By Michael G. Gruden, CIPP/G, Evan D. Wolff, Jana del-Cerro, Kate Growley, Jacob Harrison, Alexis Ward, and Akanksha Sinha

On January 29, 2024, the Department of Commerce released a proposed rule, Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, which solicits comments regarding a proposed new set of regulations that would introduce significant new requirements for U.S.-based Infrastructure as a Service (IaaS) providers.  The proposed rule implements requirements from the January 2021 Executive Order Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities and part of the October 2023 Executive Order Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.  If Commerce implements the regulations as proposed, IaaS providers would be required to create a Customer Identification Program (CIP), ensure any foreign resellers maintain a CIP, track all customer identities, verify the identities of foreign customers, and report certain transactions implicating large AI models that could be used for malicious cyber-enabled activities.  The Department is soliciting comments on all aspects of the proposed rule by April 29, 2024.

Application

The proposed rule applies to all U.S.-based providers of IaaS products.  An organization will be considered U.S.-based if it is owned by a U.S. person or if it is operated within the territory of the U.S.  Resellers of U.S. IaaS products also will be subject to these regulations.  IaaS is defined broadly to include any product or service offered to a consumer that provides processing, storage, networks, or other fundamental computing resources and with which the customer can deploy and run software that is not predefined, including operating systems and applications.

Requirements

  1. Providers Must Create and Maintain a Customer Identification Program
    As proposed, the new regulations would require each U.S. IaaS provider to create a CIP explaining how it will collect, verify, store, and maintain identifying information about its customers, as well as how the provider will notify its customers about the disclosure of identifying information.  U.S. IaaS providers will be required to implement a CIP, ensure their foreign resellers also implement a CIP, and provide details of their CIP to the Department.
  2. Providers and Resellers Must Collect Identifying Information on All Customers
    Under the proposed regulations, the CIP must include procedures to collect data sufficient to determine whether each potential customer is a foreign person or U.S. person.  For potential foreign customers, the provider or reseller will be required to collect, at minimum, the customer’s account number, physical address, email addresses, means of payment, telephone numbers, and internet protocol (IP) addresses.  The proposed rule requires providers to implement procedures within the CIP to maintain, protect, and access these records.
  3. Providers and Resellers Must Verify the Identity of All Foreign Customers
    The proposed regulations also require providers and foreign resellers to develop procedures to verify the identity of any foreign persons obtaining an account from the provider.  In addition to the minimum data collection required for each customer, providers must verify the identity of each “foreign person that obtains an [a]ccount” or any customer with a “foreign beneficial owner” added to the account.
  4. Providers Must Report Knowledge of Foreign Transactions that Could Allow Training of Large AI Models with Possibility of Malicious Cyber-Enabled Activity
    U.S. IaaS providers will be required to report knowledge of any transactions with foreign persons that could allow the foreign entity to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.  This will require providers to report transactions they know, have reason to know, or have reason to believe could be used in malicious activity.

Enforcement

The proposed regulations contemplate civil and criminal penalties for noncompliance with the new requirements.  Violations, including failing to implement the CIP, failing to submit reports and certifications, providing IaaS products to a foreign person without complete compliance, and making any false or misleading statements, could result in severe civil and criminal penalties.

Global Impact

The proposed rulemaking has garnered global attention, as its cross-border data collection requirements are unprecedented in the cloud computing space.  To the extent the U.S. alone imposes these requirements, there is concern that U.S. IaaS providers could face a competitive disadvantage, as U.S. allies have not yet announced similar foreign customer identification requirements.

The proposed regulations also could be viewed as a continuation of U.S. efforts to deter China’s AI capability.  It follows a series of amendments to U.S. export controls targeting the provision of advanced semiconductors to China and additional countries that pose a risk of diversion to China, as well as the U.S. Department of the Treasury’s recent issuance of an Advance Notice of Proposed Rulemaking aimed at curbing certain U.S. outbound investments in Chinese entities operating in the advanced semiconductor, AI software, and other national security technology arenas.  Public reporting suggests that Chinese companies have continued to train and develop their AI models using the same advanced semiconductors that are restricted for export to China through reliance on U.S. and non-U.S. cloud data centers.  The proposed new set of regulations could close down China’s remote access to the controlled chips.

Due to the novel nature of this proposed regulation and potential implications for Chinese firms, this development is being watched closely in Asia and has been reported widely by the regional media.

Key Takeaways and Recommendations

  • Under the new proposed regulations, U.S. IaaS providers would face significant new requirements with heavy consequences for noncompliance.
  • Companies should determine whether their products could be considered U.S. IaaS under the broad definitions provided by the rule.
  • Companies also should begin to analyze whether their resellers and customers are foreign-based, to determine the scope of their compliance requirements as well as whether they can securely collect, process, and maintain the requisite foreign customer data.
Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Jana del-Cerro

Maria Alejandra (Jana) del-Cerro is a partner in Crowell & Moring’s Washington, D.C. office. She is a member of the firm’s International Trade Group. Jana’s practice focuses primarily on counseling and defending clients with respect to U.S. export controls, including the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), and the sanctions programs administered by the Office of Foreign Assets Controls (OFAC), as well as the U.S. Antiboycott Laws and the Helms-Burton Act.

Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.

Alexis Ward

Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity and Government Contracts groups, Alexis has assisted clients in matters including False Claims Act investigations; developing corporate policies, procedures and governance; and in diverse matters involving cybersecurity and data privacy compliance, risk assessment and mitigation, and incident response.

During law school, Alexis founded USC Gould’s Privacy and Cybersecurity Law Society and was on the board of OUTLaw. Alexis also worked as a teaching assistant for the graduate programs’ Information Privacy Law course. Her paper The Oldest Trick in the Facebook: Would the General Data Protection Regulation Have Stopped the Cambridge Analytica Scandal? was published by the Trinity College Law Review.