United States of America: Implemented Final Rule on Securing the Information and Communications Technology and Services Supply Chain including connected software applications

On 17 July 2023, the final rule amending the "Securing the Information and Communications Technology and Services Supply Chain" (Executive Order 13873) entered into force. The final rule expands the scope of covered information and communications technologies or services transactions (ICTS Transactions) to include “connected software applications” defined as software, a software program, or a group of software programs designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet. The final rule also establishes the procedure for the Secretary of Commerce to determine whether an ICTS Transaction provided by "foreign adversaries" poses unacceptable risks. In particular, for the review and authorisation of ICTS Transactions involving connected software applications the new final rule provides criteria to make a determination, including the number and sensitivity of the users with access to the connected software application, the scope and sensitivity of the data collected, a lack of thorough and reliable third-party auditing of connected software applications, and the extent to which identified risks have been or can be addressed by independently verifiable measures.