February 12, 2021
The Information and Communications Technology and Services
(ICTS) Rule and Review Process
On January 19, 2021, the Department of Commerce
definition, but Commerce elaborated on the term in the
(Commerce) issued an interim final rule (86 FR 4909)
ICTS Rule. Commerce identified China (including Hong
implementing Executive Order 13873, which created a new
Kong), Cuba, Iran, North Korea, Russia, and the Nicolás
process for the Secretary to review transactions involving
Maduro regime in Venezuela as foreign adversaries.
information and communications technology and services
Commerce based its determination on several sources,
(ICTS) and determine whether those transactions present
including the U.S. National Security Strategy, the U.S.
certain national security and economic risks. When a
Intelligence Community’s Worldwide Threat Assessment,
transaction in ICTS involves foreign persons or
the 2018 U.S. Cyber Strategy, and other reports and
governments designated as “foreign adversaries” and
assessments from U.S. agencies. Commerce is to
presents certain “undue or unacceptable risks” to the United
periodically review the list of foreign adversaries.
States, the new rule (ICTS Rule) allows Commerce to either
block the transaction or negotiate risk-mitigation measures.
Determining Foreign Adversary
The ICTS review process regulates individual ICTS
Involvement
transactions—broadly defined as “any acquisition,
To be subject to the ICTS review process, a transaction
importation, transfer, installation, dealing in, or use of any
must involve ICTS designed, developed, manufactured, or
[ICTS].” As such, it could subject a wide range of
supplied by persons or entities owned by, controlled by, or
commercial interactions to a new federal approval process.
subject to the jurisdiction of a foreign adversary. In
determining whether the foreign adversary element is met,
What Is ICTS?
Commerce may consider: (1) whether the party to the
ICTS is defined as any “hardware, software, or other
transaction or its suppliers have headquarters or other
product or service . . . primarily intended to fulfill or enable
facilities in a foreign country controlled by a foreign
the function of information or data processing, storage,
adversary; (2) personal and professional ties between the
retrieval, or communication by electronic means . . . .” The
party and a foreign adversary; (3) laws and regulations of
term includes a broad array of technologies and services,
the foreign adversary in which a party is headquartered or
such as internet systems, wireless networks, cellular
conducts operations; and (4) other factors that the Secretary
phones, computers, satellite systems, artificial intelligence,
of Commerce deems appropriate.
quantum computing, and cloud computing services.
What Transactions Will Be Reviewed?
Executive Order 13873
In addition to the foreign adversary requirement, a
The ICTS Rule implements Executive Order 13873, titled
transaction must meet several criteria to be subject to the
Securing the Information and Communications Technology
ICTS review process. First, the transaction must involve
and Services Supply Chain. Invoking National Emergencies
property subject to U.S. jurisdiction or be conducted by an
Act (50 U.S.C. § 1601) and citing the International
individual or entity subject to U.S. jurisdiction. Second, the
Emergency Economic Powers Act (50 U.S.C. § 1701)
transaction must involve property in which a foreign
(IEEPA), President Trump declared that a national
country or foreign national has an interest. Third, the
emergency exists because of the threat of foreign
transaction must be initiated, pending, or completed after
adversaries exploiting vulnerabilities in ICTS. In response
January 19, 2021. Finally, the transaction must involve one
to this threat, Executive Order 13873 prohibits transactions
of six categories of technology:
involving foreign-owned ICTS that present: (1) an undue
risk of sabotage or subversion to ICTS in the United States;
1. Critical infrastructure: ICTS that will be
(2) an undue risk of catastrophic effects on the security or
used in one of 16 critical infrastructure sectors
resiliency of critical infrastructure or the digital economy in
designated in Presidential Policy Directive 21
the United States; or (3) an unacceptable risk to U.S.
(PPD 21);
national security or the security and safety of U.S. persons.
2. Network infrastructure and satellites: ICTS
The order delegates implementation to Commerce.
integral to wireless local area networks,
What Is a Foreign Adversary?
mobile networks, satellite payloads, satellite
operations and control, cable access points,
Executive Order 13873 references risks posed by foreign
wireline access points, core networking
adversaries, which the order defines as any foreign
systems, or long- and short-haul systems;
government or foreign person “engaged in a long-term
3. Sensitive personal data processing: ICTS
pattern or serious instances of conduct significantly
adverse” to U.S. security or the safety of U.S. persons.
integral to data hosting or computing services
The
that process (or are expected to process)
executive order does not identify entities that meet the
https://crsreports.congress.gov
The Information and Communications Technology and Services (ICTS) Rule and Review Process
sensitive personal data on more than one
parties do not respond, Commerce can make a final
million U.S. persons;
determination without a second consultation.
