This bill would create the Office of Information and Communications Technology and Services within the Bureau of Industry and Security (BIS) to identify and mitigate undue risk in ICTS transactions. It draws on existing export control authorities and national security framing, codifying a dedicated mechanism to review and manage risks linked to information and communications technology and services.
It also establishes a transaction review process, empowers BIS to require information, impose mitigations, or prohibit transactions, and authorizes the Secretary to regulate classes of covered transactions connected to entities or jurisdictions of concern. The bill requires risk assessments from the Director of National Intelligence and sets up enforcement, judicial review, and penalties to ensure compliance.
The overall aim is to safeguard the ICTS supply chain while creating a formalized process for industry, government, and oversight.
At a Glance
What It Does
Establishes an Office within BIS to identify and mitigate undue risk in ICTS transactions and to educate industry on risks. Establishes a regulated process for reviewing “covered transactions” and for imposing mitigations or prohibitions.
Who It Affects
ICTS exporters, manufacturers, and suppliers; entities subject to U.S. jurisdiction; critical infrastructure operators; and private-sector partners in the ICTS supply chain. DNI risk assessments will inform the process.
Why It Matters
Creates a formal, government-wide mechanism to manage national-security risks in ICTS, potentially reshaping supply-chain decisions and the boundaries of permissible transactions.
What This Bill Actually Does
The bill creates a new Office of Information and Communications Technology and Services inside the BIS, led by an Executive Director, to identify and mitigate undue risk in ICTS-related transactions. Its core function is to examine covered transactions—those involving ICTS and subject to U.S. jurisdiction—and to mitigate risks through measures such as cyber security standards, partial component exclusions, or outright prohibitions when risks cannot be managed.
To guide this work, the bill authorizes the Secretary to issue regulations for certain classes of transactions and to establish criteria for recognizing categories of transactions or participants that require extra scrutiny. It also requires risk assessments from the Director of National Intelligence on threats to supply chains, with products and entities posing high risk identified and reported to Congress in unclassified form (with a classified annex for sensitive detail).
Enforcement provisions give BIS the authority to investigate violations, issue subpoenas, and impose civil or criminal penalties for noncompliance.
The bill also provides avenues for judicial review, and it preserves certain preexisting authorities while adding new ones, including a technical advisory committee and confidentiality protections for sensitive information.
The Five Things You Need to Know
The Office of Information and Communications Technology and Services is established within BIS and led by an Executive Director.
The Secretary may review covered ICTS transactions, request information under oath, and mitigate or prohibit transactions posing undue risk.
Regulations may be issued to identify classes of transactions or entities of concern requiring special mitigation or prohibitions.
DNI risk assessments are required (180 days post-enactment and annually), with unclassified summaries to Congress.
Penalties (criminal and civil) and enforcement tools are created, including investigations, subpoenas, and court actions.
Section-by-Section Breakdown
Establishment of the ICTS Office
There is established within BIS an Office of Information and Communications Technology and Services. The Office is led by an Executive Director appointed by the Secretary and reporting to the Under Secretary for Industry and Security (through its future Assistant Secretary). The Executive Director also has a transition path allowing the incumbent to continue serving after enactment. This sets the governance backbone for the new Office and its authority over ICTS risk management.
Transaction Review Process
The Secretary, via the ICTS Office, shall review covered transactions suspected of posing an undue risk. The review process authorizes demanding information under oath, requiring specific forms, and conducting investigations, hearings, and subpoenas as needed. If a risk is found, the Secretary may mitigate through negotiated agreements, cybersecurity or other mitigation measures, or exclude certain components; if mitigation is not possible, the transaction may be prohibited with required notice and Federal Register publication.
Regulating Covered Transactions (Entities/Jurisdictions of Concern)
The Secretary may issue regulations for certain classes of covered transactions to identify entities of concern or jurisdictions of concern and to establish mitigations or prohibitions. Regulations may classify transactions as categorically included or excluded from mitigation measures and set procedures to authorize or license otherwise prohibited transactions.
