Collapse to view only § 791.106 - Recordkeeping requirement.

§ 791.100 - General.

In implementing this part, the Secretary of Commerce may:

(a) Consider any and all relevant information held by, or otherwise made available to, the Federal Government that is not otherwise restricted by law for use for this purpose, including:

(1) Publicly available information;

(2) Confidential business information, as defined in 19 CFR 201.6, or proprietary information;

(3) Classified National Security Information, as defined in Executive Order 13526 (December 29, 2009) and its predecessor executive orders, and Controlled Unclassified Information, as defined in Executive Order 13556 (November 4, 2010);

(4) Information obtained from state, local, tribal, or foreign governments or authorities;

(5) Information obtained from parties to a transaction, including records related to such transaction that any party uses, processes, or retains, or would be expected to use, process, or retain, in their ordinary course of business for such a transaction;

(6) Information obtained through the authority granted under sections 2(a) and (c) of the Executive Order and IEEPA, as set forth in U.S.C. 7.101;

(7) Information provided by any other U.S. Government national security body, in each case only to the extent necessary for national security purposes, and subject to applicable confidentiality and classification requirements, including the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector and the Federal Acquisitions Security Council and its designated information-sharing bodies; and

(8) Information provided by any other U.S. Government agency, department, or other regulatory body, including the Federal Communications Commission, Department of Homeland Security, and Department of Justice;

(b) Consolidate the review of any ICTS Transactions with other transactions already under review where the Secretary determines that the transactions raise the same or similar issues, or that are otherwise properly consolidated;

(c) In consultation with the appropriate agency heads, in determining whether an ICTS Transaction involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, consider the following:

(1) Whether the person or its suppliers have headquarters, research, development, manufacturing, test, distribution, or service facilities, or other operations in a foreign country, including one controlled by, or subject to the jurisdiction of, a foreign adversary;

(2) Ties between the person—including its officers, directors or similar officials, employees, consultants, or contractors—and a foreign adversary;

(3) Laws and regulations of any foreign adversary in which the person is headquartered or conducts operations, including research and development, manufacturing, packaging, and distribution; and

(4) Any other criteria that the Secretary deems appropriate;

(d) In consultation with the appropriate agency heads, in determining whether an ICTS Transaction poses an undue or unacceptable risk, consider the following:

(1) Threat assessments and reports prepared by the Director of National Intelligence pursuant to section 5(a) of the Executive Order;

(2) Removal or exclusion orders issued by the Secretary of Homeland Security, the Secretary of Defense, or the Director of National Intelligence (or their designee) pursuant to recommendations of the Federal Acquisition Security Council, under 41 U.S.C. 1323;

(3) Relevant provisions of the Defense Federal Acquisition Regulation (48 CFR ch. 2) and the Federal Acquisition Regulation (48 CFR ch. 1), and their respective supplements;

(4) The written assessment produced pursuant to section 5(b) of the Executive Order, as well as the entities, hardware, software, and services that present vulnerabilities in the United States as determined by the Secretary of Homeland Security pursuant to that section;

(5) Actual and potential threats to execution of a “National Critical Function” identified by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency;

(6) The nature, degree, and likelihood of consequence to the United States public and private sectors that could occur if ICTS vulnerabilities were to be exploited; and

(7) Any other source or information that the Secretary deems appropriate; and

(e) In the event the Secretary finds that unusual and extraordinary harm to the national security of the United States is likely to occur if all of the procedures specified herein are followed, the Secretary may deviate from these procedures in a manner tailored to protect against that harm.

§ 791.101 - Information to be furnished on demand.

(a) Pursuant to the authority granted to the Secretary under sections 2(a), 2(b), and 2(c) of the Executive Order and IEEPA, persons involved in an ICTS Transaction may be required to furnish under oath, in the form of reports or otherwise, at any time as may be required by the Secretary, complete information relative to any act or transaction, subject to the provisions of this part. The Secretary may require that such reports include the production of any books, contracts, letters, papers, or other hard copy or electronic documents relating to any such act, transaction, or property, in the custody or control of the persons required to make such reports. Reports with respect to transactions may be required either before, during, or after such transactions. The Secretary may, through any person or agency, conduct investigations, hold hearings, administer oaths, examine witnesses, receive evidence, take depositions, and require by subpoena the attendance and testimony of witnesses and the production of any books, contracts, letters, papers, and other hard copy or documents relating to any matter under investigation, regardless of whether any report has been required or filed in connection therewith.

