Establishes procedures by which the Secretary of Commerce may evaluate, direct, and/or prohibit information and communications technology or service (ICTS) transactions with foreign adversaries. Relevant ICTS include drones or any other unmanned aerial systems, autonomous systems, and artificial intelligence and machine learning software.
Analysis summaries, actor details, and coverage mappings were LLM-classified and may contain errors.
This is a binding federal regulation (15 CFR part 7) issued by the Department of Commerce under IEEPA authority, with explicit enforcement mechanisms including civil penalties up to $307,922 or twice the transaction value, and criminal penalties up to $1,000,000 fine and 20 years imprisonment.
The document has good coverage of approximately 6-8 subdomains, with strong focus on malicious actors (4.1, 4.2), AI system security (2.2), competitive dynamics (6.4), and governance failure (6.5). Coverage is concentrated in security, national security threats, and supply chain risks. The document addresses risks from foreign adversaries using ICTS (including AI) for surveillance, cyberattacks, and threats to critical infrastructure.
The regulation governs ICTS transactions across all critical infrastructure sectors as defined by Presidential Policy Directive 21. It has particularly strong coverage of Information, Finance and Insurance, Health Care, Public Administration, and National Security sectors due to explicit references to telecommunications, data services, sensitive personal data, and national security functions.
The document primarily covers the Deploy and Operate and Monitor stages of the AI lifecycle, as it regulates the acquisition, importation, installation, and use of ICTS including AI/ML systems. It does not substantively address earlier stages like planning, data collection, or model development, focusing instead on transaction review and ongoing compliance monitoring.
The document explicitly mentions AI systems, AI models (through 'artificial intelligence and machine learning'), and various AI applications including autonomous systems, drones, and advanced robotics. It does not distinguish between frontier AI, general purpose AI, or task-specific AI, nor does it mention foundation models, generative AI, predictive AI, or compute thresholds. It does not explicitly address open-weight or open-source models.
Department of Commerce, Secretary of Commerce (implementing Executive Order 13873 issued by the President)
The regulation was promulgated by the Department of Commerce under authority granted by Executive Order 13873 and IEEPA. The Secretary of Commerce has rulemaking authority to establish these procedures.
Secretary of Commerce, Department of Commerce, U.S. district courts, appropriate agency heads (Secretary of Treasury, Secretary of State, Secretary of Defense, Attorney General, Secretary of Homeland Security, U.S. Trade Representative, Director of National Intelligence, Administrator of General Services, Chairman of FCC)
The Secretary of Commerce has primary enforcement authority to issue determinations, impose penalties, conduct investigations, and bring civil actions. Multiple federal agencies consult on enforcement decisions.
Secretary of Commerce, Department of Commerce, appropriate agency heads, Department of Homeland Security Cybersecurity and Infrastructure Security Agency, Director of National Intelligence, Federal Acquisition Security Council
The Secretary monitors compliance with final determinations and mitigation agreements. Multiple agencies provide ongoing threat assessments and vulnerability reports. The regulation establishes recordkeeping requirements and information-sharing mechanisms.
Persons engaged in ICTS transactions involving products/services from foreign adversaries (China, Cuba, Iran, North Korea, Russia, Maduro Regime); entities using ICTS in critical infrastructure sectors; providers of AI/ML systems, drones, autonomous systems, cloud services, data hosting services
The regulation applies to any person subject to U.S. jurisdiction engaging in ICTS transactions with foreign adversary-linked entities, specifically covering AI developers, deployers, and infrastructure providers dealing with AI/ML, autonomous systems, drones, and data services affecting over 1 million U.S. persons.
8 subdomains (3 Good, 5 Minimal)