Final Rule Formalizes Implementation of ICTS Program Authorities to Address Undue and Unacceptable Foreign Adversary Risks to ICTS Transactions in the United States

WASHINGTON, D.C. – Today, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) issued a final rule cementing the procedures it will follow in investigating foreign adversary threats to information and communications technology and services (ICTS) transactions that may harm U.S. national security, pursuant to Executive Order (EO) 13873: Securing the Information and Communications Technology and Services Supply Chain.

This final rule demonstrates the Biden-Harris Administration’s proactive efforts to address the potential national security risks associated with the ICTS supply chain and the abuse of U.S. critical infrastructure by foreign adversaries. It is a significant step in formalizing the operations of the Office of Information and Communications Technology and Services (OICTS), which was established within BIS in March 2022 to implement EO 13873 and related executive orders.

Since its formation, OICTS has completed or undertaken several key investigations and rulemakings. In June 2024, OICTS announced a first-of-its-kind final determination prohibiting Kaspersky Lab, Inc., the U.S. subsidiary of a Russia-based anti-virus software and cybersecurity company, from selling its software within the United States or providing updates to software already in use, amongst other activities.

Additionally, in September 2024, OICTS issued a proposed rule that would prohibit the sale or import of connected vehicles integrating specific pieces of hardware and software, or those components sold separately, with a sufficient nexus to the People’s Republic of China (PRC) or Russia. These actions underscore the critical role of OICTS in protecting American technologies and services from potentially malicious foreign adversary intervention or interference.

“This final rule clarifies and strengthens BIS’s existing authorities to investigate, mitigate, and prohibit ICTS transactions involving our foreign adversaries. It significantly enhances our ability to protect the resilience of our national infrastructure and technology and communications sectors,” said Under Secretary of Commerce for Industry and Security Alan F. Estevez. “The further formalization of the OICTS is an important part of a pivotal year in the office’s growth as it continues to advance U.S. national security.”

“Today’s rule affirms the Department’s commitment to preventing foreign adversaries from using U.S. technology and communications systems to harm U.S. persons or critical infrastructure,” said OICTS Executive Director Elizabeth Cannon. “The rule makes important updates to the processes our office uses to identify and mitigate risks and enforce our regulations on foreign adversary ICTS in the United States.”

An interim final rule published on January 19, 2021, solicited public comments on how the Department should implement various provisions of EO 13873. The final rule addresses feedback from the public on a number of issues, including the scope of the rule, the timeline for completing investigations, the procedures the Department will follow in making determinations, and the role of the Department’s interagency partners.

Changes made in today’s final rule include consolidating the list of technologies within the scope of the rule, outlining the sources of information the Secretary of Commerce may consider when formulating Initial and Final Determinations, and refining the recordkeeping requirements for parties to transaction(s). The Department intends these changes to be consistent with industry and public concerns regarding potential foreign adversary threats to the ICTS supply chain.

The text of the final rule released today is available on the Federal Register’s website here.

For more information, visit https://www.bis.gov.

###