Federal Register - September 24, 2021
Source: Federal Register
53020 Federal Register / Vol. 86, No. 183 / Friday, September 24, 2021 / Proposed Rules
from the requirements of any rules issued pursuant to Section 1 to a provider, Account, or lessee that complies with security best practices to otherwise deter abuse of IaaS products.[7]
a. Should exemptions be granted on a one-time basis, or should such exemptions be time-limited, with an obligation of renewal after a certain period of time? If renewals are required, what should be the timeframe for renewals?
b. What security practices do U.S. IaaS providers currently use to identify or detect foreign malicious cyber actors' abuse of their services?
c. What IaaS industry standards or best practices should the Department use to assess the appropriateness of an exemption from the rules issued under Section 1? To what extent are these standards or best practices sufficient to deter abuse of U.S. IaaS products by foreign malicious cyber actors? Would existing standards or practices need to be adapted for purposes of E.O. 13984?
d. How might a framework for best practices account for the dynamic and ever-evolving threat environment while allowing U.S. IaaS providers to stay agile in their company-specific programs?
e. How should the Secretary assess compliance with any security best practices for purposes of determining whether an exemption should be granted for a U.S. IaaS provider, type of account, or type of lessee? Should U.S. IaaS providers be permitted to conduct a self-assessment of such compliance, and if so, what type of documentation or certification should be required? Should verification of compliance by an independent third party be required? If so, what should be assessed by that third party and what documentation should the Secretary request?
f. When granting exemptions, should the Secretary consider granting partial exemptions from the rules issued under Section 1, i.e., should the Secretary consider exempting certain providers, types of Accounts, or types of lessees from initial customer due diligence verification procedures, but not from any ongoing customer due diligence procedures?
g. What should the Department take into consideration when determining if specific types of Accounts or lessees should be exempt from Section 1 rules?
Special Measures Restrictions:
Section 2 permits the Secretary, in consultation with the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of National Intelligence and, as the Secretary deems appropriate, the heads of other executive departments and agencies, to require U.S. IaaS providers to implement special measures to prohibit or impose conditions on Accounts upon a finding that reasonable grounds exist for concluding that either: (1) certain foreign persons have established a pattern of offering or directly obtaining U.S. IaaS products that are used for malicious cyber-enabled activities; or (2) certain foreign jurisdictions have any significant number of foreign persons offering or directly obtaining U.S. IaaS products that are used for malicious cyber-enabled activities.
[7] E.O. 13984 at 6838.
6 Is there particular information or sources of information that the Secretary should consider when making a determination under Section 2?
7 Form of Finding: Should the Secretary be required to publish a finding in a particular form (i.e., order, regulation, etc.), and if so, what reasoning supports that form?
8 Duration of Finding: What, if any, suggested restrictions should there be regarding the duration of any special measure? Should the form of a particular finding vary depending on the special measure duration?
9 In making a reasonable grounds finding under Section 2, the E.O. requires the Secretary to consider any information the Secretary determines to be relevant, but also to weigh specific, enumerated factors articulated within Section 2(b) of E.O. 13984, depending on whether the special measures pertain to a foreign jurisdiction or a foreign person. Are the factors enumerated within Section 2(b) comprehensive, or should the Secretary consider other factors when making a finding?
10 In selecting which special measure or measures to take, Section 2(c) of the E.O. requires the Secretary to consider: (i) whether the imposition of any special measure would create a significant competitive disadvantage, including any undue cost or burden associated with compliance, for U.S. IaaS providers; (ii) the extent to which the imposition of any special measure or the timing of the special measure would have a significant adverse effect on legitimate business activities involving the particular foreign jurisdiction or foreign person; and (iii) the effect of any special measure on U.S. national security, law enforcement investigations, or foreign policy.
a. Could the Secretary's selection of types of conditions to impose under Section 2 effectively mitigate any competitive disadvantages to U.S. IaaS providers or effects on legitimate business purposes? If so, how?
b. Are there any examples or frameworks that the Secretary should draw on in considering the factors listed in Section 2(c), i.e., in balancing any competitive disadvantage or impact on legitimate business activities against the impact of special measures on national security and law enforcement considerations?
11 Section 2(d) articulates the two specific special measures that the Secretary is able to take to condition or prohibit the opening or maintaining of Accounts by (1) foreign persons within certain foreign jurisdictions or by (2) certain foreign persons seeking to open or maintain an Account in the U.S.
a. Section 2(d)(i), Prohibitions or Conditions on Accounts within Certain Foreign Jurisdictions, permits the Secretary to prohibit or impose conditions on the opening or maintaining of an Account by any foreign person located in a foreign jurisdiction found to have any significant number of foreign persons offering U.S. IaaS products used for malicious cyber-enabled activities.[8]
When implementing this provision, should the Secretary consider using this provision to impose conditions or prohibitions on specific foreign persons located within foreign jurisdictions based on findings related to the jurisdiction? What should the Secretary consider in determining whether to impose conditions or prohibitions on all foreign persons located within the foreign jurisdiction in question or only specific foreign persons or Accounts?
i. How do U.S. IaaS providers expect to implement this special measure?
ii. How are providers able to assess and verify the jurisdiction from which persons are based? What tools are available to U.S. IaaS providers to assess or verify the jurisdiction from which persons are located?
b. Section 2(d)(ii), Prohibitions or Conditions on Certain Foreign Persons, permits the Secretary to prohibit or impose conditions on the opening or maintaining in the United States of an Account, including a Reseller Account, by any United States IaaS provider for or on behalf of a foreign person, if such an Account involves any such foreign person found to be offering or obtaining U.S. IaaS products for malicious cyber-enabled activities.[9] In implementing this provision, how should the Department assess whether an Account is opened or maintained in the United States? For example, should the
[8] E.O. 13984 at 6839.
[9] Id.