Monday, January 6, 2025

Review – BIS Publishes Security ICTS Supply Chain (UAS) ANPRM

Friday, the DOC’s Bureau of Industry and Security (BIS) published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (90 FR 271-279) on “Securing the Information and Communications Technology and Services Supply Chain: Unmanned Aircraft Systems”. This ANPRM looks at implementing the information and communications technology and services supply chain security requirements of EO 13873 with regard to unmanned aircraft systems (UAS) that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries.

Background

In EO 13873, President Trump declared a national emergency with respect to the “unrestricted acquisition or use in the United States of information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in information and communications technology or services, with potentially catastrophic effects, and thereby constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

In the EO the term ‘information and communications technology or services’ is defined as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display”.

Potential Rule

BIS is considering developing a new regulation that could include mitigation measures and prohibitions addressing:

• Onboard computers responsible for processing data and controlling UAV flight,

• Communications systems including, but not limited to, flight controllers, transceiver/receiver equipment, proximity links such as Global Navigation Satellite Systems (GNSS) sensors, and flight termination equipment,

• Flight control systems responsible for takeoff, landing, and navigation, including, but not limited to, exteroceptive and proprioceptive sensors,

• Ground control stations (GCS) or systems including, but not limited to, handheld flight controllers,

• Operating software including, but not limited to, network management software,

• Mission planning software,

• Intelligent battery power systems,

• Local and external data storage devices and services, and

• Artificial intelligence (AI) software or applications.

Solicitation for Comments

BIS is soliciting public comments on these questions to advance its rulemaking process. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # BIS-2024-0058). Comments should be submitted by March 4th, 2025.

Commentary

I am disappointed that BIS did not include any questions about cybersecurity protections for UAS, and how the application (or absence) of such protections could mitigate the risks discussed in this ANPRM. I would like to propose two questions that could provide additional information necessary for the BIS rulemaking:

• What cybersecurity controls are in place that could prevent unauthorized access/control of UAS?

• What aftermarket applications are available for UAS that could mitigate unauthorized access/control of UAS?

• Could additional cybersecurity controls be developed that would prevent unauthorized access/control of UAS?

For more information on this ANPRM, including discussion about the information that BIS is looking for, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bis-publishes-security-icts-supply - subscription required.
