Appropriate agency heads means the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission, and the heads of any other executive departments and agencies the Secretary determines is appropriate.

Commercial item has the same meaning given to it in Federal Acquisition Regulation (48 CFR part 2.101).

Connected software application means software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.

Department means the United States Department of Commerce.

End-point computing device means a device that can receive or transmit data and includes as an integral functionality the ability to collect or transmit data via the internet.

Entity means a partnership, association, trust, joint venture, corporation, group, subgroup, or other non-U.S. governmental organization.

Executive Order means Executive Order 13873, May 15, 2019, “Securing the Information and Communications Technology and Services Supply Chain”.

Foreign adversary means any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.

ICTS Transaction means any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download. An ICTS Transaction includes any other transaction, the structure of which is designed or intended to evade or circumvent the application of the Executive Order. The term ICTS Transaction includes a class of ICTS Transactions.

IEEPA means the International Emergency Economic Powers Act (50 U.S.C. 1701, et seq.).

Information and communications technology or services or ICTS means any hardware, software, including connected software applications, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.

Party or parties to a transaction means a person engaged in an ICTS Transaction, including the person acquiring the ICTS and the person from whom the ICTS is acquired. Party or parties to a transaction include entities designed, or otherwise used with the intention, to evade or circumvent application of the Executive Order. For purposes of this rule, this definition does not include common carriers, except to the extent that a common carrier knew or should have known (as the term “knowledge” is defined in 15 CFR 772.1) that it was providing transportation services of ICTS to one or more of the parties to a transaction that has been prohibited in a final written determination made by the Secretary or, if permitted subject to mitigation measures, in violation of such mitigation measures.

Person means an individual or entity.

Person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary means any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary; any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary; any corporation, partnership, association, or other organization organized under the laws of a nation-state controlled by a foreign adversary; and any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary.

Secretary means the Secretary of Commerce or the Secretary's designee.

Sensitive personal data means:

(1) Personally-identifiable information, including:

(i) Financial data that could be used to analyze or determine an individual's financial distress or hardship;

(ii) The set of data in a consumer report, as defined under 15 U.S.C. 1681a, unless such data is obtained from a consumer reporting agency for one or more purposes identified in 15 U.S.C. 1681b(a);

(iii) The set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance;

(iv) Data relating to the physical, mental, or psychological health condition of an individual;

(v) Non-public electronic communications, including email, messaging, or chat communications, between or among users of a U.S. business's products or services if a primary purpose of such product or service is to facilitate third-party user communications;

(vi) Geolocation data collected using positioning systems, cell phone towers, or WiFi access points such as via a mobile application, vehicle GPS, other onboard mapping tool, or wearable electronic device;

(vii) Biometric enrollment data including facial, voice, retina/iris, and palm/fingerprint templates;

(viii) Data stored and processed for generating a Federal, State, Tribal, Territorial, or other government identification card;

(ix) Data concerning U.S. Government personnel security clearance status; or

(x) The set of data in an application for a U.S. Government personnel security clearance or an application for employment in a position of public trust; or

(2) Genetic information, which includes the results of an individual's genetic tests, including any related genetic sequencing data, whenever such results, in isolation or in combination with previously released or publicly available data, constitute identifiable data. Such results shall not include data derived from databases maintained by the U.S. Government and routinely provided to private parties for purposes of research. For purposes of this paragraph, “genetic test” shall have the meaning provided in 42 U.S.C. 300gg-91(d)(17).

Undue or unacceptable risk means those risks identified in Section 1(a)(ii) of the Executive Order.

United States person means any United States citizen; any permanent resident alien; or any entity organized under the laws of the United States or any jurisdiction within the United States (including such entity's foreign branches).

Via the internet means using internet protocols to transmit data, including, but not limited to, transmissions by cable, telephone lines, wireless methods, satellites, or other means.

[86 FR 4923, Jan. 19, 2021, as amended at 88 FR 39357, June 16, 2023]