Commerce Department Issues Final Rule on Information and Communications Technology Supply Chain

On June 16, the U.S. Department of Commerce published a final rule, effective July 17, 2023, on Securing the Information and Communications Technology and Services ("ICTS") Supply Chain, signaling potential new actions on "connected software applications."

The Biden Administration has embraced a broad view of national security that encompasses personal data, civilian network security, and threats posed by disinformation. Among other tools to address these issues, the administration is formalizing a process for national security reviews (and potential industry-wide legal prohibitions) for certain imports of technology and software. The Commerce Department has drafted rules to govern this process and implement Executive Order 13873 (Securing the Information and Communications Technology and Services Supply Chain) and companion directive, Executive Order 14034 (Protecting Americans' Sensitive Data From Foreign Adversaries).

With the new final rule, the Commerce Department has moved to expand and institutionalize its new review process, broadening the factors it may use to determine whether a transaction involving "connected software applications" presents "undue or unacceptable risks." The rule defines these applications as "software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet."

The new final rule provides eight criteria that the Commerce Department may consider when making this determination. These criteria include "[t]he number and sensitivity of the users of the connected software application," "[t]he scope and sensitivity of the data collected," "[a] lack of thorough and reliable third-party auditing of connected software applications," and "[t]he extent to which identified risks have been or can be addressed by independently verifiable measures."

The new rule may portend broader actions focused on connected software applications that collect or store personal data, potentially targeting specific products or classes of products. Companies that develop, use, or facilitate actions by software applications should be prepared to respond quickly as the Commerce Department implements its new authorities and review process.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.