On January 3, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published an Advance Notice of Proposed Rulemaking (ANPRM) on the national security risks posed by foreign adversary involvement in the supply chain for unmanned aerial systems (UAS) (i.e., drones), including risks to critical infrastructure and U.S. sensitive data. BIS seeks public input to inform regulations on the supply of certain UAS components developed by entities linked to the People’s Republic of China (China) and Russia.
The full text of the UAS ANPRM is available here.1 BIS is seeking comments from interested parties until March 4, 2025. We offer high-level takeaways below.
1. BIS is contemplating a broad set of regulations that would apply across the UAS supply chain, particularly aimed at UAS data collection and connectivity capabilities.
The UAS ANPRM indicates that BIS will take a broad approach in drafting regulations to secure the information and communications technology and services (ICTS) supply chain for drones by regulating not only unmanned aerial vehicles (UAVs) but also other system elements, such as the ground control stations, communication links, and other associated components necessary for operation (collectively, unmanned aerial systems or UAS). BIS explicitly stated its intent to develop a rule that captures the full scope of aircraft systems that pose national security risks and seeks public comment on its proposed definition of UAS.2
The UAS ANPRM also indicates that BIS intends for any proposed regulations to apply to a broad set of actors across the UAS supply chain, including
• UAS companies — manufacturers or distributors of a finished UAS product
• UAS original equipment manufacturers (OEMs) — producers of the UAS components, including tier 1, tier 2, and tier 3 suppliers
• UAS service providers — entities responsible for desktop and mobile applications supporting UAS3
With respect to the ICTS components that will be subject to regulation, BIS appears to be targeting components that support the two capabilities that BIS believes pose the greatest national security threats — data collection and connectivity (including remote access and control). BIS therefore seeks industry feedback on the ICTS components integral to these functions most vulnerable to compromise by foreign adversaries.4
2. The framework of regulations on the ICTS supply chain for UAS may resemble forthcoming regulations on the ICTS supply chain for connected vehicles (CVs).
In September 2024, BIS proposed to ban certain ICTS transactions for CVs involving hardware and software linked to China and Russia (CV NPRM).5 BIS is expected to publish a final rule in the coming weeks. Sidley’s coverage of the CV NPRM is available here. The full text published in the Federal Register is available here.
Like the CV NPRM, BIS is targeting transactions involving ICTS components for UAS linked to China and Russia. In the UAS ANPRM, BIS notes that the governments of both China and Russia can compel companies under their jurisdiction to cooperate with government investigations, including by granting access to sensitive data on U.S. persons or critical infrastructure. BIS also states that entities linked to China and Russia may compromise ICTS components for UAS by introducing back doors or other malicious functionalities during the manufacturing process.
The framework of the UAS ANPRM is also quite similar to the advance notice that BIS published ahead of the CV NPRM.6 We therefore expect that BIS may develop a similar regulatory structure when issuing a proposed rule on ICTS components for UAS. That is, BIS may prohibit certain ICTS transactions involving UAS components linked to China and Russia and impose detailed requirements for subject parties to certify compliance when importing and/or selling certain UAS components in the United States.
Some key similarities:
• Refinements to products and services scope — BIS asked interested parties to comment on the specific ICTS components of UAS that pose the greatest threats to U.S. national security, including and in addition to the wide range of products and services identified in the UAS ANPRM.7 As it did in the CV NPRM, BIS could narrow the scope of ICTS products and services that will be subject to restrictions in response to industry feedback.
• “Linked to” a foreign adversary — BIS is likely to identify ICTS components linked to a foreign adversary using the same definition as under the CV NPRM. There, BIS identified ICTS hardware and software “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” as posing risks to national security. BIS interpreted this language to cover ICTS components designed, developed, or supplied in whole or in part by an entity with certain ownership, control, or other linkages to a foreign adversary.8 BIS used the same language in the UAS ANPRM,9 and we would therefore expect BIS to adopt the same interpretation in any future rule. In such case, restrictions would likely present significant challenges for UAS companies, OEMs, and service providers with development teams in China or Russia (or any other foreign adversary targeted under a new rule).
