Federal Register - January 19, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 11 / Tuesday, January 19, 2021 / Rules and Regulations
DEPARTMENT OF COMMERCE
15 CFR Part 7
Docket No. 2101130009
RIN 0605AA51
Securing the Information and Communications Technology and Services Supply Chain
AGENCY: U.S. Department of Commerce.
ACTION: Interim final rule; request for comments.
SUMMARY: The Department of Commerce is promulgating regulations to implement provisions of Executive Order 13873, "Executive Order on Securing the Information and Communications Technology and Services Supply Chain" (May 15, 2019).
These regulations create the processes and procedures that the Secretary of Commerce will use to identify, assess, and address certain transactions, including classes of transactions, between U.S. persons and foreign persons that involve information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and pose an undue or unacceptable risk. While this interim final rule will become effective on March 22, 2021, the Department of Commerce continues to welcome public input and is thus seeking additional public comment. Once any additional comments have been evaluated, the Department is committed to issuing a final rule.
DATES: Effective March 22, 2021.
Comments to the interim final rule must be received on or before March 22, 2021.
ADDRESSES: All comments must be submitted by one of the following methods:
By the Federal eRulemaking Portal: http://www.regulations.gov at docket number DOC20190005.
By email directly to: ICTsupplychain@doc.gov. Include RIN 0605AA51 in the subject line.
Instructions: Comments sent by any other method, to any other address or individual, or received after the end of the comment period, may not be considered. For those seeking to submit confidential business information (CBI), please clearly mark such submissions as CBI and submit by email, mail, or hand delivery as instructed above. Each CBI submission must also contain a summary of the CBI, clearly marked as public, in sufficient detail to permit a reasonable understanding of the substance of the information for public consumption. Such summary information will be posted on regulations.gov.
Supporting documents:
The Regulatory Impact Analysis is available at http://www.regulations.gov at docket number DOC20190005;
The Center for Strategic & International Studies, Significant Cyber Incidents (2020) is available at https://www.csis.org/programs/technology-policy-program/significantcyber-incidents;
The National Security Strategy of the United States is available at https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-182017-0905.pdf;
ODNI's 2016-2019 Worldwide Threat Assessments of the U.S. Intelligence Community are available at https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20%20Final.pdf (2017), https://www.dni.gov/files/documents/Newsroom/Testimonies/2018-ATA--Unclassified-SSCI.pdf (2018), https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf (2019); and
The 2018 National Cyber Strategy of the United States of America is available at https://www.whitehouse.gov/wp-content/uploads/2018/09/National-CyberStrategy.pdf.
FOR FURTHER INFORMATION CONTACT: Henry Young, U.S. Department of Commerce, telephone: (202) 482-0224.
For media inquiries: Meghan Burris, Director, Office of Public Affairs, U.S. Department of Commerce, telephone: (202) 482-4883.
SUPPLEMENTARY INFORMATION:
I. Background
The information and communications technology and services (ICTS) supply chain is critical to nearly every aspect of U.S. national security. U.S. business and governments at all levels rely heavily on ICTS, which: Underpin our economy; support critical infrastructure and emergency services; and facilitate the Nation's ability to store, process, and transmit vast amounts of data, including sensitive information, that is used for personal, commercial, government, and national security purposes. The ICTS supply chain must be secure to protect our national security, including the economic strength that is an essential element of our national security. Ensuring the resilience of, and trust in, our ICTS supply chain is an issue that touches upon national security, including economic security, and public health and safety.
The purchase, incorporation, and use by U.S. persons of ICTS, such as network management or data storage produced by any person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, can create multiple opportunities for those foreign adversaries to exploit potential vulnerabilities in the ICTS. That, in turn, could cause direct and indirect harm to both the immediate targets of the adverse action and to the United States as a whole. While attacks can originate from remote foreign sources, incorporating certain software, equipment, and products into U.S. domestic ICTS networks, as well as the use of certain cloud, network management, or other services, greatly increases the risk that potential vulnerabilities may be introduced, or that vulnerabilities may be present without being detected. These potential vulnerabilities, if exploited, could undermine the confidentiality, integrity, and availability of U.S. person data, including personally identifiable information or other sensitive personal data.
Some foreign adversaries are known to exploit the sale of software and hardware to introduce vulnerabilities that can allow them to steal critical intellectual property, research results (e.g., health data), or government or financial information from users of the software or hardware. Such vulnerabilities can be introduced in the network, cloud service, or individual product data; allow traffic monitoring or surveillance; and may be resistant to detection by private purchasers or telecommunications carriers. Once detected, such vulnerabilities may be extremely costly or impossible to remediate.
Vulnerabilities to data integrity can be created by including a foreign adversary's hardware and software into U.S. networks and systems. This incorporated hardware and software poses opportunities to add or remove important information, modify files or data streams, slow down, or otherwise modify the normal transmission or availability of data across U.S. networks. Such capabilities could be exercised in areas as diverse as financial market communications, satellite communications or control, or sensitive consumer information.
A foreign adversary could also exploit vulnerabilities provided by the incorporation of hardware and software into U.S. environments by fully or