(a) This part sets forth the procedures by which the Secretary may:

(1) Determine whether any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including but not limited to connected software applications, (ICTS Transaction) that has been designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries poses certain undue or unacceptable risks as identified in the Executive Order. For purposes of these regulations, the Secretary will consider ICTS to be designed, developed, manufactured, or supplied by a person owned by, controlled by, or subject to the jurisdiction of a foreign adversary where such a person operates, manages, maintains, or services the ICTS;

(2) Issue a determination to prohibit an ICTS Transaction;

(3) Direct the timing and manner of the cessation of the ICTS Transaction;

(4) Consider factors that may mitigate the risks posed by the ICTS Transaction.

(b) The Secretary will evaluate ICTS Transactions under this rule, which include, but are not limited to, classes of transactions, on a case-by-case basis. The Secretary, in consultation with appropriate agency heads specified in Executive Order 13873 and other relevant governmental bodies, as appropriate, shall make an initial determination as to whether to prohibit a given ICTS Transaction or propose mitigation measures, by which the ICTS Transaction may be permitted. Parties may submit information in response to the initial determination, including a response to the initial determination and any supporting materials and/or proposed measures to remediate or mitigate the risks identified in the initial determination as posed by the ICTS Transaction at issue. Upon consideration of the parties' submissions, the Secretary will issue a final determination prohibiting the transaction, not prohibiting the transaction, or permitting the transaction subject to the adoption of measures determined by the Secretary to sufficiently mitigate the risks associated with the ICTS Transaction. The Secretary shall also engage in coordination and information sharing, as appropriate, with international partners on the application of this part.

Appropriate agency heads means the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission, and the heads of any other executive departments and agencies the Secretary determines is appropriate.

Commercial item has the same meaning given to it in Federal Acquisition Regulation (48 CFR part 2.101).

Connected software application means software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.

Department means the United States Department of Commerce.

End-point computing device means a device that can receive or transmit data and includes as an integral functionality the ability to collect or transmit data via the internet.

Entity means a partnership, association, trust, joint venture, corporation, group, subgroup, or other non-U.S. governmental organization.

Executive Order means Executive Order 13873, May 15, 2019, “Securing the Information and Communications Technology and Services Supply Chain”.

Foreign adversary means any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.

ICTS Transaction means any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download. An ICTS Transaction includes any other transaction, the structure of which is designed or intended to evade or circumvent the application of the Executive Order. The term ICTS Transaction includes a class of ICTS Transactions.

IEEPA means the International Emergency Economic Powers Act (50 U.S.C. 1701, et seq.).

Information and communications technology or services or ICTS means any hardware, software, including connected software applications, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.

Party or parties to a transaction means a person engaged in an ICTS Transaction, including the person acquiring the ICTS and the person from whom the ICTS is acquired. Party or parties to a transaction include entities designed, or otherwise used with the intention, to evade or circumvent application of the Executive Order. For purposes of this rule, this definition does not include common carriers, except to the extent that a common carrier knew or should have known (as the term “knowledge” is defined in 15 CFR 772.1) that it was providing transportation services of ICTS to one or more of the parties to a transaction that has been prohibited in a final written determination made by the Secretary or, if permitted subject to mitigation measures, in violation of such mitigation measures.

Person means an individual or entity.

Person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary means any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary; any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary; any corporation, partnership, association, or other organization organized under the laws of a nation-state controlled by a foreign adversary; and any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary.

Secretary means the Secretary of Commerce or the Secretary's designee.

