The Information and Communications Technology and Services (ICTS) Rule and Review Process
Updated June 22, 2023
The Information and Communications Technology and Services
(ICTS) Rule and Review Process
In January 2021, the Department of Commerce
definition, but Commerce elaborated on the term in the
(Commerce) created a new process for the executive branch
Supply Chain Rule. Commerce identified China (including
to review transactions involving information and
Hong Kong), Cuba, Iran, North Korea, Russia, and the
communications technology and services (ICTS) and to
Nicolás Maduro regime in Venezuela as foreign
determine whether those transactions present national
adversaries. Commerce based its determination on several
security and economic risks. Commerce established the
sources, including the U.S. National Security Strategy, the
process under an interim final rule (86 FR 4909), which
U.S. Intelligence Community’s Worldwide Threat
implements Executive Order 13873 (May 15, 2019). When
Assessment, the 2018 U.S. Cyber Strategy, and other
a transaction in ICTS involves “foreign adversaries” and
reports and assessments from U.S. agencies. Commerce is
presents certain “undue or unacceptable risks” to the United
to periodically review the list of foreign adversaries.
States, the new rule (Supply Chain Rule) allows Commerce
to either block the transaction or negotiate risk-mitigation
Determining Foreign Adversary
measures. The ICTS review process regulates individual
Involvement
ICTS transactions—broadly defined as “any acquisition,
To be subject to the ICTS review process, a transaction
importation, transfer, installation, dealing in, or use of any
must involve ICTS designed, developed, manufactured, or
[ICTS].” As such, it could subject a wide range of
supplied by persons or entities owned by, controlled by, or
commercial interactions to a new federal approval process.
subject to the jurisdiction or direction of a foreign
adversary. In determining whether the foreign adversary
What Is ICTS?
element is met, Commerce may consider (1) whether the
ICTS is defined as any “hardware, software, or other
party to the transaction or its suppliers have headquarters or
product or service … primarily intended to fulfill or enable
other facilities in a foreign country controlled by a foreign
the function of information or data processing, storage,
adversary, (2) personal and professional ties between the
retrieval, or communication by electronic means.” The term
party and a foreign adversary, (3) laws and regulations of
includes a broad array of technologies and services, such as
the foreign adversary in which a party is headquartered or
internet systems, wireless networks, cellular phones,
conducts operations, and (4) other factors that the Secretary
computers, satellite systems, artificial intelligence, quantum
of Commerce deems appropriate.
computing, and cloud computing services.
What Transactions Will Be Reviewed?
Executive Order 13873
In addition to the foreign adversary requirement, a
The Supply Chain Rule implements Executive Order
transaction must meet several criteria to be subject to the
13873, titled Securing the Information and
ICTS review process. First, the transaction must involve
Communications Technology and Services Supply Chain.
property subject to U.S. jurisdiction or activity conducted
Invoking National Emergencies Act (50 U.S.C. § 1601) and
by an individual or entity subject to U.S. jurisdiction.
citing the International Emergency Economic Powers Act
Second, the transaction must involve property in which a
(50 U.S.C. §1701), then-President Trump declared a
foreign country or foreign national has an interest. Third,
national emergency because of the threat of foreign
the transaction must be initiated, pending, or completed
adversaries exploiting vulnerabilities in ICTS. In response
after January 19, 2021. Finally, the transaction must involve
to this threat, Executive Order 13873 prohibits transactions
one of six categories of technology:
involving foreign-owned ICTS that present (1) an undue
risk of sabotage or subversion to ICTS in the United States,
1. Critical infrastructure: ICTS that will be
(2) an undue risk of catastrophic effects on the security or
used in one of 16 critical infrastructure sectors
resiliency of critical infrastructure or the digital economy in
designated in Presidential Policy Directive 21;
the United States, or (3) an unacceptable risk to U.S.
2. Network infrastructure and satellites: ICTS
national security or the security and safety of U.S. persons.
integral to wireless local area networks,
The order delegates implementation to Commerce.
mobile networks, satellite payloads, satellite
What Is a Foreign Adversary?
operations and control, cable access points,
wireline access points, core networking
Executive Order 13873 references risks posed by foreign
systems, or long- and short-haul systems;
adversaries, which the order defines as any foreign
government or foreign person “engaged in a long
3. Sensitive personal data processing: ICTS
-term
integral to data hosting or computing services
pattern or serious instances of conduct significantly
adverse” to U.S. security or the safety of U.S. persons. The
that process (or are expected to process)
executive order does not identify entities that meet the
https://crsreports.congress.gov
The Information and Communications Technology and Services (ICTS) Rule and Review Process
sensitive personal data on more than 1 million
If Commerce determines that the transaction presents an
U.S. persons;
undue or unacceptable risk, it must conduct an interagency
4. Monitoring, home networking, and drones:
consultation.
