Recent Developments in U.S. Supply Chain Security: Preparing for Compliance Risks Under the ICTS Rules, the Uyghur Forced Labor Prevention Act, and the National Critical Capabilities Defense Act

New York Law Journal

Supply chain security remains a key bipartisan policy goal and burgeoning compliance risk area. This article examines three recent initiatives that exemplify these trends: the regulations on securing the Information and Communications Technology and Services supply chain, the Uyghur Forced Labor Prevention Act, and the proposed National Critical Capabilities Defense Act.

Companies with cross-border supply chains should assess their exposure under these emerging regimes and prioritize their compliance efforts accordingly. The risk profile is greatest for companies developing technology and software across borders; companies importing items produced in (or incorporating components produced in) the Xinjiang region of China; parties seeking to invest in certain critical capabilities outside the United States; and government contractors that may be exposed to foreign adversaries in their supply chains.

Information and Communications Technology and Services Rules

One pillar of the U.S. government’s developing architecture for supply chain security is the U.S. Department of Commerce’s (Commerce’s) regulations on Securing the Information and Communications Technology and Services (ICTS) Supply Chain (ICTS Regulations), set out at 15 C.F.R. Part 7. Promulgated pursuant to Executive Order 13873, the rulemaking identifies the ICTS supply chain as critical to “nearly every aspect” of national security, acknowledging the degree to which American government, business, and the economy at large rely on ICTS. See Securing the Information and Communications Technology and Services Supply Chain, 86 Fed. Reg. 4909 (Jan. 19, 2021).

The ICTS Regulations empower Commerce to review, prohibit, or restrict specified “ICTS Transactions” that present national security risks. The term “ICTS Transactions” is defined broadly to include: “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.”

This review authority governs transactions occurring on or after Jan. 19, 2021, that are within U.S. jurisdiction, involving property in which a foreign party has an interest, and involving any of the following types of ICTS:

  • ICTS that will be used in a designated critical infrastructure sector (as identified in Presidential Policy Directive 21, 2013 Daily Comp. Pres. Doc. 1 (Feb. 12, 2013));
  • network infrastructure and satellites;
  • data hosting or computer services that use, process, or retain sensitive personal data of more than one million U.S. persons over a 12-month period;
  • end-point surveillance/monitoring, home networking, and drones/UAVs, where more than one million units of the subject item have been sold to U.S. persons over a 12-month period;
  • software designed to connect over the internet and in use by over one million U.S. persons on an annual basis (g., desktop, mobile, gaming, and web-based applications); and
  • specified emerging technologies, including artificial intelligence, quantum key distribution and computing, drones, autonomous systems, and advanced robotics.

Commerce has since proposed amending the ICTS Regulations to apply to specify connected software applications, implementing Executive Order 14034 on “Protecting Americans’ Sensitive Data from Foreign Adversaries.” See Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications, 86 Fed. Reg. 67379 (Nov. 26, 2021).

The ICTS review authority empowers Commerce to compel production of records and to mitigate or prohibit covered transactions where they pose an “undue or unacceptable risk.” In particular, Commerce’s review will focus on whether a transaction has a nexus with a designated “foreign adversary,” which as of this writing includes China, Cuba, Iran, North Korea, Russia, and Venezuela. 15 C.F.R. §7.4.

Companies engaged in developing ICTS for use in the United States should be mindful of the impact of the ICTS regulations. This is particularly relevant for companies developing specified ICTS hardware and software in China and Russia, or sourcing inputs for such items from those countries.

For example, companies engaged in developing ICTS for use in a critical infrastructure sector (e.g., transportation), or in any application involving access to U.S. persons’ sensitive personal data, should assess any nexus with China and Russia, including through the use of local software developers or sourcing of equipment, potentially even with respect to suppliers up the chain that may not be the company’s immediate counterparty.

Uyghur Forced Labor Prevention Act

Increased monitoring of the supply chain is also reflected in the Uyghur Forced Labor Prevention Act (UFLPA, Pub. L. No. 117-78), which went into effect on June 21, 2022. The law is intended to ensure that goods made with forced labor in the Xinjiang region of China do not enter the U.S. market, based on Congress’s concerns related to the detention of Uyghurs, Kazakhs, Kyrgyz, and other minority groups in China.

Though the Xinjiang region is principally known for its role in global cotton, textile, and apparel supply chains, U.S. Customs and Border Protection (CBP) has identified a range of commodities that present a high risk, including polysilicon, a key input in solar cells. See U.S. Customs and Border Prot., Operational Guide for Importers (2022).

Notably, the Act creates a rebuttable presumption that all “goods, wares, articles, and merchandise mined, produced, or manufactured wholly or in part” in the Xinjiang region are produced using forced labor—and thus ineligible for importation into the United States pursuant to §307 of the Tariff Act of 1930. This means that CBP will detain, seize, or exclude importation of items it determines are sourced from Xinjiang and designated Xinjiang-linked entities, as well as items incorporating inputs from such sources, unless the importer can demonstrate by clear and convincing evidence that the items at issue are not the product of forced labor.

