On January 29, 2024, the Department of Commerce released a proposed rule, Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, which solicits comments on a new set of regulations that would introduce significant requirements for U.S.-based Infrastructure as a Service (IaaS) providers.  The proposed rule implements requirements from the January 2021 Executive Order of the same name, Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, and part of the October 2023 Executive Order Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.  If Commerce implements the regulations as proposed, IaaS providers would be required to create a Customer Identification Program (CIP), ensure that any foreign resellers maintain a CIP, track all customer identities, verify the identities of foreign customers, and report certain transactions involving the training of large AI models that could be used for malicious cyber-enabled activities.  The Department is soliciting comments on all aspects of the proposed rule through April 29, 2024.

Application

The proposed rule applies to all U.S.-based providers of IaaS products.  An organization will be considered U.S.-based if it is owned by a U.S. person or if it is operated within the territory of the U.S.  Resellers of U.S. IaaS products also will be subject to these regulations.  IaaS is defined broadly to include any product or service offered to a consumer that provides processing, storage, networks, or other fundamental computing resources and with which the customer can deploy and run software that is not predefined, including operating systems and applications.

Requirements

  1. Providers Must Create and Maintain a Customer Identification Program
    As proposed, the new regulations would require each U.S. IaaS provider to create a CIP explaining how it will collect, verify, store, and maintain identifying information about its customers, as well as how the provider will notify its customers about the disclosure of identifying information.  U.S. IaaS providers will be required to implement a CIP, ensure their foreign resellers also implement a CIP, and provide details of their CIP to the Department.
  2. Providers and Resellers Must Collect Identifying Information on All Customers
    Under the proposed regulations, the CIP must include procedures to collect data sufficient to determine whether each potential customer is a foreign person or U.S. person.  For potential foreign customers, the provider or reseller will be required to collect, at minimum, the customer’s account number, physical address, email addresses, means of payment, telephone numbers, and internet protocol (IP) addresses.  The proposed rule requires providers to implement procedures within the CIP to maintain, protect, and access these records.
  3. Providers and Resellers Must Verify the Identity of All Foreign Customers
    The proposed regulations also require providers and foreign resellers to develop procedures to verify the identity of any foreign persons obtaining an account from the provider.  In addition to the minimum data collection required for each customer, providers must verify the identity of each “foreign person that obtains an [a]ccount” or any customer with a “foreign beneficial owner” added to the account.
  4. Providers Must Report Known Foreign Transactions That Could Enable Training of Large AI Models with Potential for Malicious Cyber-Enabled Activity
    U.S. IaaS providers would be required to report any transaction with a foreign person that could allow that foreign person to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.  The reporting obligation would attach to transactions the provider knows, has reason to know, or has reason to believe could enable such training, not only to transactions the provider has affirmatively confirmed.

Enforcement

The proposed regulations contemplate civil and criminal penalties for noncompliance with the new requirements.  Violations, including failing to implement the CIP, failing to submit reports and certifications, providing IaaS products to a foreign person without complete compliance, and making any false or misleading statements, could result in severe civil and criminal penalties. 

Global Impact

The proposed rulemaking has garnered global attention, as its cross-border data collection requirements are unprecedented in the cloud computing space.  To the extent the U.S. alone imposes these requirements, there is concern that U.S. IaaS providers could face a competitive disadvantage, as U.S. allies have not yet announced similar foreign customer identification requirements.

The proposed regulations also could be viewed as a continuation of U.S. efforts to constrain China’s AI capabilities.  They follow a series of amendments to U.S. export controls targeting the provision of advanced semiconductors to China and to additional countries that pose a risk of diversion to China, as well as the U.S. Department of the Treasury’s recent Advance Notice of Proposed Rulemaking aimed at curbing certain U.S. outbound investments in Chinese entities operating in advanced semiconductors, AI software, and other national security technology arenas.  Public reporting suggests that Chinese companies have continued to train and develop their AI models on the same advanced semiconductors that are restricted for export to China, by renting that compute from U.S. and non-U.S. cloud data centers.  The proposed regulations could cut off that remote access to controlled chips, at least where the access runs through U.S. IaaS providers and their resellers.

Due to the novel nature of this proposed regulation and potential implications for Chinese firms, this development is being watched closely in Asia and has been reported widely by the regional media.

Key Takeaways and Recommendations

  • Under the new proposed regulations, U.S. IaaS providers would face significant new requirements with heavy consequences for noncompliance.
  • Companies should determine whether their products could be considered U.S. IaaS under the broad definitions provided by the rule.
  • Companies also should begin to analyze whether their resellers and customers are foreign-based, to determine the scope of their compliance requirements as well as whether they can securely collect, process, and maintain the requisite foreign customer data.
Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.