[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 2040 Introduced in Senate (IS)]

119th CONGRESS
1st Session

S. 2040

To establish the Office of Information and Communications Technology and Services within the Bureau of Industry and Security of the Department of Commerce, and for other purposes.

IN THE SENATE OF THE UNITED STATES

June 11, 2025

Ms. Slotkin introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban Affairs

A BILL

To establish the Office of Information and Communications Technology and Services within the Bureau of Industry and Security of the Department of Commerce, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Connected Vehicle National Security Review Act''.

SEC. 2. OFFICE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY AND SERVICES.

    (a) In General.--The Export Control Reform Act of 2018 (50 U.S.C. 4801 et seq.) is amended by adding at the end the following:

``PART IV--OFFICE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY AND SERVICES

``SEC. 1785. DEFINITIONS.

    ``In this part:
        ``(1) Agency.--The term `agency' has the meaning given that term in section 551 of title 5, United States Code.
        ``(2) Commerce control list.--The term `Commerce Control List' means the Commerce Control List set forth in Supplement No. 1 to part 774 of the Export Administration Regulations.
        ``(3) Connected vehicle.--
            ``(A) In general.--Except as provided by subparagraph (B), the term `connected vehicle' means a vehicle driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways, that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.
            ``(B) Exclusions.--The term `connected vehicle' does not include a vehicle operated only on a rail line.
        ``(4) Covered transaction.--The term `covered transaction' means a transaction that--
            ``(A) is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States;
            ``(B) involves--
                ``(i) ICTS (as the term is defined by Executive Order 13873) that is--
                    ``(I) designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to a jurisdiction or direction of a jurisdiction of concern; and
                    ``(II) used in a connected vehicle; or
                ``(ii) an item on the Commerce Control List that is used in a connected vehicle; and
            ``(C) is--
                ``(i) an ICTS transaction (as described in section 791.1 of title 15, Code of Federal Regulations (or any successor regulation)); or
                ``(ii) a transaction relating to the export, reexport, or in-country transfer for an item described in subparagraph (B)(ii).
        ``(5) Critical infrastructure.--The term `critical infrastructure' means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters.
        ``(6) Entity.--The term `entity' means any firm, partnership, trust, joint venture, corporation, or other association or organization.
        ``(7) Entity of concern.--The term `entity of concern' means an entity owned or controlled by--
            ``(A) an entity listed on the Entity List set forth in Supplement No. 4 to part 744 of the Export Administration Regulation; or
            ``(B) a person subject to the jurisdiction of a country that is under a comprehensive United States arms embargo, as listed in Country Group D:5 in Supplement No. 1 to part 740 of the Export Administration Regulations.
        ``(8) Information and communications technology and services; icts.--The terms `information and communications technology and services' and `ICTS' have the meaning given the term `information and communications technology or services' in Executive Order 13873 (50 U.S.C. 1701 note; relating to securing the information and communications technology and services supply chain).
        ``(9) Jurisdiction of concern.--The term `jurisdiction of concern' means any of the following:
            ``(A) The People's Republic of China.
            ``(B) The Russian Federation.
            ``(C) The Islamic Republic of Iran.
            ``(D) The Democratic People's Republic of Korea.
        ``(10) Relevant committees of congress.--The term `relevant committees of Congress' means--
            ``(A) the Committee on Banking, Housing, and Urban Affairs of the Senate; and
            ``(B) the Committee on Foreign Affairs of the House of Representatives.
        ``(11) Undue risk.--The term `undue risk' means any of the following:
            ``(A) The undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of ICTS in the United States.
            ``(B) The undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States.
            ``(C) The undue risk of an entity of concern acquiring an item on the Commerce Control List.

``SEC. 1785A. OFFICE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY AND SERVICES.

