Commerce Rings in New Year with Proposed Rulemaking on Drones

The Department of Commerce (Commerce) Office of Information and Communications Technology and Services (OICTS) has broad authority—born out of executive action during the first Trump administration—to identify and mitigate national security risks in U.S. ICTS supply chains. Recently, OICTS has been implementing rules to broadly control risks in the technology supply chain of specific sectors, first targeting connected vehicles and now moving on to drones; datacenters and satellite technology are next. OICTS also just published a final rule regarding its review processes, replacing an interim final rule that had been in place since January 2021, and reportedly is soon to take action on China-origin router technology.

Proposed Rulemaking for Unmanned Aerial Systems

On January 3, 2025, OICTS issued a new Advanced Notice of Proposed Rulemaking (ANPRM), targeting technology and software used in unmanned aerial systems (UAS) and the impact of foreign adversaries on the UAS supply chain. UAS are the latest technology for which supply chain vulnerabilities have attracted the attention of the U.S. government, with Commerce issuing a proposed rule late last year banning the sale within or import into the United States of certain connected vehicle system hardware, software, or complete vehicles with a nexus to Russia and China.

In the new ANPRM, OICTS is seeking comment from industry participants regarding “transactions involving ICTS that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” and that are integral to UAS.[1] As UAS have applications in various parts of the U.S. economy, including agriculture, healthcare, infrastructure, and energy, the U.S. government assesses that foreign adversary involvement with such technology could pose serious risks to U.S. national security. Similar to the connected vehicles proposed rule, the ANPRM is predicated on the risk that foreign adversaries could exploit UAS ICTS for data exfiltration from and remote access control of UAS.

Preparatory to establishing a regulatory framework, the ANPRM identifies questions aimed at seeking to better understand the ICTS used in UAS and the risks posed by foreign adversary involvement in the supply chain. Specifically, OICTS is looking for information on the following topics:

• Types of ICTS most important to data collection and connectivity capabilities of UAS and most vulnerable to compromise by a foreign adversary. OICTS is seeking input on the type of ICTS that should be subject to potential mitigation measures or prohibitions and listed several kinds of ICTS that may be regulated, such as onboard computers, flight control systems, mission planning software, and artificial intelligence software.
• Risks posed by foreign adversaries. OICTS identified in the ANPRM several of the threats posed by ICTS transactions with a nexus to China or Russia and seeks input on the full scope of these threats and whether other foreign adversaries identified in the regulations—Iran, North Korea, Cuba, and the Maduro Regime of Venezuela—pose the same kinds of threats.
• The best ways OICTS can mitigate the risks of transactions involving foreign adversary ICTS concerning UAS. OICTS suggested some mitigation measures, including design requirements, machine learning controls, and ensuring security in the manufacturing process, and is seeking input on the effectiveness of these and other potential measures to mitigate risk and potentially permit what would otherwise be prohibited transactions.
• The economic consequences of mitigation measures or prohibitions on foreign adversary ICTS integral to UAS. OICTS is seeking input on potential economic consequences of regulation, such as anticompetitive effects and increased data protection costs, and how best to mitigate any negative impacts to businesses or the broader economy.

Parties may submit comments on the ANPRM until March 4, 2025.

Final Rule on ICTS Review Process

The January UAS ANPRM follows a series of actions by Commerce to shape the contours of its ITCS program. In early December, Commerce issued a final rule, replacing an interim rule that had been in place since January 2021, regarding the process for reviewing transactions pursuant to the ICTS program. The final rule clarifies the review process by providing more detail regarding procedures and timing.

Under the final rule, if Commerce finds that a transaction (1) is a covered ICTS transaction, (2) involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, and (3) poses an undue or unacceptable risk based on several criteria, Commerce provides an assessment of the transaction to an interagency group, which has 21 days to comment. After considering any comments, Commerce notifies the parties of the initial determination, and the parties have 30 days to respond with arguments or evidence that the initial determination is erroneous or with proposed remedial measures. These submissions are reviewed by the appropriate agency heads within 14 days, and ultimately the Secretary issues a final determination (which must be issued within 180 days of the initial determination) classifying the ICTS transaction as either prohibited, not prohibited, or permitted pursuant to the adoption of mitigation measures.

The final rule also adds and revises several definitions in the regulations, including clarifying the scope of an “ICTS Transaction,” which is defined as:

any acquisition, importation, transfer, installation, dealing in, or use of any ICTS, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.

In response to comments seeking clarification on some of the terms in this definition, Commerce added new definitions for “importation” and “dealing in”:

• “Importation” is “the process or activity of bringing foreign ICTS to or into the United States, regardless of the means of conveyance, including via electronic transmission.”
• “Dealing in” is the “activity of buying, selling, reselling, receiving, licensing, or acquiring ICTS, or otherwise doing or engaging in business involving the conveyance of ICTS.”

Outlook

As we previewed last fall, the U.S. government continues to introduce controls to secure the supply chain for critical technology in the United States, such as for connected vehicles, and to restrict the supply chain for foreign adversaries in advanced technology, including semiconductors. The latest developments from OICTS to regulate UAS, build out its framework for assessing ICTS transactions more broadly, and target devices such as Chinese-produced routers, are part of a trend that we expect to continue in the Trump administration, which appears poised to take an aggressive posture towards perceived supply chain national security vulnerabilities.

Emilee Karr and Carina McMillin, associates in our Washington, D.C. office, contributed to this alert.

[1] 90 Fed. Reg. 271.