Information and Communications Technology and Services National Security Review Act
This bill would create a new Office of Information and Communications Technology and Services (OICTS) within the Bureau of Industry and Security (BIS) of the Department of Commerce. The goal is to identify and mitigate or prohibit certain information and communications technology and services (ICTS) transactions that pose an undue national security risk. The Office would review “covered transactions”—transactions involving ICTS linked to entities or jurisdictions of concern (notably China, Russia, Iran, and North Korea) and/or items on the Commerce Control List—and could impose conditions, cybersecurity requirements, or exclude components, or outright prohibit transactions if risks cannot be mitigated. It would also require risk assessments from the Director of National Intelligence (DNI) and establish a framework for advisory input, enforcement, and judicial review. The bill would amend the Export Control Reform Act of 2018 to add Part IV creating this Office, and would adjust related reporting and staffing authorities. In short, the bill aims to create a centralized, Commerce-led process to screen and constrain ICTS transactions deemed to threaten U.S. national security, with formal mechanisms for investigation, mitigation, regulation, and penalties, and with DNI input for risk assessments. It would also preserve some existing authorities under other orders and laws while adding a new, more formal, cross-agency review framework focused specifically on ICTS supply chain security.
Key Points
- 1Establishment and scope of the Office: Creates the Office of Information and Communications Technology and Services (OICTS) within BIS, led by an Executive Director, to identify and mitigate undue risk in ICTS transactions and to educate industry about risks and decisions.
- 2Defined terms and risk standard: Introduces specific definitions (e.g., covered transaction, entities of concern, jurisdictions of concern, undue risk) and centers the review on ICTS transactions that involve entities or jurisdictions of concern or items on the Commerce Control List, with a focus on critical infrastructure and national security risk.
- 3Transaction review and mitigation authority: The Secretary, via OICTS, can review covered transactions, compel information, conduct investigations, and impose mitigation measures (cybersecurity standards, component/exclusion requirements) or prohibit transactions if risks cannot be mitigated, with publication of prohibitions in the Federal Register.
- 4Risk assessments and advisory input: Requires DNI to provide risk assessments on entities/jurisdictions of concern and supply chains, with unclassified summaries to Congress and a possible classified annex; establishes a technical advisory committee to inform the Office.
- 5Enforcement, penalties, and judicial review: Grants enforcement tools (investigations, subpoenas, court orders), criminal penalties (up to $1 million per violation and/or up to 20 years' imprisonment), civil penalties (monetary fines, mitigation revocation, or transaction prohibitions), and a DC Circuit exclusive venue for challenges to the part, with specific review procedures.
- 6Regulatory framework and interagency design: The Secretary may issue regulations for classes of covered transactions, aligned with broader export control authorities; the bill contemplates ongoing use and potential licensing mechanisms for transactions that are otherwise prohibited.
- 7Relationship to other laws: The act does not remove existing authorities (e.g., EO 13873, EO 14034, CFIUS under the Defense Production Act) and explicitly preserves those authorities, while adding Part IV to the Export Control Reform Act of 2018. It also includes conforming amendments to reference Part IV in related sections.