    ``(a) Establishment.--There is established within the Bureau of Industry and Security of the Department of Commerce an Office of Information and Communications Technology and Services (in this section referred to as the `Office').
    ``(b) Executive Director.--The head of the Office shall be an Executive Director, who shall--
        ``(1) be appointed by the Secretary; and
        ``(2) report to the Assistant Secretary appointed under section 1782(a)(2).
    ``(c) Duties.--The Office shall--
        ``(1) identify and prevent through mitigation or prohibition the undue risk posed by certain transactions; and
        ``(2) educate industry and other partners on relevant risks and communicate decisions.
    ``(d) Special Hiring Authority.--The Executive Director may appoint, without regard to the provisions of sections 3309 through 3318 of title 5, United States Code, candidates directly to positions in the competitive service (as defined in section 2102 of that title).
    ``(e) Transition Rules.--
        ``(1) Continuation in office of the executive director.--An individual serving as the Executive Director before the date of the enactment of this part may serve as the Executive Director on and after that date without the need for appointment under subsection (b).
        ``(2) Reporting.--The Executive Director shall report to the Under Secretary for Industry and Security until such time as an Assistant Secretary is appointed, by and with the advice and consent of the Senate, under section 1782(a)(2).

``SEC. 1785B. TRANSACTION REVIEW PROCESS.

    ``(a) In General.--The Secretary, acting through the Office of Information and Communications Technology and Services, shall review covered transactions according to the following procedures:
        ``(1) Review.--The Secretary may review any covered transaction that the Secretary suspects poses an undue risk.
        ``(2) Investigative authority.--In reviewing a covered transaction described in paragraph (1) the Secretary may do the following:
            ``(A) Require any person subject to the jurisdiction of the United States to furnish under oath, in the form of a report or otherwise, at any time as may be required by the Secretary, complete information relative to any such transaction.
            ``(B) Require that any such report take a particular form as directed in a request, regulation, or other guidance provided by the Secretary, which may be required before, during, or after any such transaction.
            ``(C) Through any agency, conduct investigations, hold hearings, administer oaths, examine witnesses, receive evidence, take depositions, and require by subpoena the attendance and testimony of witnesses and the production of any book, contract, letter, paper, and other hard copy or document relating to any matter under investigation, regardless of whether any such report has been required or filed.
    ``(b) Mitigation of Risk.--
        ``(1) In general.--If the Secretary finds under subsection (a) that a covered transaction poses an undue risk, the Secretary shall mitigate the undue risk as described in paragraph (2) or prohibit the transaction.
        ``(2) Mitigation of risk authority.--The Secretary may choose to mitigate any undue risk posed by a covered transaction reviewed under subsection (a). To mitigate the undue risk, the Secretary may do any of the following with regard to any party to the covered transaction:
            ``(A) Negotiate, enter into or impose, and enforce any agreement or condition.
            ``(B) Require adherence to certain cybersecurity standards and other mitigation requirements determined to be necessary by the Secretary.
            ``(C) Require the exclusion (in whole or in part) of certain components, including physical parts or hardware, software, digital services, and digital components, of any ICTS or any sub-component of ICTS from any such transaction.
            ``(D) Anything else the Secretary determines to be appropriate or necessary to mitigate the undue risk.
        ``(3) Prohibition of transaction.--If the Secretary determines that the undue risk posed by a covered transaction cannot be effectively mitigated for any reason, the Secretary--
            ``(A) may prohibit the covered transaction; and
            ``(B) if the Secretary prohibits the transaction, shall--
                ``(i) notify any party subject to the review of the covered transaction of the prohibition; and
                ``(ii) publish the prohibition in the Federal Register.

``SEC. 1785C. REGULATING COVERED TRANSACTIONS CONNECTED TO ENTITIES OR JURISDICTIONS OF CONCERN.

    ``(a) Authorization To Issue Rules for Certain Classes of Covered Transactions.--The Secretary may determine that, for certain classes of covered transactions, a review conducted under section 1785B may not effectively address undue risks and may promulgate, in accordance with section 553 of title 5, United States Code, regulations that do the following:
        ``(1) Identify particular covered transactions, entities of concern, or jurisdictions of concern that warrant particular scrutiny for undue risk.
        ``(2) Establish mitigation measures to address undue risk, to include prohibitions related to entities of concern or jurisdictions of concern or for classes of covered transactions.
        ``(3) Establish criteria by which particular covered transactions or particular classes of participants in the covered transaction supply chain may be recognized as categorically included in or as categorically excluded from mitigation measures or prohibitions.
        ``(4) Establish particular classes of covered transactions or parties to covered transactions that must abide by certain prohibitions or mitigation measures.
        ``(5) Establish procedures to authorize or license transactions otherwise prohibited pursuant to a regulation promulgated under this section.
        ``(6) Any other rule the Secretary determines to be appropriate.
    ``(b) Other Review by Secretary Permitted.--The promulgation of any regulation under subsection (a) does not preclude the Secretary from initiating a review of any covered transaction, including a covered transaction that belongs to an identified category under this section.

