Friday, the DOC’s Bureau of Industry and Security (BIS) published an advanced notice of proposed rulemaking (ANPRM) in the federal register (90 FR 271-279) on “Securing the Information and Communications Technology and Services Supply Chain: Unmanned Aircraft Systems”. This ANPRM is looking at implementing the securing the information and communications technology and services supply chain requirements of EO 13873 with regards to unmanned aircraft systems that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries.
Background
In EO 13873, President Trump declared a national emergency with respect to the “unrestricted acquisition or use in the United States of information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in information and communications technology or services, with potentially catastrophic effects, and thereby constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
In the EO the term ‘information and communications technology or services’ is defined as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display”.
Potential Rule
BIS is considering developing a new regulation that could include mitigation measures and prohibitions addressing:
• Onboard computers
responsible for processing data and controlling UAV flight
• Communications
systems including, but not limited to, flight controllers, transceiver/receiver
equipment, proximity links such as Global Navigation Satellite Systems (GNSS)
sensors, and flight termination equipment,
• Flight control
systems responsible for takeoff, landing, and navigation, including, but not
limited to, exteroceptive and proprioceptive sensors,
• Ground control
stations (GCS) or systems including, but not limited to, handheld flight
controllers
• Operating software
including, but not limited to, network management software,
• Mission planning
software,
• Intelligent
battery power systems,
• Local and external
data storage devices and services, and
• Artificial intelligence (AI) software or applications.
Solicitation for Comments
BIS is soliciting public comments on these questions to advance their rulemaking process. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # BIS-2024-0058). Comments should be submitted by March 4th, 2025.
Commentary
I am disappointed that BIS did not include any questions about
cybersecurity protections for UAS, and how the applications (or absence) of
such protections could mitigate the risks discussed in this ANPRM. I would like
to propose two questions that could provide additional information necessary
for the BIS rulemaking:
• What cybersecurity
controls are in place that could prevent unauthorized access/control of UAS?
• What aftermarket
applications are available for UAS that could mitigate unauthorized
access/control of UAS?
• Could additional cybersecurity
controls be developed that would prevent unauthorized access/control of UAS?
For more information on this ANPRM, including discussion
about the information that BIS is looking for, see my article at CFSN Detailed
Analysis - https://patrickcoyle.substack.com/p/bis-publishes-security-icts-supply
- subscription required.