Regulates transactions involving ICTS from foreign adversaries, with the Secretary of Commerce reviewing and potentially prohibiting such activities. Defines covered ICTS Transactions, foreign adversaries, and responsibilities. Imposes penalties for violations and mandates information disclosure and consultation among agency heads.
Analysis summaries, actor details, and coverage mappings were LLM-classified and may contain errors.
This is a binding federal regulation issued by the Department of Commerce under statutory authority (IEEPA and Executive Orders), with mandatory language throughout, explicit enforcement mechanisms including civil and criminal penalties, and formal administrative procedures for compliance.
The document primarily addresses security and malicious actor risks, with strong coverage of AI system security vulnerabilities (2.2), cyberattacks and weapons development (4.2), disinformation and surveillance (4.1), and competitive dynamics (6.4). It also covers governance failure risks (6.5) through its regulatory framework provisions. The document focuses on supply chain security risks from foreign adversaries rather than AI-specific harms.
This regulation has broad cross-sectoral application, governing ICTS transactions across virtually all economic sectors. It has particularly strong coverage of Information (telecommunications, data processing), Finance and Insurance, Health Care, Public Administration, and National Security sectors due to explicit mentions of critical infrastructure subsectors and sensitive data handling.
The document covers multiple lifecycle stages with primary focus on deployment and operation/monitoring of ICTS. It addresses the acquisition, importation, transfer, installation, dealing in, and use of technology, which spans deployment and operational phases. There is minimal coverage of earlier stages like design or data collection.
The document explicitly mentions AI as part of 'critical and emerging technologies' but does not provide detailed definitions or distinctions between AI models, systems, or specific AI types. It focuses on ICTS broadly, including connected software applications and data processing services. No compute thresholds or specific AI model categories (frontier, GPAI, foundation models, etc.) are mentioned.
Department of Commerce; Secretary of Commerce; Office of Information and Communications Technology and Services
The regulation is issued by the Department of Commerce under the authority of the Secretary of Commerce, implementing Executive Order 13873. The document is signed by the Executive Director of the Office of Information and Communications Technology and Services.
Secretary of Commerce; Department of Commerce; U.S. district court
The Secretary of Commerce has primary enforcement authority, including the power to issue determinations, impose penalties, conduct investigations, and take legal action. Civil penalties can be recovered through U.S. district court actions.
Secretary of Commerce; appropriate agency heads; Secretary of the Treasury; Secretary of State; Secretary of Defense; Attorney General; Secretary of Homeland Security; United States Trade Representative; Director of National Intelligence; Administrator of General Services; Chairman of the Federal Communications Commission
The Secretary of Commerce monitors compliance through recordkeeping requirements, information demands, and ongoing review authority. Multiple federal agency heads are consulted and provide oversight through the interagency process for determinations.
United States persons; parties to ICTS Transactions; persons engaged in acquisition, importation, transfer, installation, dealing in, or use of ICTS
The regulation applies to any person (including United States persons and entities) who engages in ICTS transactions involving technology from foreign adversaries. This includes designers, developers, providers, buyers, sellers, transferors, licensors, brokers, acquirors, intermediaries, and end users of ICTS.
7 subdomains (4 Good, 3 Minimal)