Update on ICTS Rules: Recent Actions and Path Ahead in 2025

The Department of Commerce’s Bureau of Industry and Security (BIS) has been very active so far this year with respect to its Information and Communications Technology and Services (ICTS) authorities, issuing an advance notice of proposed rule on drones and a final rule on so-called “connected vehicles.” Although those actions were taken in the final days of the Biden administration, early signs suggest the Trump administration is likely to keep those rulemakings in place and target other industries for ICTS-based prohibitions or restrictions. Notably, the authorities underlying the ICTS rules were initially established during the first Trump administration.

The ICTS rules give BIS and the newly created Office of Information and Communications Technology and Services (OICTS), the power to prohibit or impose restrictions on a broad range of ICTS transactions involving certain “foreign adversaries” where there is a threat to U.S. national security. The rules can be used to target broad “classes of transactions” or transactions that involve specific parties (for example the recent action against the Russian cybersecurity company Kaspersky).

This overview provides an analysis of the ICTS rulemaking activity that has happened so far this year and explores what is likely to lie ahead under the Trump administration.

Commerce Department Publishes Final Rule Securing Connected Vehicle Supply Chains

On January 14, 2025, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) issued a Final Rule to regulate connected vehicles and their components linked to foreign adversaries, specifically China and Russia. Building on the Proposed Rule (NPRM) published in September 2024 (which Steptoe previously covered here), the Final Rule aims to mitigate national security risks posed by connected vehicle systems vulnerable to data exfiltration and cyberattacks. The Final Rule will take effect on March 17, 2025.

The Final Rule retains the same general prohibitions that were set out in the NPRM. Specifically, the Final Rule:

1. Prohibits Vehicle Connectivity System (VCS) Hardware Importers from importing into the United States VCS Hardware designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the China or Russia;
2. Prohibits Connected Vehicle Manufacturers from knowingly importing into or selling within the United States completed connected vehicles that incorporate Covered Software designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the China or Russia; and
3. Prohibits Connected Vehicle Manufacturers who are owned by, controlled by, or subject to the jurisdiction or direction of the China or Russia from knowingly selling in the United States complete connected vehicles that incorporate VCS Hardware or Covered Software regardless of whether such VCS Hardware or Covered Software is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the China or Russia. Such manufacturers are also prohibited from offering commercial services in the United States that utilize completed connected vehicles that incorporate an Automated Driving System (ADS).

Although the Final Rule will take effect on March 17, 2025 the prohibitions on the import or sale of connected vehicles that incorporate Covered Software will take effect for vehicle Model Year 2027, and the prohibitions on the import of VCS Hardware will take effect for vehicle Model Year 2030 (or January 1, 2029, for hardware not associated with a specific model year). 

Key Changes from the NPRM

The Final Rule retains the core framework of the NPRM but incorporates the following notable changes:

Refinement of Definitions

• Vehicle Connectivity Systems: VCS is now defined as hardware or software that “directly enables” radio frequency communication at over 450 MHz. The Final Rule excludes items supporting non-critical functions, such as LiDAR, key fobs, and AM/FM radio; thus, narrowing the scope compared to the NPRM.
• VCS Hardware: BIS amended this definition to narrow the scope of what constitutes VCS Hardware. Specifically, VCS Hardware is defined in the Final Rule to encompass software-enabled or programmable components that directly enable the function of, or are directly connected to VCS, or are part of an item that directly enables the function of VCS. This replaces the use of the broader term “support” in the NPRM definition.
  • BIS further clarified that VCS Hardware sufficiently linked to China or Russia that has already been installed, incorporated, or integrated into a connected vehicle is covered under the Final Rule’s import prohibition.