Risk Assessments by DNI
Not later than 180 days after enactment, the DNI must provide to the Secretary risk assessments on threats posed by entities or jurisdictions of concern to ICTS supply chains, including criteria to evaluate national security risk and to identify high-risk participants. The DNI must also assess threats to the broader ICTS supply chain and provide these assessments to Congress in unclassified form within 90 days of submission, with a classified annex for sensitive detail.
Other Authorities and Advisory Committee
The Secretary may preserve existing regulations under EO 13873 and EO 14034, issue new guidance, and establish an ICTS technical advisory committee to report to the Executive Director. The committee must include industry experts, private-sector representatives, and a designated Federal officer to administer the committee and report back.
Enforcement
The Secretary may investigate violations of any authorization, order, mitigation, or prohibition under this part. Designees may exercise enforcement powers such as inspections, subpoenas, and court-ordered actions, with authority extending to other federal laws as needed for enforcement.
Judicial Review
Challenges to this part or related actions may be brought in the U.S. Court of Appeals for the D.C. Circuit. The court has exclusive jurisdiction over such challenges against the United States, with certain information subject to in-camera or sealed review and potential protection under privilege.
Penalties
Unlawful acts are punishable; criminal penalties can include fines up to $1,000,000 per violation and up to 20 years’ imprisonment. Civil penalties may include monetary penalties, revocation of mitigations, or restrictions on covered transactions, with settlement and pre-penalty procedures to resolve alleged violations.
Relationship to Other Laws
This part does not negate other federal authorities or processes. It preserves the applicability of certain laws and exemptions (e.g., Paperwork Reduction Act exception) and maintains the ability of CFIUS to act under the Defense Production Act. It also preserves the Office’s authority under EO 13873 and EO 14034.
Conforming Amendments to Export Control Reform Act of 2018
The bill amends ECRA definitions and reporting to reflect the addition of Part IV. It expands the annual reporting requirement to include a summary of how Part IV authorities are used to block entities of concern from acquiring sensitive technology. It also adds an additional Assistant Secretary of Commerce to assist the Under Secretary in implementing Part IV.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- U.S. national security and critical infrastructure operators benefit from reduced risk exposure and clearer mitigations for ICTS transactions, improving resilience and incident response.
- ICTS exporters and suppliers gain a defined process for risk review, potentially reducing unilateral disruption by clarifying review triggers and mitigation options.
- Commerce Department, BIS, and national policy makers obtain a formalized framework and intelligence inputs (DNI risk assessments) to guide export controls and supply-chain protections.
- Congress receives periodic, unclassified risk assessments to inform oversight and policy decisions.
Who Bears the Cost
- ICTS providers and exporters face additional compliance costs and potential transaction delays due to review processes and information requests.
- Small or mid-sized ICTS firms may bear disproportionate burdens from information requests, audits, and potential mitigation measures.
- Entities of concern and jurisdictions of concern or participants in the supply chain may face prohibitions or restrictions on certain ICTS transactions.
- Private-sector entities may incur costs to meet cyber security standards or to implement required mitigation measures.
- Federal agencies and BIS incur ongoing enforcement and administrative costs to administer reviews, investigations, and penalties.
Key Issues
The Core Tension
The central dilemma is whether the government can credibly mitigate national-security risks in the ICTS supply chain through broad, regulatory oversight without unduly constraining innovation, trade, and everyday business operations.
The bill creates a powerful framework for screening and mitigating risks in ICTS transactions, but the broad authorization to regulate classes of covered transactions and to impose mitigation measures or prohibitions raises concerns about overbreadth and potential disruption to legitimate commerce and innovation. The DNI risk assessments will inform decision-making, yet the process relies on intelligence inputs that can be incomplete or contested, and the reliance on executive-made regulations could lead to rapidly shifting requirements for industry.
Confidentiality protections exist, but the handling of sensitive data and the possibility of classified considerations may complicate compliance for non-governmental actors. The balance between risk mitigation, operational efficiency, and the need for global technology collaboration will be a central policy tension as the Part IV framework is implemented.