The Department of Commerce released a draft regulation for a case-by-case process of banning Americans from buying IT equipment from companies controlled by foreign interests, a power granted by May’s executive order on supply chain security.
According to a November 27 post in the Federal Register, Commerce will take a case-by-case approach to banning transactions of IT and communications technologies and services (ICTS) with foreign adversaries, instead of using categorical bans of companies like the department’s Bureau of Industry and Security’s Entity List.
“A case-by-case process allows for the deliberative application of the authority granted to the Secretary by the President in the Executive order as the Secretary seeks to calibrate properly the application of this new authority,” the department states.
The department will decide which transactions to evaluate based on referrals from other Federal agencies and Commerce’s own information about a transaction. Commerce will also decide which countries count as a foreign adversary, in consultation with the Department of State, the Department of Defense, the Secretary of Homeland Security, and others.
The process for banning a transaction would provide notice to parties of an evaluation, decide whether a party to the transaction is controlled by a foreign adversary, and hear feedback from both sides before making a final determination.
“If the Secretary determines that a transaction presents an undue or unacceptable risk, the Secretary may require measures to mitigate the transaction’s identified risks or may prohibit the transaction, including by requiring that the parties engaged in the transaction immediately cease the use of the ICTS that poses the undue or unacceptable risk, even if such ICTS has been installed or was in operation prior to the Secretary’s determination,” Commerce notes.
However, Commerce is seeking feedback on whether categorical exclusions are warranted, as the department notes in its questions for public feedback. The department also asks about technologies where risks might be mitigated, users that might be exempted from the bans, and recordkeeping requirements for Americans.