• Covered Software: This term now explicitly includes application, middleware, and system software while continuing to exclude firmware. 
  • BIS created an exemption for legacy software. In particular, Covered Software subcomponents designed or developed before March 17, 2026, are exempt unless maintained or altered by a foreign adversary after this date.
  • Similar to its revision to the VCS Hardware definition, BIS narrowed the scope of Covered Software to cover software-based components, in which there is a foreign interest, executed by the primary processing unit or units of an item that directly enables (rather than “supports”) the function of VCS or ADS at the vehicle level.
  • BIS clarified that if just one software subcomponent of an ADS software suite is designed, developed, manufactured, or supplied by a Chinese or Russian entity, then the entire ADS software suite would be considered designed, developed, manufactured, or supplied by a foreign adversary entity.
• Exclusion for Certain Commercial Vehicles: The Final Rule excludes vehicles with a gross vehicle weight rating exceeding 10,000 pounds, addressing concerns raised by commercial vehicle manufacturers. BIS stated that it intends to issue a separate rulemaking specifically regulating commercial vehicles, which will be tailored to the distinct characteristics of the commercial vehicle industry and supply chain.
• Connected Vehicle Manufacturer: BIS revised the definition of Connected Vehicle Manufacturer to clarify that this term encompasses entities that purchase completed connected vehicles from a third party and subsequently integrate their proprietary ADS on the vehicle to enable autonomous driving.

• Person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary: BIS did not alter the definition from the NPRM. However, it did clarify that VCS Hardware and Covered Software would not be considered designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of China or Russia based solely on the country of citizenship of one or more natural persons who are employed by, contracted by, or otherwise similarly engaged in such actions through the entity designing, developing, manufacturing, or supplying the VCS Hardware or Covered Software.

Changes to General and Specific Authorizations

• General Authorizations: Rather than set out predetermined categories of General Authorizations directly in the regulations, the Final Rule indicates BIS will separately issue General Authorizations on its website and in the Federal Register. BIS stated that it plans to issue a set of General Authorizations that mirror the types of General Authorizations identified in the NPRM – i.e., for small businesses; for connected vehicles used infrequently on public roads; for display, testing, or research purposes; and for repair, alteration, or competition.
• Specific Authorizations: BIS made multiple changes and clarifications to the Specific Authorization process:
  • BIS clarified that it will utilize applicant-specific criteria in assessing and providing Specific Authorizations, allowing BIS to grant authorizations for otherwise prohibited transactions based on security controls tailored to mitigate specific risks. Accordingly, BIS explained that a “combination of security controls” could successfully mitigate the national security risk relating to certain connected vehicles.
  • BIS also indicated it would address a range of specific circumstances and concerns identified by commenters in subsequent Specific Authorizations.
• Appeal process: The Final Rule allows for any person directly and adversely affected by specific administrative actions taken by BIS – including the denial of an application for a specific authorization, suspension or revocation of an issued specific authorization, or determination of ineligibility for a general authorization – to file an appeal of the decision to a higher-level official within the Commerce Department. Appeals must be submitted within 45 days of the date on the written notice of administrative action.

Compliance Adjustments

• Declarations of Conformity: BIS retained the requirement for VCS Hardware Importers and Connected Vehicle Manufacturers to (at least) annually submit a Conformity Declaration certifying compliance with the Final Rule before importing or selling any covered products. However, BIS substantially altered the structure and requirements for submission of Conformity Declarations, in order to streamline the process and reduce the compliance burden on regulated entities.
  • BIS relaxed the requirements for what materials must be included in a Conformity Declaration. In contrast to the NPRM, in the Final Rule supporting documentation, such as Hardware Bills of Materials (HBOMs) and Software Bills of Materials (SBOMs), need not be affirmatively submitted as part of a Conformity Declaration. Rather, the declarant need only certify that (1) it has conducted due diligence to inform the certification, and (2) that all possible measures, either contractually or otherwise, have been taken to ensure any necessary documentation and assessments from suppliers will be furnished to BIS upon request.
  • In connection with the changes to the Conformity Declaration requirements, BIS enhanced the Final Rule’s recordkeeping requirements. Specifically, regulated entities and/or third-party assessors, as applicable, will be required to maintain “all primary business records related to the execution of each transaction” for which a Declaration of Conformity (as well as General Authorizations, or Specific Authorizations) would be required, for a period of at least 10 years from such transaction. Third-party assessors specifically are required to maintain all records relating to third-party verification or assessment of a U.S. person’s compliance with the Final Rule.
  • The Final Rule adds an exemption from the requirement to submit a Conformity Declaration where “the only foreign interest in a transaction arises from a foreign person’s equity ownership of a U.S. person, whether through ownership of public shares or otherwise.” However, BIS clarifies that this exemption does not apply where the foreign person’s equity ownership “allows a foreign person to exercise control over the U.S. person.”

