Showing posts with label EO 13984. Show all posts

Saturday, January 20, 2024

OMB Approves BIS Cyber-Enabled Activities NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs announced that it had approved a notice of proposed rulemaking for DOC’s Bureau of Industry and Security on “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities”. The NPRM was sent to OIRA on August 16th, 2024.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“Executive Order 13984 [link added] of January 19, 2021, Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, (EO 13984 or the EO) directs the Secretary of Commerce (Secretary) to propose regulations requiring certain providers and resellers of certain Infrastructure as a Service (IaaS) products to verify the identity of their foreign customers permitting the Secretary, in consultation with Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, to grant exemptions to the verification requirement; and authorizing the Secretary to impose special measures on providers with regard to certain foreign jurisdictions or foreign persons. The Department of Commerce (Department) issues this notice of proposed rulemaking (NPRM) to solicit comment on proposed regulations to implement Sections 1, 2, and 5 of EO 13984.”

Thursday, August 17, 2023

BIS Sends EO 13984 Malicious Cyber-Enabled Activities NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the DOC’s Bureau of Industry and Security (BIS) for: “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities”. This rulemaking was not listed in the Spring 2023 Unified Agenda.

This rulemaking would appear to be related to Executive Order 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities”. While that EO does not directly assign BIS any responsibilities, section 7 of the Order provides DOC broad authority “to take such actions, including the promulgation of rules and regulations, and employ all powers granted to the President by IEEPA as may be necessary to carry out the purposes of this order.”

Tuesday, September 14, 2021

OMB Approves DOC Cybersecurity ANPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an advanced notice of proposed rulemaking (ANPRM) for a Department of Commerce rulemaking on “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities”. This rulemaking was not reported in the Spring 2021 Unified Agenda.

As I noted when this rulemaking was submitted to OIRA last month, I suspect that this is an action required under EO 13984 of the same name. We could see this being published in the Federal Register within the coming week.

Friday, August 6, 2021

DOC Sends Cybersecurity ANPRM to OMB – 8-6-21

Yesterday, OMB’s Office of Information and Regulatory Affairs announced that it had received an advanced notice of proposed rulemaking (ANPRM) from the Department of Commerce on “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities”.

This rulemaking was not listed in the Spring 2021 Unified Agenda, which makes it difficult to tell for sure what the ANPRM may cover. There are, however, two regulation making requirements in EO 13984, Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, for DOC.

NOTE: EO 13984 was not one of the Trump executive orders repudiated by the incoming Biden Administration in EO 13992.

The first is for DOC to “propose for notice and comment regulations that require United States IaaS [Infrastructure as a Service] providers to verify the identity of a foreign person that obtains an Account”. This requirement called for DOC to propose those regulations within 180 days of January 19th 2021, or July 18th.

The same deadline was set for the second regulation proposing requirement for “Special Measures for Certain Foreign Jurisdictions or Foreign Persons.”

In any case, without the listing in the Unified Agenda, it is not possible to say for sure if the rulemaking sent to OIRA yesterday was either, both, or something completely different.

