On January 29, 2024, the Department of Commerce's Bureau of Industry and Security (BIS) issued a Notice of Proposed Rulemaking, which would require U.S. Infrastructure as a Service providers (U.S. IaaS providers) and their foreign resellers to verify foreign customers' and their beneficial owners' identities. The Proposed Rule aims to implement Executive Orders (E.O.) 13984 and 14110, which were issued to combat foreign malign cyber actors' misappropriation of U.S. IaaS products that target U.S. critical infrastructure. BIS's Proposed Rule also invites public comments. 

Summary of the Proposed Rule

• Customer Identification Program (CIP). U.S. IaaS providers, including their foreign resellers, would be required to implement and enforce CIPs to collect and maintain personal identifying information about their current and prospective customers, including identifying the beneficial owner of all customer accounts. U.S. IaaS providers may only continue relationships with their foreign resellers if the latter maintains and implements their own CIPs. U.S. IaaS providers and their foreign resellers would be required to annually certify implementation of the CIP with BIS. 
• Artificial Intelligence (AI) Training. The Proposed Rule would require U.S. IaaS providers and their foreign resellers to submit reports to BIS detailing any transactions with foreign persons where U.S. IaaS products are used to "train large AI models with potential capabilities that could be used in malicious cyber-enabled activity." 
• Special Measures. Upon establishing reasonable grounds, BIS may impose special measures requiring U.S. IaaS providers to prohibit or limit access to IaaS products or services that foreign cyber actors may use to conduct malicious cyber-enabled activity. These measures are authorized if BIS concludes that either:
  • "A foreign jurisdiction has a significant number of foreign persons offering U.S. IaaS products that are, in turn, used for malicious cyber-enabled activities, or a significant number of foreign persons directly obtaining U.S. IaaS products and using them in malicious cyber-enabled activities," or
  • "A foreign person has established a pattern of conduct of offering U.S. IaaS products that are used for malicious cyber-enabled activities or directly obtaining U.S. IaaS products for use in malicious cyber-enabled activities." 

Key Takeaways

• The broad language of the Proposed Rule suggests it would impact a wide array of U.S. IaaS providers. Many cloud service providers may be subject to the extensive data collection and reporting obligations if it becomes final. 
• Should the Proposed Rule become final, U.S. IaaS providers will need to timely coordinate and consult with their foreign resellers to obtain the required information under the CIP and ensure the latter also implements CIPs. Under the Proposed Rule, BIS will allow U.S. IaaS providers up to one year to develop and enforce the CIPs and report to the agency accordingly. 
• Under the Proposed Rule, resellers that are small businesses may be burdened with implementing their own CIPs and should consider entering an agreement with their respective U.S. IaaS provider to "reference, use, rely on, or adopt their CIPs." 
• BIS requests comments on all aspects of the Proposed Rule by April 29, 2024, including, among other things, the potential challenges small businesses may face developing a CIP, how resellers are to verify the identity of their prospective foreign customers, and whether IaaS providers should be required to conduct third-party or internal audits to confirm their compliance with CIP. 

For more information, please contact:

Timothy O'Toole, totoole@milchev.com, 202-626-5552

Laura Deegan, ldeegan@milchev.com, 202-626-5942

Melissa Burgess, mburgess@milchev.com, 202-626-5914

Manuel Levitt, mlevitt@milchev.com, 202-626-5921

Annie Cho, acho@milchev.com, 202-626-1570

The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.