HR 8742 Introduced - ICTS Security Oversight

Back in June, Rep Slotkin (D,MI) introduced HR 8742, the Information and Communication Technology and Services (ICTS) National Security Review Act. The bill would codify the establishment of the current Office of Information and Communications Technology and Services (OICTS) within the Department of Commerce’s Bureau of Industry and Security (BIS). It would provide specific authority to monitor and mitigate risks associated with ICTS transactions. No new funding is authorized by this legislation.

This bill is very similar to HR 8741 [subscription required], the Connected Vehicle National Security Review Act, also introduced by Slotkin. The difference is that this bill does not contain the definition and references to motor vehicles that limited the application of many of the provisions of that bill to only foreign made motor vehicles or components.

Definitions

Section 11 of the bill provides definitions for 12 key terms used in this legislation. Terms of specific interest here include:

• Covered ICTS transaction,

• ICTS transaction,

• Information and communications technology and services; icts,

• Undue or unacceptable risk

OICTS Establishment

Section 2 of the bill formally establishes the Office of Information and Communications Technology and Services (OICTS) within BIS. The Office will be responsible for:

• Identifying and preventing through mitigation or prohibition the undue or unacceptable risk posed by certain ICTS transactions, and

• Educating industry and other partners on relevant risks and communicate decisions.

Subsection 3(a) authorizes OICTS to conduct investigations of ICTS transactions the Department suspects pose an undue or unacceptable risk. The bill provides authority to:

• Require any person subject to the jurisdiction of the United States to furnish under oath, in the form of a report or otherwise, at any time as may be required by the Secretary, complete information relative to any such transaction.

• Require that any such report take a particular form as directed in a request, regulation, or other guidance provided by the Secretary, which may be required before, during, or after any such transaction.

• Through any agency, conduct investigations, hold hearings, administer oaths, examine witnesses, receive evidence, take depositions, and require by subpoena the attendance and testimony of witnesses and the production of any book, contract, letter, paper, and other hard copy or document relating to any matter under investigation, regardless of whether any such report has been required or filed.

Covered ICTS Transactions

Subsection 3(b) requires the DOC to either mitigate or prohibit covered ICTS transactions that present an undue or unacceptable risk. The bill specifically authorizes the following mitigation measures:

• Negotiate, enter into or impose, and enforce any agreement or condition with any such party.

• Require adherence to certain cybersecurity standards and other mitigation requirements determined to be necessary by the Secretary.

• Require the exclusion (in whole or in part) of certain components, including physical parts or hardware, software, digital services, and digital components, of any ICTS or any sub-component of ICTS from any such transaction.

• Anything else the Secretary determines to be appropriate or necessary to mitigate the undue or unacceptable risks.

Alternatively, the subsection authorizes DOC to prohibit the covered ICTS transaction. In that event DOC is required to notify any party subject to the covered ICTS transaction review of the prohibition. DOC is allowed to publish any such prohibition in the Federal Register.

Section 4 would provide DOC authority to issue regulations that:

• Identify particular covered ICTS transactions and person or jurisdiction of concern which warrant particular scrutiny for undue or unacceptable risk.

• Establish mitigation measures to address undue or unacceptable risk, to include prohibitions related to entities of concern or for classes of covered ICTS transactions.

• Establish criteria by which particular covered ICTS transactions or particular classes of participants in the covered ICTS transaction supply chain may be recognized as categorically included in or as categorically excluded from mitigation measures or prohibitions.

• Establish particular classes of covered ICTS transactions or parties to transactions that must abide by certain prohibitions or mitigation measures.

• Establish procedures to authorize or license transactions otherwise prohibited pursuant to a regulation promulgated under this section.

Section 5 would require the Director of National Intelligence to provide to DOC “a risk assessment that relates to threats posed by persons or jurisdictions of concern to the United States by the supply chain of covered ICTS transactions”. The assessment would include:

• Includes specific criteria to evaluate any undue or unacceptable risk to the national security of the United States, and

• Identifies any person or jurisdiction of concern, participants in such supply chain, and covered ICTS transactions or classes of covered ICTS transactions posing the highest risks to the national security of the United States.

Advisory Committee

Subsection 6(c) would require DOC to establish a CITS technical advisory committee that would report to OCITS. The advisory committee would consist of:

• Industry academic experts on covered ICTS transaction supply chains,

• Representatives of private sector companies, industry associations, and academia, and

• A designated Federal officer to administer the advisory committee and report to the Executive Director.

Moving Forward

Slotkin is not a member of the House Foreign Affairs Committee to which this bill was assigned for consideration. This means that there would not be enough influence to see this bill considered by the Committee. I expect that there would be some level of bipartisan support for this bill were it considered. I suspect that there would be sufficient support for it to be considered under the suspension of the rules process.

Commentary

It is interesting that Slotkin introduced two nearly identical bills. HR 8742. She represents Lansing, MI which is still an automotive town, and really close to Motor City. HR 8741 was crafted to specifically target Chinese made electric vehicles and Chinese components going into other cars. That would draw support both from union workers and automotive management. I would be surprised if Slotkin (or her staff) thought that that bill had a good chance of reaching the President’s desk; it was just too narrowly focused.

The provisions of this bill would still allow OICTS to go after Chinese automotive imports, but it would also allow the agency to target any number of other connected Chinese products, potentially providing more sources of support for the legislation. Still, without cosponsors that are members of the House Foreign Affairs Committee, this bill is not going anywhere.