(b) For purposes of paragraph (a) of this section, the term “document” includes any written, recorded, or graphic matter or other means of preserving thought or expression (including in electronic format), and all tangible things stored in any medium from which information can be processed, transcribed, or obtained directly or indirectly, including correspondence, memoranda, notes, messages, contemporaneous communications such as text and instant messages, letters, emails, spreadsheets, metadata, contracts, bulletins, diaries, chronological data, minutes, books, reports, examinations, charts, ledgers, books of account, invoices, air waybills, bills of lading, worksheets, receipts, printouts, papers, schedules, affidavits, presentations, transcripts, surveys, graphic representations of any kind, drawings, photographs, graphs, video or sound recordings, and motion pictures or other film.

(c) Persons providing documents to the Secretary pursuant to this section must produce documents in a format useable to the Department of Commerce, which may be detailed in the request for documents or otherwise agreed to by the parties.

§ 791.102 - Confidentiality of information.

(a) Information or documentary materials, not otherwise publicly or commercially available, submitted or filed with the Secretary under this part will not be released publicly except to the extent required by law.

(b) The Secretary may disclose information or documentary materials that are not otherwise publicly or commercially available and referenced in paragraph (a) in the following circumstances:

(1) Pursuant to any administrative or judicial proceeding;

(2) Pursuant to an act of Congress;

(3) Pursuant to a request from any duly authorized committee or subcommittee of Congress;

(4) Pursuant to any domestic governmental entity, or to any foreign governmental entity of a United States ally or partner, information or documentary materials, not otherwise publicly or commercially available and important to the national security analysis or actions of the Secretary, but only to the extent necessary for national security purposes, and subject to appropriate confidentiality and classification requirements;

(5) Where the parties or a party to a transaction have consented, the information or documentary material that are not otherwise publicly or commercially available may be disclosed to third parties; and

(6) Any other purpose authorized by law.

(c) This section shall continue to apply with respect to information and documentary materials that are not otherwise publicly or commercially available and submitted to or obtained by the Secretary even after the Secretary issues a final determination pursuant to § 791.109.

(d) The provisions of 18 U.S.C. 1905, relating to fines and imprisonment and other penalties, shall apply with respect to the disclosure of information or documentary material provided to the Secretary under these regulations.

[86 FR 4923, Jan. 19, 2021. Redesignated and amended at 89 FR 58265, July 18, 2024]

§ 791.103 - Initial review of ICTS Transactions.

(a) Upon receipt of any information identified in § 791.100(a), upon written request of an appropriate agency head, or at the Secretary's discretion, the Secretary may consider any referral for review of a transaction (referral).

(b) In considering a referral pursuant to paragraph (a), the Secretary shall assess whether the referral falls within the scope of § 791.3(a) and involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, and determine whether to:

(1) Accept the referral and commence an initial review of the transaction;

(2) Request additional information, as identified in § 791.100(a), from the referring entity regarding the referral; or

(3) Reject the referral.

(c) Upon accepting a referral pursuant to paragraph (b) of this section, the Secretary shall conduct an initial review of the ICTS Transaction and assess whether the ICTS Transaction poses an undue or unacceptable risk, which may be determined by evaluating the following criteria:

(1) The nature and characteristics of the information and communications technology or services at issue in the ICTS Transaction, including technical capabilities, applications, and market share considerations;

(2) The nature and degree of the ownership, control, direction, or jurisdiction exercised by the foreign adversary over the design, development, manufacture, or supply at issue in the ICTS Transaction;

(3) The statements and actions of the foreign adversary at issue in the ICTS Transaction;

(4) The statements and actions of the persons involved in the design, development, manufacture, or supply at issue in the ICTS Transaction;

(5) The statements and actions of the parties to the ICTS Transaction;

(6) Whether the ICTS Transaction poses a discrete or persistent threat;

(7) The nature of the vulnerability implicated by the ICTS Transaction;

(8) Whether there is an ability to otherwise mitigate the risks posed by the ICTS Transaction;

(9) The severity of the harm posed by the ICTS Transaction on at least one of the following:

(i) Health, safety, and security;

(ii) Critical infrastructure;

(iii) Sensitive data;

(iv) The economy;

(v) Foreign policy;

(vi) The natural environment; and

(vii) National Essential Functions (as defined by Federal Continuity Directive-2 (FCD-2)); and

(10) The likelihood that the ICTS Transaction will in fact cause threatened harm.