Sensitive personal data means:

(1) Personally-identifiable information, including:

(i) Financial data that could be used to analyze or determine an individual's financial distress or hardship;

(ii) The set of data in a consumer report, as defined under 15 U.S.C. 1681a, unless such data is obtained from a consumer reporting agency for one or more purposes identified in 15 U.S.C. 1681b(a);

(iii) The set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance;

(iv) Data relating to the physical, mental, or psychological health condition of an individual;

(v) Non-public electronic communications, including email, messaging, or chat communications, between or among users of a U.S. business's products or services if a primary purpose of such product or service is to facilitate third-party user communications;

(vi) Geolocation data collected using positioning systems, cell phone towers, or WiFi access points such as via a mobile application, vehicle GPS, other onboard mapping tool, or wearable electronic device;

(vii) Biometric enrollment data including facial, voice, retina/iris, and palm/fingerprint templates;

(viii) Data stored and processed for generating a Federal, State, Tribal, Territorial, or other government identification card;

(ix) Data concerning U.S. Government personnel security clearance status; or

(x) The set of data in an application for a U.S. Government personnel security clearance or an application for employment in a position of public trust; or

(2) Genetic information, which includes the results of an individual's genetic tests, including any related genetic sequencing data, whenever such results, in isolation or in combination with previously released or publicly available data, constitute identifiable data. Such results shall not include data derived from databases maintained by the U.S. Government and routinely provided to private parties for purposes of research. For purposes of this paragraph, “genetic test” shall have the meaning provided in 42 U.S.C. 300gg-91(d)(17).

Undue or unacceptable risk means those risks identified in Section 1(a)(ii) of the Executive Order.

United States person means any United States citizen; any permanent resident alien; or any entity organized under the laws of the United States or any jurisdiction within the United States (including such entity's foreign branches).

Via the internet means using internet protocols to transmit data, including, but not limited to, transmissions by cable, telephone lines, wireless methods, satellites, or other means.

(a) This part applies only to an ICTS Transaction that:

(1) Is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States;

(2) Involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);

(3) Is initiated, pending, or completed on or after January 19, 2021, regardless of when any contract applicable to the transaction is entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted. Any act or service with respect to an ICTS Transaction, such as execution of any provision of a managed services contract, installation of software updates, or the conducting of repairs, that occurs on or after January 19, 2021 may be deemed an ICTS Transaction within the scope of this part, even if the contract was initially entered into, or the activity commenced, prior to January 19, 2021; and

(4) Involves one of the following ICTS:

(i) ICTS that will be used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21—Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors;

(ii) Software, hardware, or any other product or service integral to:

(A) Wireless local area networks, including:

(1) Distributed antenna systems; and

(2) Small-cell or micro-cell base stations;

(B) Mobile networks, including:

(1) eNodeB based stations;

(2) gNodeB or 5G new radio base stations;

(3) NodeB base stations;

(4) Home location register databases;

(5) Home subscriber servers;

(6) Mobile switching centers;

(7) Session border controllers; and

(8) Operation support systems;

(C) Satellite payloads, including:

(1) Satellite telecommunications systems;

(2) Satellite remote sensing systems; and

(3) Satellite position, navigation, and timing systems;

(D) Satellite operations and control, including:

(1) Telemetry, tracking, and control systems;

(2) Satellite control centers;

(3) Satellite network operations;

(4) Multi-terminal ground stations; and

(5) Satellite uplink centers;

(E) Cable access points, including:

(1) Core routers;

(2) Core networks; and

(3) Core switches;

(F) Wireline access points, including:

(1) Access infrastructure datalinks; and

(2) Access infrastructure digital loops;

(G) Core networking systems, including:

(1) Core infrastructure synchronous optical networks and synchronous digital hierarchy systems;

(2) Core infrastructure dense wavelength division multiplexing or optical transport network systems;

(3) Core infrastructure internet protocol and internet routing systems;

(4) Core infrastructure content delivery network systems;

(5) Core infrastructure internet protocol and multiprotocol label switching systems;

(6) Data center multiprotocol label switching routers; and

(7) Metropolitan multiprotocol label switching routers; or

(H) Long- and short-haul networks, including:

(1) Fiber optical cables; and

(2) Repeaters;

(iii) Software, hardware, or any other product or service integral to data hosting or computing services, to include software-defined services such as virtual private servers, that uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data on greater than one million U.S. persons at any point over the twelve (12) months preceding an ICTS Transaction, including:

