The Department of Commerce is seeking comment on questions related to the development of regulations to govern the processes and procedures the Commerce Secretary will use to deter foreign malicious cyber actors’ use of U.S. Infrastructure as a Service (IaaS) products and to investigate those actors.
The development of these regulations follows the implementation of Executive Order (EO) 13984, Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities, signed by former President Trump on January 19, 2021.
“EO 13984 addresses the threat posed by the use of U.S. cloud infrastructure by foreign malicious cyber actors to conduct malicious cyber-enabled activities, including theft of sensitive data and intellectual property and targeting of U.S. critical infrastructure,” a Federal Register notice said. “IaaS products provide the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers.”
EO 13984 requires “more robust” record-keeping practices and user identification and verification standards to better assist investigative efforts. It also encourages adopting and adhering to security best practices to deter abuse of IaaS products by allowing the Commerce Secretary to take compliance with best practices into account in deciding whether to exempt certain U.S. IaaS providers, accounts, or lessees from any final regulations arising from Section 1 of the EO.
Commerce says that it is interested in obtaining comments on all aspects of how it should implement Sections 1, 2, and 5 of the EO, but is particularly interested in information on the following four categories: customer due diligence regulations and relevant exemptions; special measures; definitions; and overarching inquiries.
Comments should be submitted 30 days after the publication of the notice, which was published Sept. 16, 2021.