January 11, 2022

WASHINGTON – Today, global tech trade association ITI offered recommendations to the U.S. government as it seeks to address risks to global information and communications technologies (ICTS) supply chains stemming from connected software transactions. In comments to the U.S. Department of Commerce, ITI continues to call for a clear and narrow scope for ICTS transactions subject to review, including those related to connected software applications.

ITI notes that the proposed rule attempts to maintain consistency in the review of connected software transactions by utilizing the process established under the ICTS Supply Chain interim final rule (IFR) and streamlines regulations by addressing both Executive Order 13873 and Executive Order 14034. However, ITI remains concerned that the proposed rule, which relies upon the process outlined in the Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain, is still too broad to be practically implementable.

“We fear that both the Notice of Proposed Rulemaking (NPRM) and Interim Final Rule (IFR) as currently formulated introduce regulatory uncertainty into the globalized software marketplace in which American companies are key industry participants,” ITI wrote in its submission. “We remain concerned that the IFR and now the NPRM’s breadth coupled with the broad discretion granted to the Secretary of Commerce will continue to cast a cloud of uncertainty over almost all ICTS transactions and could undermine the national security objectives they purport to address, while also severely hindering U.S. competitiveness and hurting U.S. businesses.”

In its submission, ITI offers a series of recommendations to the Department of Commerce on how to improve the proposed rule:

  • Identify the specific classes of ICTS transactions that lead to national security concerns;

  • Rely upon the criteria introduced in this NPRM over the criteria listed in the IFR and consider streamlining criteria between the IFR and the NPRM;

  • Consider adhering to globally recognized international standards as a mitigating factor, exempting connected software transactions from review that adhere to those standards;

  • Further narrow the definition of connected software applications by focusing on the type of data the software application is processing;

  • Clarify whether the connected software application rules will apply to some or all stakeholders across the software distribution and usage chain and further recognize that security is a shared responsibility and reflect that in the NPRM accordingly;

  • Leverage ongoing efforts related to software supply chain security pursuant to Section 4 of the Executive Order on Improving the Nation’s Cybersecurity and incorporate it into the IFR as appropriate; and

  • Rely upon international standards to define terms within the NPRM, including around “reliable third-party,” “independently verifiable measures,” and “third-party auditing.”

Read the full comments here.

Public Policy Tags: Public Sector