(d) For ICTS Transactions involving connected software applications that are accepted for review, the Secretary's assessment of whether the ICTS Transaction poses an undue or unacceptable risk may be determined by evaluating the criteria in paragraph (c) as well as the following additional criteria:

(1) Ownership, control, or management by persons that support a foreign adversary's military, intelligence, or proliferation activities;

(2) Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary's access to sensitive or confidential government or business information, or sensitive personal data;

(3) Ownership, control, or management of connected software applications by persons subject to the jurisdiction or direction of a foreign adversary;

(4) Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;

(5) Whether there is regular, thorough, and reliable third-party auditing of connected software applications;

(6) The scope and sensitivity of the data collected;

(7) The number and sensitivity of the users with access to the connected software application; and

(8) The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.

(e) If the Secretary finds that an ICTS Transaction does not meet the criteria of paragraph (b) of this section:

(1) The transaction shall no longer be under review; and

(2) Future review of the transaction shall not be precluded, where additional information becomes available to the Secretary.

[86 FR 4923, Jan. 19, 2021, as amended at 88 FR 39358, June 16, 2023. Redesignated and amended at 89 FR 58265, July 18, 2024]

§ 791.104 - First interagency consultation.

Upon finding that an ICTS Transaction likely meets the criteria set forth in § 791.103(c) during the initial review under § 791.103, the Secretary shall notify the appropriate agency heads and, in consultation with them, shall determine whether the ICTS Transaction meets the criteria set forth in § 791.103(c).

[86 FR 4923, Jan. 19, 2021. Redesignated and amended at 89 FR 58265, July 18, 2024]

§ 791.105 - Initial determination.

(a) If, after the consultation required by § 791.104, the Secretary determines that the ICTS Transaction does not meet the criteria set forth in § 791.103(c):

(1) The transaction shall no longer be under review; and

(2) Future review of the transaction shall not be precluded, where additional information becomes available to the Secretary.

(b) If, after the consultation required by § 791.104, the Secretary determines that the ICTS Transaction meets the criteria set forth in § 791.103(c), the Secretary shall:

(1) Make an initial written determination, which shall be dated and signed by the Secretary, that:

(i) Explains why the ICTS Transaction meets the criteria set forth in § 791.103(c); and

(ii) Sets forth whether the Secretary has initially determined to prohibit the ICTS Transaction or to propose mitigation measures, by which the ICTS Transaction may be permitted; and

(2) Notify the parties to the ICTS Transaction either through publication in the Federal Register or by serving a copy of the initial determination on the parties via registered U.S. mail, facsimile, and electronic transmission, or third-party commercial carrier, to an addressee's last known address or by personal delivery.

(c) Notwithstanding the fact that the initial determination to prohibit or propose mitigation measures on an ICTS Transaction may, in whole or in part, rely upon classified national security information, or sensitive but unclassified information, the initial determination will contain no classified national security information, nor reference thereto, and, at the Secretary's discretion, may not contain sensitive but unclassified information.

[86 FR 4923, Jan. 19, 2021. Redesignated and amended at 89 FR 58265, July 18, 2024]

§ 791.106 - Recordkeeping requirement.

Upon notification that an ICTS Transaction is under review or that an initial determination concerning an ICTS Transaction has been made, a notified person must immediately take steps to retain any and all records relating to such transaction.

§ 791.107 - Procedures governing response and mitigation.

