Commerce Issues Final Rule Targeting Connected Software Applications

By Meredith Rathbone, Ed Krauland, Evan Abrams, Jack Hayes, Ryan Pereira & Peter Jeydel on June 27, 2023

On June 16, 2023, the US Department of Commerce published a final rule (the “June 16 rule”) to implement Executive Order (EO) 14034, Protecting Americans’ Sensitive Data From Foreign Adversaries, by amending Commerce’s previously-issued Securing the Information and Communications Technology Supply Chain regulations (the “ICTS rule”).   Among other requirements, EO 14034 directed the Secretary of Commerce to consider the risks posed by “connected software applications” and take “appropriate action” in accordance with the previously issued ICTS rule and EO 13873, Securing the Information and Communications Technology and Services Supply Chain, pursuant to which the ICTS rule was issued. 

The ICTS rule authorizes Commerce to prohibit or otherwise regulate certain transactions involving information and communications technology or services (“ICTS”) with a nexus to “foreign adversaries” that pose an “undue or unacceptable risk” to US national security.  (For additional detail on the ICTS rule, see our prior blog post.)  The June 16 rule amends the ICTS rule to clarify Commerce’s ability to regulate transactions involving software, including so-called “connected software applications,” and to further enumerate the criteria that Commerce will consider when reviewing such transactions.   The changes are effective July 17, 2023.

Changes to Definitions in ICTS Rule

Under the current regulations, available at 15 CFR Part 7, Commerce may review a transaction involving a “foreign adversary,” currently determined to be China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Maduro Regime of Venezuela, and meeting other enumerated criteria, that involves one or more specific categories of ICTS.  Among the listed categories is “[s]oftware designed primarily for connecting with and communicating via the internet that is in use by greater than one million U.S. persons at any point over the twelve (12) months preceding an ICTS Transaction.”  This includes: “(A) [d]esktop applications; (B) [m]obile applications; (C) [g]aming applications; and (D) [w]eb-based applications.”  It is important to note that for purposes of calculating whether a connected software application is in use by greater than one million US persons, the June 16 rule states, in response to public comments, that Commerce counts both active users as well as inactive and historical users whose data is still stored in the application.

The June 16 rule revises the above definition by clarifying that it applies to software designed to enable connecting and communicating via the internet, “which is accessible through cable, telephone line, wireless, or satellite or other means….”  It also revises the list of application types to add a fifth type called “connected software applications.” 

A connected software application is defined broadly to include “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.”  The June 16 rule defines “end-point computing device” to mean “a device that can receive or transmit data and includes as an integral functionality the ability to collect or transmit data via the internet.” 

The June 16 rule also adds a new definition of “via the internet,” which it similarly defines to mean “using internet protocols to transmit data, including, but not limited to, transmissions by cable, telephone lines, wireless methods, satellites, or other means.” 

Additional Criteria for Review of ICTS Connected Software Application Transactions

The ICTS rule currently lists ten broad criteria that Commerce may consider when determining whether ICTS transactions present “undue or unacceptable risks” to US national security. The June 16 rule adds eight new criteria specific to connected software applications (to be considered in connection with the 10 broader criteria).

These new criteria include:

  1. Ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
  2. Use of connected software applications to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
  3. Ownership, control, or management of connected software applications by persons subject to the jurisdiction or direction of a foreign adversary;
  4. Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
  5. Whether there is regular, thorough, and reliable third-party auditing of connected software applications;
  6. The scope and sensitivity of the data collected;
  7. The number and sensitivity of the users with access to the connected software application; and
  8. The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.

The Federal Register notice discussing these additional criteria, and changes to the criteria from those contained in the proposed version of the rule, reveal a number of interesting and important nuances:

  • Commerce may consider both permanent and sporadic “ownership, control, or management” by foreign adversaries, such as those where foreign adversaries have access to deploy updates and patches to software applications. 
  • For purposes of evaluating ICTS transactions involving connected software applications, Commerce will not consider the software’s ability to execute embedded out-going network calls or web server references, regardless of the “ownership, control, or management” of the software, based on concerns that this criterion would inadvertently capture ICTS transactions involving “domestic vendors.” However, Commerce suggested that such a factor could be considered in the future once the agency “gains experience” evaluating ICTS transactions involving connected software applications.
  • Commerce is revising the third criterion to apply to situations where persons are “subject to the jurisdiction or direction of a foreign adversary,” as opposed to “subject to coercion or cooption” by a foreign adversary, as contained in the proposed version of the rule.
  • Also, with respect to the criterion regarding third-party auditing, Commerce clarifies that, while use of specific third-party standards such as ISO/IEC 207001 is encouraged, there is no specific standard that is mandated, and Commerce will consider the appropriateness of any standard on a case-by-case basis.
  • Finally, Commerce “has determined that not all of the criteria … are applicable to transactions not involving connected software applications.”  For instance, Commerce distinguishes between ICTS transactions involving critical infrastructure services and consumer services, noting that “the number of users might not be an appropriate factor for evaluating ICTS transactions that have low numbers of users but that service critical infrastructure or that might have significant risks if misused.”  Therefore, parties to transactions involving other types of ICTS that do not involve connected software applications should not reflexively seek to apply all of the connected software criteria when seeking to assess the potential risk posed by their unrelated transaction.

Notably, the above criteria are factors Commerce will consider when assessing the national security risk posed by a given transaction, but they are not criteria to be used in assessing whether a given ICTS transaction is subject to Commerce’s jurisdiction under the ICTS rule (the jurisdictional scope is laid out in other parts of the rule, principally Section 7.3). 

