On November 26, the Department of Commerce published a Notice of Proposed Rulemaking to secure information and communications technology and services (ICTS) supply chains, including potential third-party audits of connected software and ICTS transactions. The proposed rule would establish additional criteria for the Secretary of Commerce to consider in any decision regarding whether an ICTS transaction or connected software application would pose a threat to national security.
The proposed rule includes the following as potential indicators of risk related to connected software applications:
- ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
- use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
- ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
- ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
- a lack of thorough and reliable third-party auditing of connected software applications; the scope and sensitivity of the data collected;
- the number and sensitivity of the users of the connected software application;
- and the extent to which identified risks have been or can be addressed by independently verifiable measures.
Comments to the Department of Commerce regarding this proposal must be received on or before December 27, 2021, and may be submitted here.
Please contact Jamie Saloom with any small business concerns.
Comments are closed.