Monitoring devices (e.g., webcams), home
networking devices (e.g., routers and
Initial determination: After the first interagency
modems), and drones or other unmanned
consultation, Commerce is to make an initial determination
aerial systems when more than 1 million units
on whether to permit a transaction, prohibit it, or propose
have been sold to U.S. persons;
measures to mitigate risks. Unless it permits the transaction
in full, Commerce must provide a written determination to
5. Communication software: Software
the parties to the transaction. Next, the parties have 30 days
designed primarily for internet connections
to respond to the initial determination and propose their
and communications in use by more than 1
own remedial measures. If the parties respond, Commerce
million U.S. persons; or
must engage in a second interagency consultation. If the
6. Emerging technology: ICTS integral to
parties do not respond, Commerce can make a final
artificial intelligence and machine learning,
determination without a second consultation.
quantum key distribution, quantum
computing, drones, autonomous systems, or
Final determination: After the initial determination
advanced robotics.
process, Commerce may issue a final, written determination
Connected Software Applications
on whether to permit the transaction, prohibit it in full, or
permit it subject to an agreement on risk-mitigation
In June 2021, President Biden issued Executive Order
measures. Commerce must complete the total process
14034, which directed the Secretary of Commerce to
within 180 days unless it determines in writing that more
evaluate the risks posed by connected software
time is necessary. Violation of a final determination can
applications, commonly called “apps.” The order identified
result in civil and criminal penalties.
additional criteria for Commerce to consider when
evaluating transactions involving apps under the Supply
Comparisons to CFIUS
Chain Rule. Factors include the app’s capacity to enable
Some observers have likened the ICTS review process to
espionage and the sensitivity of data collected. In June
CFIUS, which assists the President in overseeing the
2023, Commerce published a final rule (88 FR 39353),
national security implications of foreign investment in the
effective July 17, 2023, that expressly includes apps in the
U.S. economy. Both CFIUS and the ICTS review involve
definition of ICTS and adds app-specific risk factors to the
interagency processes to review and block certain
Supply Chain Rule.
commercial transactions with foreign entities that present
Exclusions
national security concerns. However, while CFIUS
traditionally reviews major corporate restructurings and
The Supply Chain Rule excludes from review a U.S.
acquisitions, the Supply Chain Rule authorizes Commerce
person’s acquisition of ICTS as part of a U.S. government-
to review individual commercial sales. For example,
industrial security program, because those acquisitions are
whereas CFIUS might prevent a foreign entity from
subject to other forms of oversight. It also excludes
acquiring a stake in a U.S. semiconductor company, under
transactions that the Committee on Foreign Investment in
the Supply Chain Rule, Commerce could block a U.S.
the United States (CFIUS) is reviewing or has reviewed.
company from buying individual semiconductors from a
foreign company in a foreign adversary’s jurisdiction.
The ICTS Review Process
Referral: ICTS review begins with referral of a transaction
Licensing and Pre-Approval
to Commerce. Referral can take place in three ways: (1)
During the notice and comment period on a proposed
Commerce’s receipt of certain information that indicates
version of the Supply Chain Rule (84 FR 65316), many
review is warranted; (2) the head of a federal agency’s
commentators requested that Commerce allow parties to
request; or (3) at the Secretary of Commerce’s discretion
obtain pre-approval for planned ICTS transactions. In
(i.e., self-referral). The Supply Chain Rule does not require
response, Commerce stated in the Supply Chain Rule that it
parties to proactively notify Commerce of an ICTS
plans to create a licensing process.
transaction, but Commerce may require parties to furnish
information and documents. At the referral stage,
Congressional Interest
Commerce assesses whether a transaction meets the foreign
Members of Congress may have an interest in the Supply
adversary, technology, and other requirements to fall within
Chain Rule’s impact on U.S. national security and
the scope of the review process. After this assessment,
economic interests. Because the ICTS sector is integrated
Commerce can accept the referral, seek more information
into many aspects of the economy, the Supply Chain Rule
from parties, or reject the referral.
could have a wide-ranging effect on U.S. industry. Some
business and trade groups contend the rule is overbroad,
Initial review: If Commerce accepts a referral, it next
lacks transparency, and results in costly compliance. Others
conducts an initial review to determine whether the
view the rule as essential to protect U.S. national security
transaction poses an undue or unacceptable risk as
and supply chains.
described in Executive Order 13787. The Supply Chain
Rule lists 10 criteria Commerce may use in evaluating these
Stephen P. Mulligan, Legislative Attorney
risks. Criteria include the type of the technology or service
at issue, nature of the threat, and severity of potential harm.
IF11760
https://crsreports.congress.gov
The Information and Communications Technology and Services (ICTS) Rule and Review Process
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11760 · VERSION 3 · UPDATED