BIS Publishes Security ICTS Supply Chain (UAS) ANPRM
Friday, the DOC’s Bureau of Industry and Security (BIS) published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (90 FR 271-279) on “Securing the Information and Communications Technology and Services Supply Chain: Unmanned Aircraft Systems”. This ANPRM looks at implementing the information and communications technology and services (ICTS) supply chain security requirements of EO 13873 with regard to unmanned aircraft systems that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries.
Background
In EO 13873, President Trump declared a national emergency with respect to the “unrestricted acquisition or use in the United States of information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in information and communications technology or services, with potentially catastrophic effects, and thereby constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
In the EO the term ‘information and communications technology or services’ is defined as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display”.
Potential Rule
BIS is considering developing a new regulation that could include mitigation measures and prohibitions addressing:
Onboard computers responsible for processing data and controlling UAV flight,
Communications systems including, but not limited to, flight controllers, transceiver/receiver equipment, proximity links such as Global Navigation Satellite Systems (GNSS) sensors, and flight termination equipment,
Flight control systems responsible for takeoff, landing, and navigation, including, but not limited to, exteroceptive and proprioceptive sensors,
Ground control stations (GCS) or systems including, but not limited to, handheld flight controllers,
Operating software including, but not limited to, network management software,
Mission planning software,
Intelligent battery power systems,
Local and external data storage devices and services, and
Artificial intelligence (AI) software or applications.
Request for Information
In addition to comments on the above measures, BIS is requesting comments on the definition of unmanned aircraft systems (UAS), including answers to specific questions:
In what ways, if any, should BIS elaborate on or amend the potential definition(s) of UAS as stated above?
Is the term UAS broad enough to include the aircraft systems that may combine flight controllers, global navigation satellite systems (GNSS) modules, cameras, communication devices, surveillance modules, navigation devices, sensors with control systems, and/or software with onboard and offboard data storage capabilities?
Are there other commonly used definitions for UAS that BIS should consider when defining a class of transactions involving ICTS integral to UAS, including definitions from industry, civil society, or international standards organizations?
What is the appropriate focus of any BIS regulations in this sector, including, but not limited to, UAS platforms and subcomponent technology, UAS capabilities, or UAS end-user sectors, including entities providing services performed by UAS?
Are there commonly used definitions and standard capabilities for ICTS components, which BIS has preliminarily identified as integral to the UAS platform?
BIS is also looking for comments on the following topics related to the risk associated with UAS:
Are there other risks or factors contributing to the data exfiltration risk that BIS has not considered in their analysis?
Which specific sectors or elements of critical infrastructure operated by private organizations, specifically within the commercial market, are most at risk if UAS technology is compromised?
BIS has additional questions about the UAS threats specifically posed by foreign adversaries, including:
Has BIS fully captured and articulated the threat posed by transactions involving ICTS UAS related to China and Russia?
Do other foreign adversaries identified in 15 CFR 791.4, such as Iran, North Korea, Cuba, and the Maduro Regime of Venezuela, pose similar risks to the UAS ICTS supply chain that BIS should consider?
Which ICTS components integral to UAS are designed, developed, manufactured, or supplied predominantly or exclusively by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary?
What are the potential tradeoffs of a rule prohibiting the resale or rental in the United States of UAS or UAS components that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary?
What are the software applications, whether freeware or requiring an account or purchase, that companies within the UAS supply chain generally develop or distribute in support of UAS, and/or sell or resell within the United States or to U.S. persons?
Which ICTS components integral to UAS, including but not limited to those identified in this ANPRM, pose the greatest risk to U.S. national security, including U.S. ICTS supply chains and critical infrastructure, or to the security and safety of U.S. persons if they are foreign adversary ICTS?
Finally, BIS is looking for information dealing with:
Consequences of Foreign Adversary Involvement in ICTS Integral to UAS,
Mitigations and authorizations, and
Economic impact.
Solicitation for Comments
BIS is soliciting public comments on these questions to advance their rulemaking process. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # BIS-2024-0058). Comments should be submitted by March 4th, 2025.
Commentary
I am disappointed that BIS did not include any questions about cybersecurity protections for UAS, and how the application (or absence) of such protections could mitigate the risks discussed in this ANPRM. I would like to propose two questions that could provide additional information necessary for the BIS rulemaking:
What cybersecurity controls are in place that could prevent unauthorized access/control of UAS?
What aftermarket applications are available for UAS that could mitigate unauthorized access/control of UAS?
Could additional cybersecurity controls be developed that would prevent unauthorized access/control of UAS?