On November 27, 2019, the Department of Commerce issued a proposed rule to implement the May 15, 2019 Executive Order entitled “Securing the Information and Communications Technology and Services Supply Chain.”  Once finalized and effective, the regulations will govern the process and procedures that the Secretary of Commerce will use to determine whether certain transactions involving information and communications technology or services (“ICTS”) should be prohibited or otherwise restricted.  As currently drafted, the proposed rule goes further than many other legal authorities, in that it allows the government to prohibit or otherwise restrict a broad range of wholly commercial transactions that the Secretary determines present national security risks.

Details on key aspects of the proposed rule are in a Client Alert that we published, available here.  The public comment period remains open until December 27.  Given the breadth of the proposed rule and the significant number of open questions, thoughtful comments will be critically important in scoping a final rule.

Under the proposed rule, the Secretary may review and mitigate, prohibit, or unwind transactions that: (1) are conducted by any person subject to the jurisdiction of the United States or involve property subject to the jurisdiction of the United States; (2) involve any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service); and (3) were initiated, pending, or completed after May 15, 2019, regardless of when agreements relating to those transactions were entered into, dated, or signed or when any license, permit, or authorization applicable to the transaction was granted.  The Secretary would also have the ability to review, and potentially prohibit, mitigate, or unwind transactions involving “ongoing” activities, even if a contract was entered into prior to May 15, 2019.

The review of a covered transaction could be commenced by the Secretary (or a designee): (1) at the Secretary’s own discretion; (2) upon request from a department head, agency, governmental body, or the Federal Acquisition Security Council, as appropriate; or (3) based on information submitted by private parties to the Secretary that the Secretary deems credible.  This third prong could allow business competitors to submit information triggering a review.  In all cases, the Secretary would have broad discretion under the proposed rule to initiate, conduct, and resolve an investigation.

The proposed rule leaves significant uncertainty for companies in the ICTS sector (and companies that procure ICTS) as to the types of transactions that may undergo review and be prohibited or otherwise restricted.  Companies in the ICTS sector must take account of the proposed rule in considering potential transactions, especially those involving countries that the U.S. Government considers to present national security concerns, such as China and Russia.  Our firm’s national security team stands ready to help businesses analyze the potential impacts of the proposed rule on their operations and consider how best to engage with the government, particularly during this month’s public comment phase.

*****

This post is being published concurrently on Covington’s Inside Government Contracts and Global Policy Watch blogs. 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ryan Burnette Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain…

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion dollars’ worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.