The Commerce Department published a notice of proposed rulemaking (NPRM) for establishing new requirements for Infrastructure as a Service providers (IaaS or “cloud infrastructure providers”).
The NPRM outlines proposed requirements to address the risk of foreign malicious actors using U.S. cloud services that could be used in malicious cyber-enabled activity to harm U.S. critical infrastructure or national security, including to train large artificial intelligence (AI) models.
This NPRM is a step in implementing the President’s Executive Order (EO) on “Safe, Secure, and Trustworthy Use and Development of Artificial Intelligence” (EO 14110) and the National Cybersecurity Strategy.
“Today’s rule puts foreign malicious cyber actors on notice that we are taking action to prevent them from using our own cloud infrastructure to undermine our national security interests,” said Under Secretary for Industry and Security Alan Estevez.
The proposed rule introduces potential regulations that require U.S. cloud infrastructure providers and their foreign resellers to implement and maintain Customer Identification Programs (CIPs), which would include the collection of “Know Your Customer” (KYC) information.
Similar KYC requirements already exist in other industries and seek to assist service providers in identifying and addressing potential risks posed by providing services to certain customers. Such risks include fraud, theft, facilitation of terrorism, and other activities contrary to U.S. national security interests.
The NPRM also authorizes the imposition of certain special measures that can restrict malicious cyber-enabled actors’ access to U.S. IaaS.
In this NPRM, the Department seeks feedback on a number of issues, including: minimum verification standards, access, and record-keeping requirements that providers must adopt; the procedures by which the Secretary of Commerce decides when and how to impose a special measure; and the definitions of several key IaaS and AI-related terms as they apply to the regulations.
This NPRM incorporates many of the public comments received in response to a September 24, 2021, Advanced Notice of Proposed Rulemaking (ANPRM). That ANPRM sought feedback on how the Department should implement various provisions of EO 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber Enabled Activities.”
Based on these comments, the Department has drafted the proposed rule to clarify requirements for the public in ways that are consistent with industry and public understanding of IaaS-related products and services.
The text of the proposed rule released today is available on the Federal Register’s website. The deadline for public comments is April 29, 2024.
The ICTS program became a mission of BIS in 2022. OICTS is charged with implementing a series of Executive Orders (EOs) under the International Emergency Economic Powers Act (IEEPA) focused on protecting domestic information and communications systems from threats posed by foreign adversaries.
The ICTS program’s authorities include:
For more information, visit http://www.bis.doc.gov.