Quiero saber acerca de...

Federal Register / Vol. 86, No. 11 / Tuesday, January 19, 2021 / Rules and Regulations
khammond on DSKJM1Z7X2PROD with RULES

security of the United States or the security and safety of United States persons.
7.3 Scope of Covered ICTS
Transactions Many commenters suggested ways the Department could narrow the scope of the rule to provide more guidance for the types of transactions the Department may review. For example, commenters noted the potential impact of the proposed rule on certain types of transactions, such as transportation services of ICTS, and argued the rule would harm commenters industries.
They also argued that the proposed rule was overly broad and that narrowing the scope would bring greater economic certainty to ICTS Transactions and the technology industry as a whole.
Other commenters sought to have the Department identify categorical exemptions for select industries, such as ICTS Transactions involving medical devices or services for air traffic control, while yet others sought to exempt transactions involving companies with their business headquarters in allied nations, such as Japan. Commenters also suggested that, provided appropriate cybersecurity mitigation techniques exist, transactions involving otherwise banned equipment should be exempted from this rule.
The Department concludes that categorical exemptions of specific industries or geographic locations are unwarranted at this time, although the Secretary may consider this possibility in the future. Wholesale exemptions of industries and geographic locations would not serve the rules intended purpose of securing the ICTS supply chain because such exemptions would contradict the Departments evaluation method for ICTS Transactions. Such exemptions would indicate to foreign adversaries whole classes of ICTS
Transactions outside the scope of evaluation under this rule. This would allow foreign adversaries to pinpoint certain types of ICTS Transactions that would more easily escape Departmental oversight and, therefore, threaten U.S.
national security. By retaining broad authority across industries, the Department will be better able to mitigate identified risks.
While the rule does not contain categorical exemptions of specific industries or geographic locations, the rule now specifies that ICTS
Transactions that involve certain technologies, hardware, or software will be considered to be covered ICTS
Transactions. Additionally, the rule does make clear that, as further discussed below, the acquisition of ICTS

VerDate Sep<11>2014

16:33 Jan 17, 2021

Jkt 253001

items by a United States person as a party to a transaction authorized under a U.S. government-industrial security program, is not an ICTS Transaction.
Additionally, the Department acknowledges that ICTS Transactions solely involving personal ICTS
hardware devices, such as handsets, do not warrant particular scrutiny.
7.3Technology Sectors Many commenters requested that the Department identify those technologies or products that the Department considers create the greatest risks to the national security of the United States.
The Department understands the desire for additional certainty and broke down the scope of technologies included under the scope of this rule into six main types of ICTS Transactions involving: 1 ICTS that will be used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21
Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors; 2
software, hardware, or any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or longand short-haul systems; 3 software, hardware, or any other product or service integral to data hosting or computing services that uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data on greater than one million U.S. persons at any point over the twelve months preceding an ICTS
Transaction; 4 certain ICTS products which greater than one million units have been sold to U.S. persons at any point over the twelve months prior to an ICTS Transaction; 5 software designed primarily for connecting with and communicating via the internet that is in use by greater than one million U.S.
persons at any point over the twelve months preceding an ICTS Transaction;
6 ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.
7.3Licensing Process for Potential Transactions Many commenters requested that the Department establish a process for entities to seek pre-approval of their ICTS Transactions, similar to the process by which entities may inform the Committee on Foreign Investment in the United States CFIUS of investments in U.S. businesses, and
PO 00000

Frm 00037

Fmt 4700

Sfmt 4700

4913

obtain safe harbor for those transactions. Commenters argued that such a process would help ease business uncertainty in specific cases.
To afford parties greater certainty, within 60 days of the publication date of this rule, the Department intends to publish procedures to allow a party or parties to a proposed, pending, or ongoing ICTS Transaction to seek a license, pursuant to Section 2b of the Executive Order, in a manner consistent with the national security of the United States. Within 120 days of the publication date of this rule, the Department intends to implement this licensing process. The published procedures will establish criteria by which persons may seek a license to enter into a proposed or pending ICTS
Transaction or engage in an ongoing ICTS Transaction. Persons who may seek a license will include any parties to a proposed, pending, or ongoing ICTS
Transaction as that term is defined in this rule. License application reviews will be conducted on a fixed timeline, not to exceed 120 days from accepting a license application, to enable qualifying parties to conclude permissible transactions without undue delay. If the Department does not issue a license decision within 120 days from accepting a license application, the application will be deemed granted. In no event, however, would the Department issue a license decision on an ICTS Transaction that would reveal sensitive information to foreign adversaries or others who may seek to undermine U.S. national security.
Qualifying parties may voluntarily apply for a license, and a partys decision not to seek a license will not create a negative inference or unfavorable presumption with respect to a transaction.
7.3Presidential Policy Directive 21
Critical Infrastructure Security and Resilience Regarding the Departments assessment of undue and unacceptable risk, commenters suggested that the Department create risk criticality categories for transactions, such as low, medium, and high, along with different assessment approaches. Other commenters advocated using risk scores or categories to determine the frequency and rigor of monitoring.
The Department agrees that the scope of the rule could be narrowed to indicate more specifically the types of ICTS Transactions that may be reviewed. Accordingly, the Department clarifies that ICTS Transactions include those that involve, among other aspects, a sector designated as critical
E:FRFM19JAR1.SGM

19JAR1