(A) Internet hosting services;

(B) Cloud-based or distributed computing and data storage;

(C) Managed services; and

(D) Content delivery services;

(iv) Any of the following ICTS products, if greater than one million units have been sold to U.S. persons at any point over the twelve (12) months prior to an ICTS Transaction:

(A) Internet-enabled sensors, webcams, and any other end-point surveillance or monitoring device;

(B) Routers, modems, and any other home networking device; or

(C) Drones or any other unmanned aerial system;

(v) Software designed primarily to enable connecting with and communicating via the internet, which is accessible through cable, telephone line, wireless, or satellite or other means, that is in use by greater than one million U.S. persons at any point over the twelve (12) months preceding an ICTS Transaction, including:

(A) Desktop applications;

(B) Mobile applications;

(C) Gaming applications;

(D) Web-based applications; and

(E) Connected software applications; or

(vi) ICTS integral to:

(A) Artificial intelligence and machine learning;

(B) Quantum key distribution;

(C) Quantum computing;

(D) Drones;

(E) Autonomous systems; or

(F) Advanced Robotics.

(b) This part does not apply to an ICTS Transaction that:

(1) Involves the acquisition of ICTS items by a United States person as a party to a transaction authorized under a U.S. government-industrial security program; or

(2) The Committee on Foreign Investment in the United States (CFIUS) is actively reviewing, or has reviewed, as a covered transaction or covered real estate transaction or as part of such a transaction under section 721 of the Defense Production Act of 1950, as amended, and its implementing regulations.

(c) Notwithstanding the exemption in paragraph (b)(2) of this section, ICTS Transactions conducted by parties to transactions reviewed by CFIUS that were not part of the covered transaction or covered real estate transaction reviewed by CFIUS remain fully subject to this part.

(a) The Secretary has determined that the following foreign governments or foreign non-government persons have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons and, therefore, constitute foreign adversaries solely for the purposes of the Executive Order, this rule, and any subsequent rule:

(1) The People's Republic of China, including the Hong Kong Special Administrative Region (China);

(2) Republic of Cuba (Cuba);

(3) Islamic Republic of Iran (Iran);

(4) Democratic People's Republic of Korea (North Korea);

(5) Russian Federation (Russia); and

(6) Venezuelan politician Nicolás Maduro (Maduro Regime).

(b) The Secretary's determination of foreign adversaries is solely for the purposes of the Executive Order, this rule, and any subsequent rule promulgated pursuant to the Executive Order. Pursuant to the Secretary's discretion, the list of foreign adversaries will be revised as determined to be necessary. Such revisions will be effective immediately upon publication in the Federal Register without prior notice or opportunity for public comment.

(c) The Secretary's determination is based on multiple sources, including:

(1) National Security Strategy of the United States;

(2) The Director of National Intelligence's 2016-2019 Worldwide Threat Assessments of the U.S. Intelligence Community;

(3) The 2018 National Cyber Strategy of the United States of America; and

(4) Reports and assessments from the U.S. Intelligence Community, the U.S. Departments of Justice, State and Homeland Security, and other relevant sources.

(d) (d) The Secretary will periodically review this list in consultation with appropriate agency heads and may add to, subtract from, supplement, or otherwise amend this list. Any amendment to this list will apply to any ICTS Transaction that is initiated, pending, or completed on or after the date that the list is amended.

Nothing in this part shall be construed as altering or affecting any other authority, process, regulation, investigation, enforcement measure, or review provided by or established under any other provision of Federal law, including prohibitions under the National Defense Authorization Act of 2019, the Federal Acquisition Regulations, or IEEPA, or any other authority of the President or the Congress under the Constitution of the United States.

Except as otherwise provided by law, any determinations, prohibitions, or decisions issued under this part may be amended, modified, or revoked, in whole or in part, at any time.

Public requests for agency records related to this part will be processed in accordance with the Department of Commerce's Freedom of Information Act regulations, 15 CFR part 4, or other applicable law and regulation.