``SEC. 1785D. RISK ASSESSMENTS.

    ``(a) DNI Risk Assessments.--Not later than 180 days after the date of the enactment of this part, and annually thereafter, the Director of National Intelligence shall submit to the Secretary--
        ``(1) a risk assessment related to the threats posed by entities of concern or jurisdictions of concern to the United States by the supply chain of covered transactions that--
            ``(A) includes specific criteria to evaluate any risk to the national security of the United States; and
            ``(B) identifies any entities of concern, jurisdictions of concern, participants in such supply chain, and covered transactions or classes of covered transactions posing the highest risks to the national security of the United States; and
        ``(2) a risk assessment of the threats posed by the supply chains of covered transactions to the national security of the United States.
    ``(b) Submission of Risk Assessment.--
        ``(1) In general.--Not later than 90 days after the date on which the risk assessments required by subsection (a) are submitted to the Secretary, the Director of National Intelligence shall submit the risk assessments to the relevant committees of Congress in unclassified format.
        ``(2) Classified annex.--The risk assessments submitted under paragraph (1)--
            ``(A) may include a classified annex; and
            ``(B) shall include in the classified annex only the identification of specific participants in the supply chain of covered transactions that pose risk to the national security of the United States.

``SEC. 1785E. OTHER AUTHORITIES.

    ``(a) Regulations.--Any regulation the Secretary promulgated under Executive Order 13873 (50 U.S.C. 1701 note; relating to securing the information and communications technology and services supply chain) and Executive Order 14034 (50 U.S.C. 1701 note; relating to protecting Americans' sensitive data from foreign adversaries) before the date of the enactment of this part shall continue in effect on and after such date of enactment. In carrying out the requirements of this part, the Secretary may amend regulations or promulgate new regulations and procedures as the Secretary considers appropriate.
    ``(b) Guidance.--The Secretary may issue guidance and establish procedures to carry out this part.
    ``(c) Technical Advisory Committee.--
        ``(1) In general.--Not later than 180 days after the date of the enactment of this part, the Secretary shall establish an ICTS technical advisory committee to report to the Executive Director of the Office of Information and Communications Technology and Services.
        ``(2) Membership.--The ICTS advisory committee established under paragraph (1) shall include the following:
            ``(A) Industry academic experts on covered transaction supply chains.
            ``(B) Representatives of private sector companies, industry associations, and academia.
            ``(C) A designated Federal officer to administer the advisory committee and report to the Executive Director.
    ``(d) Confidentiality and Disclosure of Information.--Any information or document not otherwise publicly or commercially available that has been submitted to the Secretary under this part shall not be released publicly excepted to the extent required by Federal law.

``SEC. 1785F. ENFORCEMENT.

    ``(a) Investigations.--
        ``(1) In general.--The Secretary may conduct an investigation of any violation of an authorization, order, mitigation measure, regulation, or prohibition issued under this part.
        ``(2) Actions by designees.--In conducting an investigation described in paragraph (1), the Assistant Secretary of Commerce for Export Enforcement, or designated officers or employees of the Secretary may, to the extent necessary or appropriate to enforce this part, exercise such authority as is conferred upon them by any other Federal law, subject to policies and procedures approved by the Attorney General.
    ``(b) Permitted Activities.--An officer or employee authorized to conduct investigations under subsection (a) by the Secretary may do any of the following:
        ``(1) Inspect, search, detain, seize, or impose a temporary denial order with respect to any item, in any form, or conveyance on which it is believed that there are items that have been, are being, or are about to be imported into the United States in violation of this part or any other applicable Federal law.
        ``(2) Require, inspect, and obtain any book, record, and any other information from any person su