This past year has been a significant turning point in the regulation of the Information and Communications Technology and Services (ICTS) supply chain. Executive Order (E.O.) 13873 identified threats to the ICTS supply chain posed by foreign adversaries as a serious national security risk and a national emergency. This order authorizes the Department of Commerce to broadly review ICTS transactions in the U.S. to determine whether they present undue or unacceptable risks to U.S. national security. If such risks are identified, the Commerce Department is empowered to undertake sweeping actions to mitigate them—ranging from banning the importation or use of specific ICTS to imposing compliance requirements, including “know your customer” obligations.
Leading this regulatory effort is the Office of ICTS (OICTS) within the Bureau of Industry and Security (BIS), a Department of Commerce agency responsible for ICTS reviews and national security enforcement. This article examines BIS’s framework for ICTS, highlights its enforcement history, and outlines steps companies can take to ensure compliance with these evolving regulations.
The ICTS Framework
Foundations and Scope
Although the ICTS rules are relatively new, they draw heavily from established trade controls such as sanctions, export controls, and foreign investment reviews (e.g., the Committee on Foreign Investment in the United States, or CFIUS). Despite these similarities, the ICTS rules establish a distinct regulatory regime. Their foundation is rooted in E.O. 13873, issued in May 2019, which directed the Department of Commerce to develop regulations aimed at securing the ICTS supply chain. The order highlights the “unusual and extraordinary threat” posed by ICTS transactions involving foreign adversaries to the “national security, foreign policy, and economy of the United States.” These regulations are now codified under 15 CFR Part 791. While borrowing concepts from trade controls, this new regime addresses technology “inbound” into the United States—a novel approach not fully covered by existing frameworks.
BIS’s Role and Authority
The Bureau of Industry and Security (BIS) exercises its authority under the ICTS framework through both transaction-specific reviews and broader regulatory initiatives. In its transaction reviews, BIS evaluates individual ICTS transactions involving foreign adversaries to assess potential risks. If a transaction is determined to pose a significant risk, BIS can impose measures to either ban or mitigate it. Beyond individual transactions, BIS also regulates categories of ICTS technologies that are identified as inherently high-risk due to vulnerabilities or links to foreign adversaries.
BIS focuses on addressing risks such as sabotage and subversion of ICTS infrastructure, potential disruptions to critical infrastructure or the digital economy, and broader threats to U.S. national security or personal safety. To mitigate these risks, BIS employs several regulatory tools. It can impose restrictions on specific classes of technologies, as demonstrated by proposed rules targeting connected vehicles. Additionally, BIS may take action against individual companies, such as its prohibition targeting Kaspersky Lab. The agency is also empowered to establish compliance program requirements, including “know your customer” rules, and to issue subpoenas to gather information relevant to its assessments.
Implementation of E.O. 13873
January 2021 Interim Rule: Key Provisions
The January 2021 Interim Rule, which became effective on March 22, 2021, established a framework for reviewing ICTS transactions involving foreign adversaries. Its broad scope covers ICTS technologies critical to infrastructure sectors as well as emerging technologies. While purely domestic transactions—those without any foreign involvement—are excluded from these rules, such scenarios are increasingly rare in today’s interconnected global supply chains.
In December 2024, BIS issued a final rule to replace the January interim rule, codifying its framework for reviewing ICTS transactions. Key updates to the final rule included:
Consolidating the scope of covered ICTS technologies.
Strengthening recordkeeping requirements for compliance transparency.
Clarifying the decision-making criteria for BIS reviews.
Key provisions of the combined rules include:
Definition of ICTS: The rule defines ICTS broadly to include hardware, software, and services intended for data processing, storage, or communication.
Foreign Adversaries: Countries currently designated as foreign adversaries include China, Russia, Iran, North Korea, Cuba, and Venezuela. Among these, China and Russia are particularly notable due to their significant trade ties and history of exploiting ICTS vulnerabilities. Transactions involving ICTS designed, developed, manufactured, or supplied by entities under the control or jurisdiction of these foreign adversaries are subject to the review process.
Transaction Scope: The rule applies to ICTS transactions initiated, pending, or completed on or after January 19, 2021, involving property under U.S. jurisdiction. To qualify for review, a transaction must involve foreign ownership, control, or interest and fall within one of six key technology categories:
Critical infrastructure
Network infrastructure
Sensitive personal data processing
Monitoring systems, home networks, and drones
Communication software
Emerging technologies, such as quantum key distribution
Pre-Approval Mechanism: Businesses have the option to seek pre-approval for transactions to gain regulatory certainty. This proactive approach allows companies to address potential concerns before engaging in ICTS-related activities.