Complementing the statute, the U.S. Forced Labor Enforcement Task Force recently issued a strategy document regarding UFLPA enforcement on June 21, 2022, specifying voluminous evidence required to rebut the presumption of forced labor applicable to covered items. See U.S. Forced Labor Enforcement Task Force, Strategy To Prevent the Importation of Goods Mined, Produced, or Manufactured with Forced Labor in the People’s Republic of China (2022).

Furthermore, the Defense Acquisition Regulations Council is now working on a draft rule implementing §848 of FY2022 National Defense Authorization Act, which includes parallel prohibitions against the use of federal funds to procure products manufactured through forced labor from the Xinjiang region. Contractors should expect requirements to conduct screening that forced labor from Xinjiang was not (and will not be) used in the performance of covered contracts.

Companies with supply chains running through China at any tier face exposure under the UFLPA, particularly if they are importing items produced in Xinjiang or by a Xinjiang-linked entity, or that incorporate content derived from such sources. Specifically, companies importing items into the United States face the risk that CBP could seize the items on suspicion that they have a nexus with the Xinjiang region and should assess the level of supplier due diligence that is appropriate based on the risk profile presented by their supply chains. Particularly impacted will be importers of polysilicon (a key input in solar cells and electronics), cotton/apparel, and tomatoes. And end users of those products may also face supply chain disruptions.

National Critical Capabilities Defense Act

Supply chain security is the dominant theme of the National Critical Capabilities Defense Act (NCCDA), proposed legislation passed by the House of Representatives in February 2022 as part of the America COMPETES Act, a much larger package focused on U.S. domestic semiconductor production and other aspects of U.S. competitiveness (certain elements of which, not including the NCCDA, eventually were signed into law as part of the CHIPS and Science Act in August 2022). See National Critical Capabilities Defense Act of 2021, H.R. 6329, 117th Cong. (2021); see also the America COMPETES Act of 2022, H.R. 4521, 117th Cong. (2022); the CHIPS and Science Act, Pub. L. No. 117-167.

Most notably, the NCCDA would establish a multiagency Committee on National Critical Capabilities (the Committee) that would review certain U.S. transactions in “national critical capabilities” related to “countries of concern,” including China and Russia. Described as establishing a “reverse CFIUS,” i.e., a mirror image of the Committee on Foreign Investment in the United States (CFIUS), which applies to inbound investments, the bill would require Committee review of U.S. outbound investments in “countries of concern”—or entities “influenced by” or “affiliated with” such countries—in critical areas, including semiconductors, pharma, large-capacity batteries, critical minerals/materials, artificial intelligence, bioeconomy, and quantum technology.

Further, the NCCDA would require Committee review of U.S. offshoring of the above capabilities to countries of concern and the sharing of related technology with such countries, and also calls for heightened review of companies’ dealings with such countries and entities if they receive certain federal funding or benefit from federal procurement from U.S. national security agencies above a certain dollar threshold.

The NCCDA is sharply focused on key aspects of supply chain security, notably with respect to reviewing activities that bolster the capability of specified “countries of concern” in critical areas and, where a company receives funding under the broader domestic semiconductor production package or is a contractor to a U.S. national security agency, reviewing its broader relationship with such countries. The overall policy intent of the NCCDA seems oriented towards shifting critical supply chains out of countries assessed to present a threat to national security.

Cross-border investors in the critical capabilities specified in the NCCDA—which, as noted above, include semiconductors, pharma, certain emerging technologies, and critical minerals/materials—should anticipate the possibility of U.S. government scrutiny of investments that have a nexus with a “country of concern.”

Notably, this would include investments not only in the country of concern itself (e.g., China and Russia), but in entities “influenced by” and “affiliated with” such countries, which could end up as broadly defined terms in the final version of the bill. Depending on how Congress ultimately fleshes out the contours of these terms, it could be necessary to conduct substantial diligence on investment targets to assess the potential applicability of the NCCDA and the attendant U.S. government national security review.

It is also anticipated that U.S. government contractors active in the national security contracting space could be subject to enhanced scrutiny to the extent that they have any exposure to countries or entities of concern. This is particularly notable in that, in comparison to previous measures targeting areas of risk for contractors (e.g., §889 of the National Defense Authorization Act for Fiscal Year 2019, focusing on exposure to equipment produced by Huawei and certain other Chinese companies), the NCCDA would provide for a holistic review of certain contractors’ exposure to countries and entities of concern.


The ICTS regulations, the UFLPA, and the proposed NCCDA all demonstrate the emerging bipartisan emphasis on building and strengthening secure, resilient supply chains. The bottom line is that companies with international operations and supply chains—particularly in critical sectors like defense, aerospace, high technology, and pharmaceutical production—should anticipate enhanced scrutiny and oversight of their cross-border activities and investments in the coming years, and take steps to invest appropriate resources to manage the risks presented in this new environment.

"Recent Developments in U.S. Supply Chain Security: Preparing for Compliance Risks Under the ICTS Rules, the Uyghur Forced Labor Prevention Act, and the National Critical Capabilities Defense Act," by Anthony Rapa and Justin A. Chiarodo* was published on September 22, 2022, in the New York Law Journal

Reprinted with permission from the September 22, 2022, edition of the New York Law Journal © 2022 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. 

Summer associate Layla Najjar assisted in the preparation of this article.