Within 30 days of service of the Secretary's notification pursuant to § 791.105, a party to an ICTS Transaction may respond to the Secretary's initial determination or assert that the circumstances resulting in the initial determination no longer apply, and thus seek to have the initial determination rescinded or mitigated pursuant to the following administrative procedures:

(a) A party may submit arguments or evidence that the party believes establishes that insufficient basis exists for the initial determination, including any prohibition of the ICTS Transaction;

(b) A party may propose remedial steps on the party's part, such as corporate reorganization, disgorgement of control of the foreign adversary, engagement of a compliance monitor, or similar steps, which the party believes would negate the basis for the initial determination;

(c) Any submission must be made in writing;

(d) A party responding to the Secretary's initial determination may request a meeting with the Department, and the Department may, at its discretion, agree or decline to conduct such meetings prior to making a final determination pursuant to § 791.109;

(e) This rule creates no right in any person to obtain access to information in the possession of the U.S. Government that was considered in making the initial determination to prohibit the ICTS Transaction, to include classified national security information or sensitive but unclassified information; and

(f) If the Department receives no response from the parties within 30 days after service of the initial determination to the parties, the Secretary may determine to issue a final determination without the need to engage in the consultation process provided in section 791.108.

[86 FR 4923, Jan. 19, 2021. Redesignated and amended at 89 FR 58265, July 18, 2024]

§ 791.108 - Second interagency consultation.

(a) Upon receipt of any submission by a party to an ICTS Transaction under § 791.107, the Secretary shall consider whether and how any information provided—including proposed mitigation measures—affects an initial determination of whether the ICTS Transaction meets the criteria set forth in § 791.103(c).

(b) After considering the effect of any submission by a party to an ICTS Transaction under § 791.107 consistent with paragraph (a) of this section, the Secretary shall consult with and seek the consensus of all appropriate agency heads prior to issuing a final determination as to whether the ICTS Transaction shall be prohibited, not prohibited, or permitted pursuant to the adoption of negotiated mitigation measures.

(c) If consensus is unable to be reached, the Secretary shall notify the President of the Secretary's proposed final determination and any appropriate agency head's opposition thereto.

(d) After receiving direction from the President regarding the Secretary's proposed final determination and any appropriate agency head's opposition thereto, the Secretary shall issue a final determination pursuant to § 791.109.

[86 FR 4923, Jan. 19, 2021. Redesignated and amended at 89 FR 58265, July 18, 2024]

§ 791.109 - Final determination.

(a) For each transaction for which the Secretary issues an initial determination that an ICTS Transaction is prohibited, the Secretary shall issue a final determination as to whether the ICTS Transaction is:

(1) Prohibited;

(2) Not prohibited; or

(3) Permitted, at the Secretary's discretion, pursuant to the adoption of negotiated mitigation measures.

(b) Unless the Secretary determines in writing that additional time is necessary, the Secretary shall issue the final determination within 180 days of accepting a referral and commencing the initial review of the ICTS Transaction pursuant to § 791.103.

(c) If the Secretary determines that an ICTS Transaction is prohibited, the Secretary shall have the discretion to direct the least restrictive means necessary to tailor the prohibition to address the undue or unacceptable risk posed by the ICTS Transaction.

(d) The final determination shall:

(1) Be written, signed, and dated;

(2) Describe the Secretary's determination;

(3) Be unclassified and contain no reference to classified national security information;

(4) Consider and address any information received from a party to the ICTS Transaction;

(5) Direct, if applicable, the timing and manner of the cessation of the ICTS Transaction;

(6) Explain, if applicable, that a final determination that the ICTS Transaction is not prohibited does not preclude the future review of transactions related in any way to the ICTS Transaction;

(7) Include, if applicable, a description of the mitigation measures agreed upon by the party or parties to the ICTS Transaction and the Secretary; and

(8) State the penalties a party will face if it fails to comply fully with any mitigation agreement or direction, including violations of IEEPA, or other violations of law.

(e) The written, signed, and dated final determination shall be sent to:

(1) The parties to the ICTS Transaction via registered U.S. mail and electronic mail; and

(2) The appropriate agency heads.

(f) The results of final written determinations to prohibit an ICTS Transaction shall be published in the Federal Register. The publication shall omit any confidential business information.

[86 FR 4923, Jan. 19, 2021. Redesignated and amended at 89 FR 58265, July 18, 2024]

§ 791.110 - Classified national security information.

In any review of a determination made under this part, if the determination was based on classified national security information, such information may be submitted to the reviewing court ex parte and in camera. This section does not confer or imply any right to review in any tribunal, judicial or otherwise.