The Department of Commerce is proposing new safety criteria for connected software to help better secure information and communications technology and services (ICTS) supply chains, including potential third-party audits of connected software and ICTS transactions, according to a proposed rule posted to the Federal Register Nov. 26.
The proposed rule follows two executive orders (EOs) on securing the ICTS supply chain and protecting sensitive data from adversaries. The first EO, on securing the ICTS supply chain, was signed by President Trump in May 2019. The new rule completes tasks ordered by President Biden’s follow-up EO from June 2021 on “Protecting Americans’ Sensitive Data from Foreign Adversaries.”
The EO from President Trump led to the creation of the Supply Chain Rule, which included a provision setting out procedures for how the Secretary of Commerce would decide whether an ICTS transaction puts the nation at risk because of an adversary nation’s involvement. The new proposed rule would further define the criteria the Secretary uses to make that decision.
The rule proposes the following criteria for deciding whether an ICTS transaction or connected software application poses a threat because of adversarial involvement:
- “Ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
- Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
- Ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
- Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
- A lack of thorough and reliable third-party auditing of connected software applications;
- The scope and sensitivity of the data collected;
- The number and sensitivity of the users of the connected software application; and
- The extent to which identified risks have been or can be addressed by independently verifiable measures.”
The Department of Commerce is seeking feedback on the rule in its entirety but is also specifically asking how to define a “reliable third-party” for the purposes of the rule. The agency also wants to know whether its criterion of “third-party auditing of connected software applications” is sufficiently descriptive or whether it needs to be more specific.
The agency will accept public comment on the proposed rule until Dec. 30.