US Expands Security Review of ICT Supply Chains

The United States is extending national security scrutiny to all layers of the information and communications technology (ICT) supply chain. The new regulatory approach, similar to CFIUS reviews, now covers cloud computing, IoT, and digital infrastructure, potentially impacting international standards participation for companies with ties to strategic competitors.

- [The Department of Commerce's](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFZ184IWTiPOso-E_STKweHt1dutXgHub-kxlSmIMQyu6HQyjMGIt1kiWYFjlWrSO57_1ek82mA6KJk3igxlW2eSB6SMSrSTxJS2nxNiohGiAykMw-JVH2ZlUhHSlwI7FEDQ2QfBuIY2NsxiYlNBBjPwcm97RhcDfTDqWhpIDzfPBIAQqOW1JZ9Ep-E8gfwP4X7272pKOi0BiWIlVEHVV_5B8DpAK_X7fTH2zmDpZYeRZFJTexIDd0g_L_I74Rzwb93vbsR0eg=) Bureau of Industry and Security (BIS) is authorized to review and prohibit Information and Communications Technology and Services (ICTS) transactions with entities linked to designated "foreign adversaries." This authority stems from Executive Order 13873, first issued in 2019. The list of foreign adversaries currently includes China (including Hong Kong), Russia, Iran, North Korea, Cuba, and the Maduro Regime in Venezuela.
- A final rule effective February 4, 2025, codifies the review framework, which is managed by the Office of Information and Communications Technology and Services (OICTS), established within BIS in March 2022. This rule applies to ICTS transactions initiated, pending, or completed on or after January 19, 2021.
- The scope of review is broad, covering transactions in categories such as information and communications hardware and software, data hosting and computing services, connected software applications, and ICTS integral to critical infrastructure. It also explicitly includes 11 categories of "critical and emerging technologies," such as artificial intelligence, quantum information, semiconductors, and biotechnology.
- In its first enforcement action under this authority, the Commerce Department prohibited the U.S. subsidiary of the Russian company Kaspersky Lab from selling its cybersecurity and anti-virus software within the United States, effective July 20, 2024. The determination cited Kaspersky's ability to install malicious software and withhold critical updates, as well as the potential for the Russian government to access sensitive U.S. customer data.
- The regulations have been specifically extended to address the supply chain for "connected vehicles." A final rule issued in January 2025 prohibits certain transactions involving connected vehicle hardware and software with links to China or Russia, with restrictions being phased in starting with model year 2027.
- The review process is not limited to new transactions; it can retroactively apply to agreements in effect before the rule's implementation. The Department of Commerce can initiate reviews on its own, or through referrals from other U.S. government agencies, as was the case with the Kaspersky review, which was requested by the Department of Justice.
- The framework requires companies involved in the automotive sector to submit annual "Declarations of Conformity" to BIS. These declarations must verify that they have not engaged in prohibited transactions and provide detailed bills of material for both hardware and software.
- Beyond connected vehicles, the Bureau of Industry and Security is also considering similar regulations for unmanned aerial systems (drones). This indicates a strategic, sector-by-sector approach to securing technology supply chains from perceived threats.