Key Regulatory Developments and Enforcement Actions
Cloud Services under Scrutiny
BIS proposed rules targeting foreign access to cloud computing infrastructure due to concerns that such access could facilitate malicious activities, including cyberattacks or misuse of AI. Key proposed measures included:
Customer Identification Program (CIP): Similar to financial-sector “know your customer” programs, Infrastructure as a Service (IaaS) providers would verify and monitor customer identities.
Compliance Reporting: Providers would submit annual reports detailing adherence to CIP requirements.
Prohibitions and Exemptions: BIS proposed authority to restrict certain foreign persons from accessing IaaS platforms.
Though still in the proposal stage, these measures signal increasing scrutiny of foreign involvement in cloud services and further regulatory action. They also illustrate how Commerce can combine AML-style obligations with national security considerations.
Ban on Kaspersky Lab Cybersecurity Software
In a landmark enforcement action, BIS issued a Final Determination banning the use of Kaspersky Lab cybersecurity software in the U.S. due to its ties to Russian intelligence laws. BIS cited unacceptable risks, including potential data exploitation, unauthorized system manipulation, and malware injection. This decision demonstrated BIS’s ability to directly target foreign-controlled ICTS technologies, underscoring its capacity to take decisive action against individual companies deemed to pose national security threats. The ban covered both new agreements and ongoing updates, effectively prohibiting Kaspersky Lab software from operating in the United States.
Proposed Controls on Connected Vehicles
BIS issued a Notice of Proposed Rulemaking (NPRM) focused on connected vehicle systems linked to foreign adversaries, particularly China and Russia. The proposed rule outlined:
Import Restrictions: Bans on vehicle connectivity hardware and software tied to adversary-linked entities.
Supply Chain Due Diligence: Requiring manufacturers to certify compliance, ensuring no foreign adversary involvement in their products.
This inquiry reflects BIS’s broader strategy of regulating entire technology categories, going beyond company-specific bans. If implemented, it would have significant implications for the automotive sector, requiring manufacturers and suppliers to reassess their supply chains to comply with the proposed rules. Importantly, “knowledge” of foreign adversary involvement could include willful blindness, prompting deeper supplier due diligence.
UAS Rulemaking on the Horizon
On January 3, 2025, BIS issued an Advance Notice of Proposed Rulemaking (ANPRM) regarding Unmanned Aircraft Systems (UAS), aiming to assist the agency in determining which UAS-related technologies and market participants may be appropriate for regulation. The goal is to address undue or unacceptable risks to U.S. national security, including ICTS supply chains and critical infrastructure, and to ensure the security and safety of U.S. persons. Depending on how the rulemaking process evolves, BIS may issue another broad sector ban. This ANPRM suggests Commerce will continue examining entire segments for potential import bans or extensive compliance mandates.
Preparing for ICTS Enforcement: Compliance Tips
Practical Steps for Building Resilience
The ICTS framework’s evolution underscores the importance of proactive compliance. Companies should take the following steps to mitigate risks:
Inventory ICTS Applications: Identify ICTS technologies across the organization and supply chain. Transition away from adversary-linked products to minimize exposure. This inventory should include hardware, software, and any service that processes or communicates data.
Conduct Supplier Due Diligence: Investigate supplier links to foreign adversaries and regularly update these assessments to address evolving risks. Evaluate the legal, operational, and reputational implications of engaging with ICTS suppliers in countries considered foreign adversaries or integrating their products or services into your operations. Be aware that ownership or control by an adversary may extend beyond state-owned enterprises to private firms.
Develop Contingency Plans: Ensure alternative suppliers and technologies are available to mitigate disruptions caused by new restrictions. If BIS issues a final prohibition, imports and usage may need to cease quickly.
Integrate ICTS Risk into M&A Due Diligence: Include ICTS-related risks in merger and acquisition evaluations to uncover potential exposures.
Enhance Compliance Programs: Update policies to reflect BIS regulations and provide training on ICTS risk management. Strengthen internal frameworks for monitoring ICTS-related risks, ensuring they are robust and adaptable to new regulatory requirements. Consider establishing internal reporting channels for identifying potential links to foreign adversaries and clarifying how to respond to Commerce subpoenas or inquiries.
BIS’s enforcement actions—such as the Kaspersky ban and the Connected Vehicles inquiry—underscore a clear trend: the U.S. government is intensifying efforts to secure the ICTS supply chain from foreign adversaries. By actively participating in ongoing rulemaking, industry can help shape the regulatory landscape and ensure practical, effective measures. In parallel, companies must strengthen compliance frameworks, conduct thorough due diligence, and prepare for potential restrictions.
Disclaimer: The views expressed here are solely my own and do not represent the positions of my employer. They do not constitute legal advice nor create an attorney–client relationship.