Federal Register - September 24, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 183 / Friday, September 24, 2021 / Proposed Rules

culminates in a report to the President recommending ways to encourage information sharing and collaboration amongst U.S. IaaS providers and government. Finally, Sections 4-7 consider resources necessary for implementation, relevant definitions, reporting authorizations, and other general provisions. This ANPRM seeks comments specifically on how the Secretary should implement, through regulation, E.O. 13984 Section 1 (Verification of Identity), Section 2 (Special Measures for Certain Foreign Jurisdictions or Foreign Persons), and Section 5 (Definitions).
II. Issues for Comment

The Department welcomes comments and views on all aspects of how the Secretary should implement Sections 1, 2, and 5 of E.O. 13984, but is particularly interested in obtaining information on the following questions, within four categories: (1) customer due diligence regulations and relevant exemptions; (2) special measures; (3) definitions; and (4) overarching inquiries. The Department encourages commenters to reference specific question numbers to facilitate the Department's review of comments.
Customer Due Diligence Regulations and Relevant Exemptions:
(1) E.O. 13984 requires the Secretary to promulgate regulations that set forth minimum standards that U.S. IaaS providers must adopt to verify the identity of a foreign person when (1) opening an Account or (2) maintaining an existing Account, including types of documentation and procedures required for verification and records that U.S. IaaS providers must securely maintain in both instances.
a. How should the Department implement the requirement for both verifying a foreign person's identity (1) upon the opening of an Account, and (2) during the maintenance of an existing Account, and what should the Department consider in determining customer due diligence requirements for U.S. IaaS providers?
b. Can the Department implement the requirement to verify a foreign person's identity (1) upon the opening of an Account, and (2) during the maintenance of an existing Account, while minimizing the impact on U.S. persons opening or using such Accounts, or will the application of the requirements to foreign persons in practice necessitate the application of that requirement across all customers?
c. How do the records specifically identified within Section 1(a)(ii)(A)-(D) compare with the types of customer documentation and records that are
currently collected by U.S. IaaS providers? Will changes be required in U.S. IaaS providers' business processes or technical architectures for the maintenance of the records explicitly listed in Section 1(a)(ii)(A)-(D), and if so, what are these changes? What differences may exist in U.S. IaaS providers' ability to obtain certain records based on the type of U.S. IaaS product in question (i.e., managed vs. unmanaged services, virtual private servers or virtual private network products vs. cloud services)? What level of burden for U.S. IaaS providers would be associated with such changes?
d. Do U.S. IaaS providers currently collect information on the true users of their respective IaaS products, to include reselling activities? If no, what level of burden would be associated with a requirement to track lessees through resellers, including to verify nationality and collect/store identity information, and to augment existing U.S. IaaS providers' Terms and Conditions and Service Level Agreements to reflect these obligations?
e. What additional identifying information is collected by U.S. IaaS providers that could potentially assist with verification of customer identity and customer due diligence? Do U.S. IaaS providers possess other categories of information that would assist in the identification and investigation of foreign malicious cyber actors (e.g., Account log information, suspicious/abnormal Account activity reports, threat monitoring reports, suspended or blocked services by third parties, etc.)?
What would be the associated benefits or costs of including such records within the scope of the obligation to maintain records of foreign persons that obtain an Account?
f. Do U.S. IaaS providers have the capacity or capability to augment technical identity verification (e.g., Two-Factor Authentication (2FA)) with additional, non-technical vetting (e.g., third-party person/entity vouching) to further deter foreign malicious cyber actors from acquiring replacement infrastructure?
g. What types of data or technical analyses, if any, do U.S. IaaS providers use to identify or detect accounts that violate terms of service related to identity verification (including for those using fake names, fraudulent government documents, or other fraudulent identification records) of relevant services?
h. What procedures and processes should the Department consider to minimize the potential burden on U.S. IaaS providers to implement verification
and recordkeeping obligations under E.O. 13984?
i. Do U.S. IaaS providers currently take a risk-based approach to customer verification and ongoing customer due diligence, and should the Department consider some form of blended risk-based approach (i.e., a small number of explicitly listed minimum identification and verification requirements, coupled with a more risk-based approach to allow providers to develop their own programs based on their specific operations)?
j. What should the Department consider, including U.S. IaaS providers' current methods of securing and limiting access to personally identifiable information and other sensitive data, when setting forth minimum standards and methods by which U.S. IaaS providers should limit third-party access to the records that are described in Section 1(a)(ii)(A)-(D), or that might otherwise be required to be maintained?
(2) What data protection and security implications should the Department be aware of when considering the imposition on U.S. IaaS providers of requirements to maintain records regarding foreign person customers? For example, how might the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or other relevant data protection and security laws and regulations affect U.S. IaaS providers' ability to fulfill these recordkeeping requirements pursuant to E.O. 13984? Should the Department consider specific limitations on the amount of time that such records must be kept?
(3) What other international implications for U.S. IaaS providers should the Department be aware of when designing customer due diligence rules? How can the Department mitigate the risk of negative international consequences, if any, of such rules?
(4) What should the Department consider when deciding how compliance with the requirements adopted under Section 1 should be monitored and enforced (i.e., should compliance and enforcement be strictly limited to instances following malicious cyber activities that are traced back to specific U.S. IaaS providers; should the Department implement a voluntary or required proactive suspicious/abnormal Account activity report mechanism to assist in ongoing due diligence; should the Department periodically conduct compliance audits)? How should the Department verify that Section 1 requirements are being met?
(5) Section 1(c) permits the Secretary, in consultation with other Federal agency heads, to provide an exemption