• Mitigation measures and compliance procedures — When developing the CV NPRM, BIS asked the public to comment on processes and mechanisms that BIS could implement to authorize otherwise prohibited transactions.10 BIS did the same here, suggesting that BIS might likewise propose a framework through which UAS companies, OEMs, and service providers will certify compliance as a condition of importing and/or selling UAS products in the United States.11 Such a framework could impose significant compliance obligations, including due diligence and recordkeeping requirements
• Temporary authorizations — BIS expressed a desire to avoid supply chain disruptions or unintended consequences contrary to U.S. national security interests. BIS might therefore propose a temporary authorization or, as it did in the CV NPRM, a delayed implementation date for proposed restrictions on UAS products.12
3. OICTS continues to be active, and we should expect more in 2025.
The UAS ANPRM kicks off 2025 following a busy year in which BIS’s OICTS issued its first final determination under the ICTS regulations and published several proposed rules. The UAS ANPRM also reflects increased attention on ICTS issues throughout the U.S. government that may increase in the coming year. In fact, the UAS ANPRM responds to a bipartisan congressional inquiry from June 2024 calling on Commerce to investigate the national security risks posed by Chinese-made drones pursuant to its authority under Executive Order (EO) 13873. The inquiry requested that OICTS expand the definition of CVs in its forthcoming final rule to include UAVs in light of the similar national security risks posed by connected software and hardware for drones or, alternatively, take up a separate investigation into the risks posed by Chinese-made drones. The UAS ANPRM published last week indicates that BIS will not incorporate drones into its final rule on CVs. Instead, BIS appears inclined to draft regulations more tailored to drones and the specific ICTS components integral to those UAS capabilities that pose the greatest national security risks. BIS is also expanding on the call to regulate UAVs by targeting UAS more broadly, as noted above.
We expect further developments with respect to both the UAS ANPRM and CV NPRM in 2025 as well as the results of ongoing OICTS investigations into entities involved in specific ICTS transactions that pose undue risks to U.S. national security. Last week, Liz Cannon, Executive Director of OICTS, announced that the office expects to publish final determinations in connection with several investigations in the coming year. To date, OICTS has published only one final determination, in which it banned Kaspersky Lab Inc., the U.S. subsidiary of a Russia-based antivirus software and cybersecurity company (and its affiliates, subsidiaries, and parent companies), from directly or indirectly providing its products or services in the United States or to U.S. persons. Sidley’s update on this determination is available here.
OICTS investigations adhere to procedures set forth in the ICTS provisions of the Export Administration Regulations, which were updated in a final rule published December 6, 2024, and effective February 4, 2025.13 The final rule formalized OICTS’s authorities under EO 13873, clarified the scope of the agency’s focus on ICTS transactions, and revised procedures for its investigations into specific ICTS transactions.
1Securing the Information and Communications Technology and Services Supply Chain: Unmanned Aircraft Systems, 90 Fed. Reg. 271 (January 3, 2025), available here.
2UAS ANPRM at 273-74.
3UAS ANPRM at 276.
4BIS has preliminarily identified the following products and services: (1) onboard computers responsible for processing data and controlling UAV flight; (2) communications systems including, but not limited to, flight controllers, transceiver/receiver equipment, proximity links such as Global Navigation Satellite Systems sensors, and flight termination equipment; (3) flight control systems responsible for takeoff, landing, and navigation, including, but not limited to, exteroceptive and proprioceptive sensors; (4) ground control stations or systems including, but not limited to, handheld flight controllers; (5) operating software including, but not limited to, network management software; (6) mission planning software; (7) intelligent battery power systems; (8) local and external data storage devices and services; and (9) artificial intelligence software or applications. UAS ANPRM at 273.
5Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 89 Fed. Reg. 79088 (September 26, 2024), available here.
6Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 89 Fed. Reg. 15066 (March 1, 2024), available here (CV ANPRM).
7UAS ANPRM at 273.
8CV NPRM at 79017.
9UAS ANPRM at 272-75.
10CV ANPRM at 15071-72.
11UAS ANPRM at 279.
12CV NPRM at 79120.
13Securing the Information and Communications Technology and Services Supply Chain, 89 Fed. Reg. 96872 (December 6, 2024), available here.