Commerce Department Seeks to Regulate Drones Under ICTS Rules

On January 3, 2025, BIS issued an advance notice of proposed rulemaking (ANPRM) regarding the potential application of supply chain restrictions to unmanned aircraft systems (UAS) (commonly referred to as drones) under the ICTS rules. The ANPRM is the first step in potentially prohibiting or requiring mitigation measures for certain transactions involving UAS linked to China or Russia. BIS is seeking comments on or before March 4, 2025.

This marks the second time BIS has sought to regulate a class of transactions under ICTS rules, following its final rulemaking to regulate “connected vehicles” linked to China and Russia (discussed above).

BIS seeks feedback on several broad areas of information:

1. Definitions of UAS and their components;
2. Assessments of how potential classes of ICTS technology may pose risks to national security;
3. Evaluations of risk posed by foreign adversaries;
4. Potential processes for the public to request approval to engage in an otherwise prohibited transaction;
5. Economic impact of regulation; and
6. Mitigation measures.

Within each of these broader areas, BIS provides further sub-questions for public input.

An eventual proposed rule seems likely to follow the broad structure in the connect vehicles rule, discussed above, with respect to certain key definitions, general and specific authorizations, and an appeals process. It is possible, however, that BIS deviates from the general structure of the connected vehicles rule in this rulemaking. The degree to which it follows the connected vehicles rulemaking with respect to overall structure will be important both with respect to the UAS rulemaking and to future rulemakings as well, as it will signal whether BIS intends to use the same general framework in each of its rules or intends to create an entirely unique regime for each class of transactions it addresses.

Regardless of the final structure of the regulations, the rulemaking process will undoubtedly have a deep impact on the industry. Chinese companies dominate in the field of UAS and their components — controlling up to 75% of the U.S. UAS market and an even greater percent for hobbyist drones.

This ANPRM follows a number of government contract-related restrictions, including:

• Section 848 of the National Defense Authorization Act (NDAA) for Fiscal Year 2020, which prohibits the U.S. Department of Defense from operating or procuring UAS manufactured in China or that use critical components manufactured in China.
• Section 817 of the NDAA for Fiscal Year 2023, which then extends this prohibition to DoD contractors in the performance of their contracts and to other countries and specific entities, including the largest drone manufacturer in China.
• The NDAA for Fiscal Year 2024, which extends the prohibition even further to all U.S. federal agencies and creates a mechanism by which entities located in China and other foreign jurisdictions be added to a prohibited list.

Early Signs from the Trump Administration

Early signs from the Trump administration, suggest it is unlikely to rollback these ICTS initiatives. Indeed, the America First Trade Policy Memorandum issued by President Trump directs the Secretary of Commerce to review the connected vehicles rulemaking and “consider whether controls on ICTS transactions should be expanded to account for additional connected products.” BIS also signaled its intent to publish an ICTS rule focused on “cloud computing products and services and data center products and services.” We expect that rulemaking process to continue given early statements from the administration focused on the need to secure U.S. critical infrastructure and prevent Chinese access to U.S. critical technologies.

Finally, as noted above, the authorities underlying the ICTS rules were created at the end of the first Trump administration and, therefore, are likely to be looked on positively by President Trump and his team, unlike certain other regulations that were initially promulgated under President Biden.

***

For more information on these actions, assistance with compliance or comment preparation, or to discuss how they may impact your business, please contact a member of Steptoe’s National Security & Cross-Border Transactions, Export Controls, and Government Contracts practices.