For general inquiries to OICTS, please :
Link to kelingyizhi
This address is being protected from spambots. You need JavaScript enabled to view it.
To report a tip on potential violations of OICTS regulations, please :
This address is being protected from spambots. You need JavaScript enabled to view it.
All comments must be submitted by one of the following methods:
To implement provisions of Executive Order , Protecting Americans' Sensitive Data from Foreign Adversaries ( E.O. ), the Department of Commerce is proposing to amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (Supply Chain Rule), which was published on January 19, , 86 FR . Specifically, this proposed rule would amend the Supply Chain Rule to provide for additional criteria that the Secretary of Commerce (the Secretary) may consider specifically when determining whether ICTS Transactions (as defined in the Supply Chain Rule) that involve connected software applications present an undue or unacceptable risk. The rule also makes conforming changes by revising the definition of ICTS to expressly include connected software applications and adding a definition of connected software application that is consistent with that used in E.O. . The Department is interested in the public's views on the additional criteria for connected software applications, including whether they should be applied to all ICTS Transaction reviews, whether there are other criteria that should be applied, and how the Secretary should apply the criteria to ICTS Transactions involving connected software applications.
( print page )
On January 19, , the Department published an interim final rule in the Federal Register on Securing the Information and Communications Technology and Services Supply Chain. 86 FR . The Supply Chain Rule implemented Executive Order , Securing the Information and Communications Technology and Services Supply Chain (84 FR ), including by setting out procedures by which the Secretary of Commerce, in consultation with the appropriate heads of other administrative agencies, would review ICTS Transactions for whether they present an undue or unacceptable risk due to a foreign adversary's involvement. The Supply Chain Rule defines ICTS as any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display. The Supply Chain Rule further provides that an ICTS Transaction is, any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download. An ICTS Transaction includes any other transaction, the structure of which is designed or intended to evade or circumvent the application of E.O. . The term ICTS Transaction includes a class of ICTS Transactions.
On June 9, , the President issued E.O. to elaborate upon measures to address the national emergency with respect to the information and communications technology and services supply chain that was declared in Executive Order of May 15, , `Securing the Information and Communications Technology and Services Supply Chain.' E.O. sets out the finding that the increased use in the United States of certain connected software applications designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary, which the Secretary of Commerce acting pursuant to E.O. has defined to include the People's Republic of China, among others, continues to threaten the national security, foreign policy, and economy of the United States. This rule would implement E.O. by specifically adding the term connected software applications and the accompanying criteria, which do not appear in E.O. , to the Supply Chain Rule to ensure the rule clearly and consistently identifies the ICTS that is threatened.
E.O. orders the Secretary to evaluate on a continuing basis transactions involving connected software applications that may pose an undue risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; pose an undue risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States; or otherwise pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.
E.O. further sets out certain factors, consistent with the criteria established in E.O. and in addition to those set forth in the Supply Chain Rule, that should be considered in evaluating the risks of a transaction involving connected software applications. Specifically, E.O. lists the following as potential indicators of risk related to connected software applications: ownership, control, or management by persons that support a foreign adversary's military, intelligence, or proliferation activities; use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary's access to sensitive or confidential government or business information, or sensitive personal data; ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary; ownership, control, or management of connected software applications by persons involved in malicious cyber activities; a lack of thorough and reliable third-party auditing of connected software applications; the scope and sensitivity of the data collected; the number and sensitivity of the users of the connected software application; and the extent to which identified risks have been or can be addressed by independently verifiable measures.
This proposed rule incorporates these potential indicators of risk as criteria to be considered by the Secretary when assessing whether an ICTS Transaction involving connected software applications poses an undue or unacceptable risk. The Department seeks public comments on these criteria, including how the Secretary should apply these to ICTS Transactions involving connected software applications, and whether there are additional criteria that should be considered by the Secretary with respect to connected software applications. The Department is also interested in the public's views as to whether these criteria should be applied to all ICTS Transaction reviews or just those that involve connected software applications. In addition, the Department seeks comment on any other considerations the Secretary should take into account when determining whether an ICTS Transaction involving connected software applications should, consistent with the authority and procedures of E.O. and the Supply Chain Rule, be allowed, mitigated, or prohibited.
Additionally, consistent with E.O. 's recognition of the ongoing threat, identified in E.O. , by foreign adversaries to steal or otherwise obtain data through connected software applications, the Department notes that the term information and communications technology and services encompasses connected software applications and is proposing to revise the definition of ICTS accordingly to expressly so specify. This rule would also make a conforming revision to the term ICTS Transaction, and would define connected software applications as software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.
