with respect to proposed or pending ICTS transactions. Commerce is also accepting further comments on the IR during the 60 days before it becomes effective.