Je veux savoir à propos de…

53018

Federal Register / Vol. 86, No. 183 / Friday, September 24, 2021 / Proposed Rules
Issued on September 16, 2021.
Ross Landes, Deputy Director for Regulatory Operations, Compliance & Airworthiness Division, Aircraft Certification Service.

15 CFR Subtitle A

information for public consumption.
Such summary information will be posted on regulations.gov.
FOR FURTHER INFORMATION CONTACT:
Justin LP Shore, U.S. Department of Commerce, email: IaaScomments@
doc.gov. For media inquiries: Brittany Caplin, Deputy Director of Public Affairs and Press Secretary, U.S.
Department of Commerce, telephone:
202 4824883, email: PublicAffairs@
doc.gov.

2109130183

SUPPLEMENTARY INFORMATION:

RIN 0605AA61

I. Background
Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities
E.O. 13984, issued on January 19, 2021, and entitled Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities, 1
was issued pursuant to the Presidents authority under the Constitution and the laws of the United States, including the International Emergency Economic Powers Act,2 the National Emergencies Act,3 and section 301 of Title 3, United States Code. In E.O. 13984, the President determined that additional steps must be taken to address the national emergency related to significant malicious cyber-enabled activities declared in Executive Order 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities 80
FR 18077, Apr. 1, 2015.
E.O. 13984 addresses the threat posed by the use of U.S. cloud infrastructure by foreign malicious cyber actors to conduct malicious cyber-enabled activities, including theft of sensitive data and intellectual property and targeting of U.S. critical infrastructure.
IaaS products provide the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers.4 The United States must ensure that providers offering United States IaaS
products verify the identity of persons obtaining an IaaS account for the provision of these products and maintain records of those transactions 5
as foreign persons obtain or offer for resale IaaS accounts Accounts with U.S. IaaS providers, and then use these Accounts to conduct malicious cyberenabled activities against U.S. interests.

FR Doc. 202120521 Filed 92321; 8:45 am BILLING CODE 491013P

DEPARTMENT OF COMMERCE

U.S. Department of Commerce.
Advance notice of proposed rulemaking ANPRM.

AGENCY:
ACTION:

Executive Order 13984 of January 19, 2021, Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities, directs the Secretary of Commerce Secretary to implement regulations to govern the process and procedures that the Secretary will use to deter foreign malicious cyber actors use of United States Infrastructure as a Service IaaS
products and assist in the investigation of transactions involving foreign malicious cyber actors. The Department of Commerce the Department is issuing this ANPRM to solicit public comments on questions pertinent to the development of regulations pursuant to this Executive Order.
DATES: Comments must be received by October 25, 2021.
ADDRESSES: All comments must be submitted by one of the following methods:
By the Federal eRulemaking Portal:
http www.regulations.gov at docket number: DOC20210007.
By email directly to:
IaaScomments@doc.gov. Include E.O.
13984: ANPRM in the subject line.
Instructions: Comments sent by any other method or to any other address or individual, or received after the end of the comment period, may not be considered. For those seeking to submit confidential business information CBI, please clearly mark such submissions as CBI and submit by email or via the Federal eRulemaking Portal, as instructed above. Each CBI submission must also contain a summary of the CBI, clearly marked as public, in sufficient detail to permit a reasonable understanding of the substance of the SUMMARY:

VerDate Sep<11>2014

16:14 Sep 23, 2021

Jkt 253001

1 E.O.

13984, 86 FR 6837 Jan. 19, 2021.
Law 95223 October 28, 1977, 91 Stat.
1626, codified as amended at 50 U.S.C. 1701 et seq.
2018 IEEPA.
3 Public Law 94412 September 14, 1976, 90
Stat. 1255, codified as amended at 50 U.S.C. 1601
et seq. 2018 NEA.
4 E.O. 13984 at 6837.
5 Id.
2 Public
PO 00000

Frm 00006

Fmt 4702

Sfmt 4702

Malicious actors then destroy evidence of their prior activities and transition to other services. This pattern makes it extremely difficult to track and obtain information on foreign malicious cyber actors and their activities in a timely manner, especially if U.S. IaaS
providers do not maintain updated information and records of their customers or the lessees and sub-lessees of those customers.
To deter foreign malicious cyber actors use of U.S. IaaS products, and assist in the investigation of transactions involving foreign malicious cyber actors, 6 E.O. 13984 requires more robust record-keeping practices and user identification and verification standards within the industry to better assist investigative efforts. Additionally, E.O.
13984 encourages the adoption of and adherence to security best practices to deter abuse of U.S. IaaS products by allowing the Secretary to take into account compliance with such best practices in deciding to exempt certain U.S. IaaS providers, Accounts, or lessees from any final regulations stemming from Section 1 of E.O. 13984.
E.O. 13984 tasks the Secretary, specifically, with implementing regulations that require U.S. IaaS
providers to: 1 Verify the identity of a foreign person that obtains an Account i.e., identification, verification, and recordkeeping obligations Section 1;
and 2 implement special measures to prohibit or impose conditions on Accounts within certain foreign jurisdictions or of certain foreign persons, where the Secretary, in consultation with specified agency heads, makes a finding that either i reasonable grounds exist for concluding that a foreign jurisdiction has any significant number of foreign persons offering U.S. IaaS products, as defined in Section 5 of E.O. 13984, that are used for malicious cyber-enabled activities or any significant number of foreign persons directly obtaining U.S. IaaS
products for use in malicious cyberenabled activities; or ii reasonable grounds exist for concluding that a foreign person has established a pattern of conduct of offering U.S. IaaS products that are used for malicious cyberenabled activities or directly obtaining U.S. IaaS products for use in malicious cyber-enabled activities Section 2.
Section 3 of E.O. 13984, which is not a part of this potential rulemaking, directs the Attorney General and the Secretary of Homeland Security, in coordination with the Secretary and the heads of other agencies, as deemed appropriate, to solicit feedback from industry that 6 Id.

E:FRFM24SEP1.SGM

24SEP1