The Department proposes to add the phrase connected software applications to section 7.1 of Title 15 of the Code of Federal Regulations (CFR).
As noted above, consistent with E.O. 's recognition of the ongoing threat by foreign adversaries to steal, otherwise obtain, or disrupt data through connected software applications, this rule would expressly specify that the term information and communications technology and services or ICTS encompasses connected software applications. The proposed definition of connected software applications is taken from E.O. : software, a software ( print page ) program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.
The Department welcomes comment on whether this definition is sufficient to identify fully this category of ICTS, or whether further clarification or elaboration is needed. For instance, are there technical aspects to the definition that are used in industry or engineering that should be incorporated into the definition? Should the Department include other devices, such as those that communicate through short message service (SMS) messages, or low-power radio protocols? Should the definition be extended from end-point devices to end-to-end technology, and is end-to-end a term of art that we should employ? Are there other means of communication or transmission that are not encompassed by this definition but should be included?
Further, the Department proposes to add new §7.3(a)(4)(v)(E) regarding the types of software designed primarily for connecting with and communicating via the internet that is used by greater than one million U.S. persons involved in ICTS Transactions that are subject to the Secretary's review.
To incorporate the new criteria for determining whether a transaction involving connected software applications poses an undue or unacceptable risk, as defined in the Supply Chain Rule, this rule would amend §7.103 to add the criteria from E.O. in a new paragraph. Notably, these criteria complement, and are in addition to, the criteria already in 7.103(c) for determining whether an ICTS Transaction poses an undue or unacceptable risk. In making this determination for connected software applications, the Secretary would evaluate both the criteria in 7.103(c) and in the new paragraph. Specifically, the Department would redesignate current paragraph 7.103(d) as 7.103(e) and add new paragraph 7.103(d) to include the following criteria:
As noted above, while the proposed regulatory text below adds these criteria in a new sub-paragraph applicable only to ICTS Transactions involving connected software applications, the Department is also inviting comments on whether these criteria are sufficient or whether others should be added. For example, should the Department add a criterion such as whether the software has any embedded out-going network calls or web server references, regardless of the ownership, control, or management of the software? The Department also seeks comments on whether the criteria should be more generally applicable to ICTS Transactions.
With regard to the phrase ownership, control or management, should it be understood to include both continuous control/management and sporadic control/management ( e.g., when a third-party must be temporally granted access to apply updates/upgrades/patches/etc.), or should this phrase be further clarified?
Additionally, the Department seeks comment on whether and how the Department should specifically define the terms reliable third-party and independently verifiable measures, and, if so, whether there are generally accepted definitions or terms of art that the Department should consider adopting. The Department is also interested in whether the reference to third-party auditing of connected software applications is sufficiently clear or whether it needs further definition. For example, would it be understood to apply to audits by a third party of only the connected software applications, or to audits of the organizations implementing the software applications as well? Also, should the requirement to audit applications be revised to make clear that auditing is a continuous process through the development and deployment life cycle of the application? And would the requirement to audit applications be understood to refer only to source-code examination and verification, or would it also include monitoring of logs or other data that the application collects?
Pursuant to the procedures established to implement Executive Order , the Office of Management and Budget has determined that this rule is significant but not economically significant.
The Chief Counsel for Regulation of the Department of Commerce certifies to the Chief Counsel for Advocacy of the Small Business Administration that this proposed rule would not have a significant economic impact on a substantial number of small entities. The factual determination for this determination is as follows.
This proposed rule would update the regulations at 15 CFR part 7 that implement E.O. to revise the term ICTS to specifically include connected software applications, as well as to affirm that a transaction involving connected software applications is an ICTS Transaction. It would add criteria the Secretary and the appropriate agency heads may use in making determinations about the risks potentially posed by ICTS Transactions involving connected software applications. The rule would also make conforming changes.
Accordingly, this proposed rule does not increase the scope of applicability of the existing regulations, the economic effects of which were evaluated in the regulatory impact analysis (RIA) associated with the Supply Chain Rule, at 86 FR . (The RIA can be found online at reginfo.gov, and at regulations.gov, with a search for RIN -AA51.) This proposed rule, once implemented, will not add any costs or burdens to any entity, small or large, because it does not expand the application scope of the Supply Chain Rule. Because this proposed rule neither increases the number of entities to which the Supply Chain Rule applies, nor increases the cost and burdens on those entities, it would not have a significant economic impact on a substantial number of small businesses. ( print page )
The Paperwork Reduction Act of (44 U.S.C. et seq.) (PRA) provides that an agency generally cannot conduct or sponsor a collection of information, and no person is required to respond to nor be subject to a penalty for failure to comply with a collection of information, unless that collection has obtained Office of Management and Budget (OMB) approval and displays a currently valid OMB Control Number. This proposed rule does not contain a collection of information requirement subject to review and approval by OMB under the PRA.
