On June 9, 2021, President Biden signed an Executive Order (“June 9 E.O.”)¹ elaborating on measures to protect the information and communications technology and services (“ICTS”) supply chain with specific emphasis on connected software applications.² The June 9 E.O. directs federal agencies to (1) assess the threats posed by connected software applications controlled by foreign adversaries, (2) provide recommendations on how to protect sensitive personal data of U.S. persons, and (3) evaluate transactions involving connected software applications that pose risks to U.S. national security. The June 9 E.O. also revokes three Executive Orders issued last fall by former President Trump that targeted several Chinese communications and financial technology software applications, including TikTok and WeChat.

The June 9 E.O. also provides that the Department of Commerce is to take appropriate action in accordance with E.O. 13873³ and its implementing regulations with respect to transactions involving connected software. E.O. 13873 further gives the U.S. Government remedial authority over any transaction involving ICTS from foreign adversaries, including China and Russia.

Connected software applications are designed to be used on an end-point computing device and include the ability to collect, process, or transmit data via the Internet as an integral functionality. Connected software applications can access and capture vast swaths of information from users, including personal information and proprietary business information. Such data collection threatens to provide foreign adversaries with access to that information, which in turn presents a significant threat to U.S. national security.

According to E.O. 13873, ICTS transactions are prohibited if they pose an (i) undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States, (ii) undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or (iii) unacceptable risk to the national security of the United States or the security and safety of United States persons.⁴ (For additional context with respect to E.O. 13873 and its implementing regulations, see our previous article, New U.S. Rules on Securing the Information and Communications Technology and Services Supply Chain Mean Increased Scrutiny of ICTS Transactions.)

According to guidance published concurrently with the June 9 E.O., ICTS transactions involving connected software applications may be considered to present a heightened risk when the transactions involve applications that are “owned, controlled, or managed by persons that support foreign adversary military or intelligence activities, or are involved in malicious cyber activities, or involve applications that collect sensitive personal data.”⁵

As a result of the June 9 E.O., companies should be aware that connected software applications will be analyzed under the framework to protect the ICTS supply chain established under E.O. 13873. Specifically, companies should understand the capabilities of the software applications they use and whether a foreign adversary owns or controls those applications. Due diligence may require investigations into the ownership and management structures of companies operating such connected software applications. If you have any questions with respect to the June 9 E.O. or its impact on your operations, please do not hesitate to contact the attorneys at Torres Law.

*We would like to give a special thanks to our Law Clerk Claire Galasso for her contributions to this trade alert.

1^This Executive Order has not yet been assigned an E.O. number.

2^ Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (June 9, 2021), available at https://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/09/executive-order-on-protecting-americans-sensitive-data-from-foreign-adversaries/.

3^Exec. Order No. 13873, 84 FR 22689 (May 15, 2019), available at https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf.

4^ Id.

military or intelligence activities, or are involved in malicious cyber activities, or involve applications that collect sensitive personal data."1

As a result of the June 9 E.O., companies should be aware that connected software applications will be analyzed under the framework to protect the ICTS supply chain established under E.O. 13873. Specifically, companies should understand the capabilities of the software applications they use and whether a foreign adversary owns or controls those applications. Due diligence may require investigations into the ownership and management structures of companies operating such connected software applications. If you have any questions with respect to the June 9 E.O. or its impact on your operations, please do not hesitate to contact the attorneys at Torres Law.

5^ FACT SHEET: Executive Order Protecting Americans’ Sensitive Data from Foreign Adversaries (Jun. 9, 2021), available at https://www.whitehouse.gov/briefing-room/statements-releases/2021/06/09/fact-sheet-executive-order-protecting-americans-sensitive-data-from-foreign-adversaries/. ​