The Department of Commerce (Commerce) Office of Information and Communications Technology and Services (OICTS) has broad authority—born out of executive action during the first Trump administration—to identify and mitigate national security risks in U.S. ICTS supply chains. Recently, OICTS has been implementing rules to broadly control risks in the technology supply chain of specific sectors, first targeting connected vehicles and now moving on to drones; datacenters and satellite technology are next. OICTS also just published a final rule regarding its review processes, replacing an interim final rule that had been in place since January 2021, and reportedly is soon to take action on China-origin router technology.
On January 3, 2025, OICTS issued a new Advanced Notice of Proposed Rulemaking (ANPRM), targeting technology and software used in unmanned aerial systems (UAS) and the impact of foreign adversaries on the UAS supply chain. UAS are the latest technology for which supply chain vulnerabilities have attracted the attention of the U.S. government, with Commerce issuing a proposed rule late last year banning the sale within or import into the United States of certain connected vehicle system hardware, software, or complete vehicles with a nexus to Russia and China.
In the new ANPRM, OICTS is seeking comment from industry participants regarding “transactions involving ICTS that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” and that are integral to UAS.[1] As UAS have applications in various parts of the U.S. economy, including agriculture, healthcare, infrastructure, and energy, the U.S. government assesses that foreign adversary involvement with such technology could pose serious risks to U.S. national security. Similar to the connected vehicles proposed rule, the ANPRM is predicated on the risk that foreign adversaries could exploit UAS ICTS for data exfiltration from and remote access control of UAS.
Preparatory to establishing a regulatory framework, the ANPRM identifies questions aimed at seeking to better understand the ICTS used in UAS and the risks posed by foreign adversary involvement in the supply chain. Specifically, OICTS is looking for information on the following topics:
Parties may submit comments on the ANPRM until March 4, 2025.
The January UAS ANPRM follows a series of actions by Commerce to shape the contours of its ITCS program. In early December, Commerce issued a final rule, replacing an interim rule that had been in place since January 2021, regarding the process for reviewing transactions pursuant to the ICTS program. The final rule clarifies the review process by providing more detail regarding procedures and timing.
Under the final rule, if Commerce finds that a transaction (1) is a covered ICTS transaction, (2) involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, and (3) poses an undue or unacceptable risk based on several criteria, Commerce provides an assessment of the transaction to an interagency group, which has 21 days to comment. After considering any comments, Commerce notifies the parties of the initial determination, and the parties have 30 days to respond with arguments or evidence that the initial determination is erroneous or with proposed remedial measures. These submissions are reviewed by the appropriate agency heads within 14 days, and ultimately the Secretary issues a final determination (which must be issued within 180 days of the initial determination) classifying the ICTS transaction as either prohibited, not prohibited, or permitted pursuant to the adoption of mitigation measures.
The final rule also adds and revises several definitions in the regulations, including clarifying the scope of an “ICTS Transaction,” which is defined as:
any acquisition, importation, transfer, installation, dealing in, or use of any ICTS, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.
In response to comments seeking clarification on some of the terms in this definition, Commerce added new definitions for “importation” and “dealing in”:
As we previewed last fall, the U.S. government continues to introduce controls to secure the supply chain for critical technology in the United States, such as for connected vehicles, and to restrict the supply chain for foreign adversaries in advanced technology, including semiconductors. The latest developments from OICTS to regulate UAS, build out its framework for assessing ICTS transactions more broadly, and target devices such as Chinese-produced routers, are part of a trend that we expect to continue in the Trump administration, which appears poised to take an aggressive posture towards perceived supply chain national security vulnerabilities.
Emilee Karr and Carina McMillin, associates in our Washington, D.C. office, contributed to this alert.
[1] 90 Fed. Reg. 271.