This proposed rule would not create a Federal mandate (under the regulatory provisions of Title II of the Unfunded Mandates Reform Act of ) for State, local, and tribal governments or the private sector.
This proposed rule does not contain policies having federalism implications requiring preparations of a Federalism Summary Impact Statement.
This rule does not contain policies that have unconstitutional takings implications.
The Department has analyzed this proposed rule under Executive Order and has determined that the action would not have a substantial direct effect on one or more Indian tribes, would not impose substantial direct compliance costs on Indian tribal governments, and would not preempt tribal law.
The Department has reviewed this rulemaking action for the purposes of the National Environmental Policy Act (42 U.S.C. et. seq). It has determined that this proposed rule would not have a significant impact on the quality of the human environment.
Trisha Anderson,
Deputy Assistant Secretary for Intelligence and Security, U.S. Department of Commerce.
1. The authority citation for part 7 continues to read as follows:
2. Revise §7.1 to read as follows:
Purpose.
(a) These regulations set forth the procedures by which the Secretary may:
(1) Determine whether any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service (ICTS Transaction), including connected software applications, that has been designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries poses certain undue or unacceptable risks as identified in the Executive Order;
(2) Issue a determination to prohibit an ICTS Transaction;
(3) Direct the timing and manner of the cessation of the ICTS Transaction; and
(4) Consider factors that may mitigate the risks posed by the ICTS Transaction.
(b) The Secretary will evaluate ICTS Transactions under this rule, which include classes of transactions, on a case-by-case basis. The Secretary, in consultation with appropriate agency heads specified in Executive Order and other relevant governmental bodies, as appropriate, shall make an initial determination as to whether to prohibit a given ICTS Transaction or propose mitigation measures, by which the ICTS Transaction may be permitted. Parties may submit information in response to the initial determination, including a response to the initial determination and any supporting materials and/or proposed measures to remediate or mitigate the risks identified in the initial determination as posed by the ICTS Transaction at issue. Upon consideration of the parties' submissions, the Secretary will issue a final determination prohibiting the transaction, not prohibiting the transaction, or permitting the transaction subject to the adoption of measures determined by the Secretary to sufficiently mitigate the risks associated with the ICTS Transaction. The Secretary shall also engage in coordination and information sharing, as appropriate, with international partners on the application of these regulations.
3. Amend §7.2 by adding, in alphabetical order, the definition for Connected software application and revising the definition of Information and communications technology or services or ICTS to read as follows:
§7.2Definitions.
*
*
*
*
Want more information on communication technology ltd? Feel free to contact us.
*
Connected software application means software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.
*
*
*
*
*
Information and communications technology or services or ICTS means any hardware, software, including connected software applications, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.
*
*
*
*
*
4. Amend §7.3 by adding paragraph (a)(4)(v)(E) to read as follows:
§7.3Scope of Covered ICTS Transactions.
(a) * * *
(4) * * *
(v) * * *
(E) Connected software applications; or
*
*
*
*
*
5. In §7.103, redesignate paragraph (d) as paragraph (e) and add new paragraph (d) to read as follows:
§7.103Initial review of ICTS Transactions.
*
*
*
*
*
(d) For ICTS Transactions involving connected software applications that are accepted for review, the Secretary's assessment of whether the ICTS Transaction poses an undue or unacceptable risk may be determined by evaluating the criteria in paragraph (c) of this section as well as the following additional criteria:
(1) Ownership, control, or management by persons that support a foreign adversary's military, intelligence, or proliferation activities; ( print page )
(2) Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary's access to sensitive or confidential government or business information, or sensitive personal data;
(3) Ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
(4) Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
(5) A lack of thorough and reliable third-party auditing of connected software applications;
(6) The scope and sensitivity of the data collected;
(7) The number and sensitivity of the users of the connected software application; and
(8) The extent to which identified risks have been or can be addressed by independently verifiable measures.
*
*
*
*
*
Are you interested in learning more about telecom bts? Contact us today to secure an expert consultation!