[House Document 117-44]
[From the U.S. Government Publishing Office]
117th Congress, 1st Session - - - - - - - - - - - - - House Document 117-44
PROTECTING AMERICANS' SENSITIVE DATA FROM FOREIGN ADVERSARIES
__________
COMMUNICATION
from
THE PRESIDENT OF THE UNITED STATES
transmitting
AN EXECUTIVE ORDER THAT ELABORATES UPON THE NATIONAL EMERGENCY DECLARED
IN EXECUTIVE ORDER 13873 OF MAY 15, 2019, PURSUANT TO 50 U.S.C.
1703(b); PUBLIC LAW 95-223, SEC. 204(b); (91 STAT. 1627) AND 50 U.S.C.
1641(b); PUBLIC LAW 94-412, SEC. 401(b); (90 STAT. 1257)
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
June 11, 2021.--Referred to the Committee on Appropriations and ordered
to be printed
________
U.S. GOVERNMENT PUBLISHING OFFICE
19-011 WASHINGTON : 2021
The White House,
Washington, June 9, 2021.
Hon. Nancy Pelosi,
Speaker of the House of Representatives,
Washington, DC.
Dear Madam Speaker: Pursuant to the International Emergency
Economic Powers Act (50 U.S.C. 1701 et seq.), I hereby report
that I have issued an Executive Order addressing the threat
from certain connected software applications designed,
developed, manufactured, or supplied by persons owned by,
controlled by, or subject to the jurisdiction or direction of a
foreign adversary, to include the People's Republic of China,
among others.
I have determined that additional consideration must be
given in addressing the national emergency declared in
Executive Order 13873 of May 15, 2019 (Securing the Information
and Communications Technology and Services Supply Chain),
including the threat posed by certain connected software
applications designed, developed, manufactured, or supplied by
persons owned by, controlled by, or subject to the jurisdiction
or direction of a foreign adversary.
I am enclosing a copy of the Executive Order I have issued.
Sincerely,
Joseph R. Biden, Jr.
Executive Order
----------
Protecting Americans' Sensitive Data From Foreign Adversaries
By the authority vested in me as President by the
Constitution and the laws of the United States of America,
including the International Emergency Economic Powers Act (50
U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50
U.S.C. 1601 et seq.), and section 301 of title 3, United States
Code,
I, JOSEPH R. BIDEN JR., President of the United States of
America, find that it is appropriate to elaborate upon measures
to address the national emergency with respect to the
information and communications technology and services supply
chain that was declared in Executive Order 13873 of May 15,
2019 (Securing the Information and Communications Technology
and Services Supply Chain). Specifically, the increased use in
the United States of certain connected software applications
designed, developed, manufactured, or supplied by persons owned
or controlled by, or subject to the jurisdiction or direction
of, a foreign adversary, which the Secretary of Commerce acting
pursuant to Executive Order 13873 has defined to include the
People's Republic of China, among others, continues to threaten
the national security, foreign policy, and economy of the
United States. The Federal Government should evaluate these
threats through rigorous, evidence-based analysis and should
address any unacceptable or undue risks consistent with overall
national security, foreign policy, and economic objectives,
including the preservation and demonstration of America's core
values and fundamental freedoms.
By operating on United States information and
communications technology devices, including personal
electronic devices such as smartphones, tablets, and computers,
connected software applications can access and capture vast
swaths of information from users, including United States
persons' personal information and proprietary business
information. This data collection threatens to provide foreign
adversaries with access to that information. Foreign adversary
access to large repositories of United States persons' data
also presents a significant risk.
In evaluating the risks of a connected software
application, several factors should be considered. Consistent
with the criteria established in Executive Order 13873, and in
addition to the criteria set forth in implementing regulations,
potential indicators of risk relating to connected software
applications include: ownership, control, or management by
persons that support a foreign adversary's military,
intelligence, or proliferation activities; use of the connected
software application to conduct surveillance that enables
espionage, including through a foreign adversary's access to
sensitive or confidential government or business information,
or sensitive personal data; ownership, control, or management
of connected software applications by persons subject to
coercion or cooption by a foreign adversary; ownership,
control, or management of connected software applications by
persons involved in malicious cyber activities; a lack of
thorough and reliable third-party auditing of connected
software applications; the scope and sensitivity of the data
collected; the number and sensitivity of the users of the
connected software application; and the extent to which
identified risks have been or can be addressed by independently
verifiable measures.
