Software trade group BSA said the rules proposed under the Securing the Information and Communications Technology and Services Supply Chain executive order may give the Secretary of Commerce “unbounded discretion to review commercial ICT transactions, applying highly subjective criteria in an ad hoc and opaque process that lacks meaningful safeguards for companies.”
In comments on the proposed rules, BSA says that “it would be impossible for companies to create responsive compliance programs or to conduct business with a predictable and reliable understanding of the risks.” Because of this, BSA says that, with regard to improving supply chain security, the proposed framework would only provide a “marginal impact.”
BSA made recommendations for changes to the proposed rules to improve their effectiveness, including definitional changes, exclusions, and protections and safeguards.
For definitional changes, BSA recommends that phrasing in the proposed rules, such as “dealing in” and “transactions,” be clarified to provide more consistency.
On establishing well-defined exclusions, BSA says it “would support excluding from regulation entities that meet current and future Federal and/or industry-led supply chain security standards.” BSA has also identified exclusions from review for transactions.
Additionally, BSA is urging Commerce to consider safeguards to provide industry partners with greater certainty going forward. Some safeguards that BSA recommends include ensuring that “the process is overseen by an official with adequate levels of political accountability,” and establishing a formal interagency process to determine whether there are any “undue” or “unacceptable” risks to information and communications technology supply chains.