4. Monitoring, home networking, and drones:
Monitoring devices (e.g., webcams), home
Final determination: After the initial determination
networking devices (e.g., routers and
process, Commerce may issue a final, written determination
modems), and drones or other unmanned
on whether to permit the transaction, prohibit it in full, or
aerial systems, when more than one million
permit it subject to an agreement on risk-mitigation
units have been sold to U.S. persons;
measures. Commerce must complete the total process
within 180 days, unless it determines in writing that more
5. Communication software: Software
time is necessary. Violation of a final determination can
designed primarily for internet connections
result in civil and criminal penalties.
and communications in use by more than one
million U.S. persons; or
Comparisons to CFIUS
6. Emerging technology: ICTS integral to
Some observers have likened the ICTS review process to
artificial intelligence and machine learning,
CFIUS, which assists the President in overseeing the
quantum key distribution, quantum
national security implications of foreign investment in the
computing, drones, autonomous systems, or
U.S. economy. Both CFIUS and the ICTS review involve
advanced robotics.
interagency processes to review and block certain
Exclusions
commercial transactions with foreign entities that present
national security concerns. However, while CFIUS
The ICTS Rule excludes from review a U.S. person’s
traditionally reviews major corporate restructurings and
acquisition of ICTS as part of a U.S. government-industrial
acquisitions, the ICTS Rule authorizes Commerce to review
security program because those acquisitions are subject to
individual commercial sales. For example, whereas CFIUS
other forms of oversight. It also excludes transactions that
might prevent a foreign entity from acquiring a stake in a
the Committee on Foreign Investment in the United States
U.S. semiconductor company, under the ICTS Rule,
(CFIUS) is actively reviewing or has reviewed.
Commerce could block a U.S. company from buying
The ICTS Review Process
individual semiconductors from a foreign company subject
to the jurisdiction of a foreign adversary, such as China.
Referral: ICTS review begins with referral of a transaction
to Commerce. Referral can take place in three ways: (1)
When Does the ICTS Rule Go into Effect?
Commerce’s receipt of certain information that indicates
The ICTS Rule states that it will go into effect on March
review is warranted; (2) the request of the head of a federal
22, 2021. Although Commerce could delay implementation
agency; or (3) at the Secretary of Commerce’s discretion
under the Biden Administration’s January 20, 2021
(i.e., self-referral). The ICTS Rule does not require parties
memorandum imposing a regulatory freeze, executive
to proactively notify Commerce of an ICTS transaction, but
branch officials have not stated whether they will do so.
Commerce may require parties to furnish information and
documents. At the referral stage, Commerce assesses
Licensing and Preapproval
whether a transaction meets the foreign adversary,
During the notice and comment period on a proposed
technology, and other requirements to fall within the scope
version of the ICTS Rule (84 FR 65316), many
of the review process. After this assessment, Commerce can
commentators requested that Commerce allow parties to
accept the referral, seek more information from parties
obtain preapproval for planned ICTS transactions. In
involved in the transaction, or reject the referral.
response, Commerce stated in the ICTS Rule that it plans to
create a process to obtain licenses for proposed or pending
Initial review: If Commerce accepts a referral, it next
ICTS transactions. Commerce intends to publish licensing
conducts an initial review to determine whether the
procedures by March 22, 2021. The procedures would
transaction poses an undue or unacceptable risk as
require Commerce to review license applications on a fixed
described in Executive Order 13787. The ICTS Rule lists
timeline, and Commerce must complete review within 120
ten criteria Commerce may use in evaluating these risks.
days or the license would be deemed granted.
Criteria include the type of the technology or service at
issue, nature of the threat, and severity of potential harm. If
Congressional Interest
Commerce determines that the transaction presents an
Members of Congress may have an interest in the impact of
undue or unacceptable risk, it must conduct an interagency
the ICTS Rule on U.S. national security and economic
consultation.
interests. Because the ICTS sector is integrated into many
aspects of the economy, the ICTS Rule could have a wide-
Initial determination: After the first interagency
ranging effect on U.S. industry. Some business and trade
consultation, Commerce is to make an initial determination
groups contend the rule is overbroad, lacks transparency,
on whether to permit a transaction, prohibit it, or propose
and that compliance will be costly for U.S. companies.
measures to mitigate risks. Unless it permits the transaction
Others view the rule as essential to protect U.S. national
in full, Commerce must provide a written determination to
security and supply chains.
the parties to the transaction. Next, the parties have 30 days
to respond to the initial determination and propose their
Stephen P. Mulligan, Legislative Attorney
own remedial measures. If the parties respond, Commerce
must engage in a second interagency consultation. If the
IF11760
https://crsreports.congress.gov
The Information and Communications Technology and Services (ICTS) Rule and Review Process
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11760 · VERSION 1 · NEW