Note on Implementation

Unlike the interim final rule promulgating the ICTS rule, the June 16 rule identifies the Under Secretary of Commerce for Industry and Security as the responsible person within Commerce, which indicates that implementation of the ICTS rule has been delegated to the Bureau of Industry and Security (BIS).  While many observers have long anticipated BIS would play a leading role, the publication of the June 16 rule confirms that expectation. 

Implications for Industry

To date, the ICTS rule has been used sparingly by Commerce.  Commerce has reportedly served subpoenas on multiple Chinese companies that provide ICTS in the United States and is also reportedly weighing additional actions under the rule.  However, concern has only continued to grow with respect to ICTS in the United States linked to “foreign adversaries.”  Members of Congress from both parties, as well as Biden administration officials, have been increasingly concerned by the use of such applications, particularly those with a nexus to China.  As the popularity of many of these applications, including social media, increases, it seems likely that Commerce will move to use the ICTS rule more aggressively as BIS builds out its team, expertise, and regulatory and enforcement infrastructure.  There has also been some uncertainty and likely delays in implementation caused by complementary efforts by key members of Congress to move legislation that would similarly regulate social media and other types of connected software applications and additional forms of ICTS.

The Federal Register notice mentions several times that, as Commerce gains experience reviewing ICTS transactions involving connected software applications, it may add additional review criteria or expand Commerce’s jurisdiction to review ICTS involving connected software applications by lowering the current user threshold of one million.  

Companies involved in ICTS transactions that are within the ICTS rule’s jurisdiction should consider whether their transactions are likely to generate concern from Commerce (or other US government agencies) and, if so, consider options to mitigate those concerns.

For additional information on this rule, please contact a member of Steptoe’s International Trade and Regulatory Compliance team.

Meredith Rathbone

Meredith Rathbone focuses on export controls and economic sanctions, and has assisted clients in the energy, manufacturing, telecommunications, information security, banking, insurance, pharmaceutical, and service industries, among many others, in navigating the requirements of the Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR) and US sanctions regulations administered by the Office of Foreign Assets Control (OFAC) and US Department of State. She regularly assists companies in developing compliance policies, conducting internal investigations, performing training, and conducting due diligence in M&A transactions. She has represented individuals and companies facing civil and criminal investigations in this area, and has also represented clients in their efforts to be removed from OFAC’s list of Specially Designated Nationals (SDNs). She is a frequent writer and speaker on export controls and sanctions topics. She is the co-chair of the American Bar Association’s Export Controls and Economic Sanctions Committee, and also serves on the Sanctions Subcommittee of the State Department’s Advisory Committee on International Economic Policy.

Ed Krauland

Edward J. Krauland focuses on export controls/economic sanctions. Ed’s extensive experience includes representing clients on matters involving US and multilateral economic sanctions, defense and nuclear export controls, dual-use export controls under the EAR, anti-boycott compliance, internal investigations and enforcement work, and review of government procurement regulations in the cross-border context. His practice spans all aspects of these laws, including counseling, compliance work, transactional advice, licensing and opinion work, internal reviews, disclosures, and enforcement actions. He has served as co-chair of the International Trade Committee of the ABA Section of International Law and Practice. He is former Chairman of an ABA-wide Task Force on Gatekeeper Regulation (anti-money laundering compliance), and senior adviser to the ABA Section of International Law and Practice’s anti-money laundering committee.

Evan Abrams

Evan Abrams counsels multinational corporations, financial institutions, and individuals on various international regulatory and compliance matters. He assists foreign and domestic companies in navigating national security reviews by the Committee on Foreign Investment in the United States (CFIUS). He has represented companies in industries including semiconductors, metals, and digital security. Evan’s anti-money laundering (AML) practice focuses on helping financial institutions comply with federal and state AML rules, particularly money transmitters and entities involved in creating, exchanging, or dealing in cryptocurrencies and tokens. Evan counsels clients in a variety of export controls and sanctions matters related to the Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), and various sanctions programs under US and international law. In addition, Evan routinely assists clients on anti-corruption investigations and enforcement actions.

Jack Hayes

Jack Hayes has extensive experience providing clients with advice and assistance under ITAR and EAR, as well as US economic sanctions and anti-boycott regulations. Jack frequently handles complex export control matters, including voluntary disclosures, internal investigations of apparent export control violations, pre-closing and post-closing acquisition export compliance due diligence, export control audits, and assessments of compliance obligations and risks in accordance with relevant international trade regulations. He also provides guidance on brokering requirements and reporting obligations for certain fees, commissions, and political contributions related to sales of defense articles and defense services, prepares export and reexport license and agreement applications for submission, undertakes commodity jurisdiction and export classification analyses of items and services under the ITAR and EAR, drafts registration material change notifications, and develops compliance policies, programs, and training materials.

Peter Jeydel

Peter Jeydel’s practice focuses on US export controls and economic sanctions, including the Commerce Department’s Export Administration Regulations (EAR), the State Department’s International Traffic in Arms Regulations (ITAR), and sanctions regulations administered by the Treasury Department’s Office of Foreign Assets Control (OFAC) and the State Department. His practice spans all aspects of these regimes, including counseling, compliance, transactional advice, licensing and opinions, disclosures, and enforcement actions. He has also represented companies and individuals seeking de-listing from OFAC’s sanctions list. In addition, Pete has assisted clients in anti-corruption matters, including under the US Foreign Corrupt Practices Act (FCPA), and has experience handling reviews and investigations by the Committee on Foreign Investment in the United States (CFIUS).

  • Posted in:
    Privacy and Cybersecurity, Technology and AI
  • Blog:
    International Compliance Blog
  • Organization:
    Steptoe LLP