The ongoing emergency declared in Executive Order 13873
arises from a variety of factors, including the continuing
effort of foreign adversaries to steal or otherwise obtain
United States persons' data. That continuing effort by foreign
adversaries constitutes an unusual and extraordinary threat to
the national security, foreign policy, and economy of the
United States. To address this threat, the United States must
act to protect against the risks associated with connected
software applications that are designed, developed,
manufactured, or supplied by persons owned or controlled by, or
subject to the jurisdiction or direction of, a foreign
adversary.
Additionally, the United States seeks to promote
accountability for persons who engage in serious human rights
abuse. If persons who own, control, or manage connected
software applications engage in serious human rights abuse or
otherwise facilitate such abuse, the United States may impose
consequences on those persons in action separate from this
order.
Accordingly, it is hereby ordered that:
Section 1. Revocation of Presidential Actions. The
following orders are revoked: Executive Order 13942 of August
6, 2020 (Addressing the Threat Posed by TikTok, and Taking
Additional Steps To Address the National Emergency With Respect
to the Information and Communications Technology and Services
Supply Chain); Executive Order 13943 of August 6, 2020
(Addressing the Threat Posed by WeChat, and Taking Additional
Steps To Address the National Emergency With Respect to the
Information and Communications Technology and Services Supply
Chain); and Executive Order 13971 of January 5, 2021
(Addressing the Threat Posed by Applications and Other Software
Developed or Controlled by Chinese Companies).
Sec. 2. Implementation. (a) The Director of the Office of
Management and Budget and the heads of executive departments
and agencies (agencies) shall promptly take steps to rescind
any orders, rules, regulations, guidelines, or policies, or
portions thereof, implementing or enforcing Executive Orders
13942, 13943, or 13971, as appropriate and consistent with
applicable law, including the Administrative Procedure Act, 5
U.S.C. 551 et seq. In addition, any personnel positions,
committees, task forces, or other entities established pursuant
to Executive Orders 13942, 13943, or 13971 shall be abolished,
as appropriate and consistent with applicable law.
(b) Not later than 120 days after the date of this order,
the Secretary of Commerce, in consultation with the Secretary
of State, the Secretary of Defense, the Attorney General, the
Secretary of Health and Human Services, the Secretary of
Homeland Security, the Director of National Intelligence, and
the heads of other agencies as the Secretary of Commerce deems
appropriate, shall provide a report to the Assistant to the
President and National Security Advisor with recommendations to
protect against harm from the unrestricted sale of, transfer
of, or access to United States persons' sensitive data,
including personally identifiable information, personal health
information, and genetic information, and harm from access to
large data repositories by persons owned or controlled by, or
subject to the jurisdiction or direction of, a foreign
adversary. Not later than 60 days after the date of this order,
the Director of National Intelligence shall provide threat
assessments, and the Secretary of Homeland Security shall
provide vulnerability assessments, to the Secretary of Commerce
to support development of the report required by this
subsection.
(c) Not later than 180 days after the date of this order,
the Secretary of Commerce, in consultation with the Secretary
of State, the Secretary of Defense, the Attorney General, the
Secretary of Homeland Security, the Director of the Office of
Management and Budget, and the heads of other agencies as the
Secretary of Commerce deems appropriate, shall provide a report
to the Assistant to the President and National Security Advisor
recommending additional executive and legislative actions to
address the risk associated with connected software
applications that are designed, developed, manufactured, or
supplied by persons owned or controlled by, or subject to the
jurisdiction or direction of, a foreign adversary.
(d) The Secretary of Commerce shall evaluate on a
continuing basis transactions involving connected software
applications that may pose an undue risk of sabotage or
subversion of the design, integrity, manufacturing, production,
distribution, installation, operation, or maintenance of
information and communications technology or services in the
United States; pose an undue risk of catastrophic effects on
the security or resiliency of the critical infrastructure or
digital economy of the United States; or otherwise pose an
unacceptable risk to the national security of the United States
or the security and safety of United States persons. Based on
the evaluation, the Secretary of Commerce shall take
appropriate action in accordance with Executive Order 13873 and
its implementing regulations.
Sec. 3. Definitions. For purposes of this order:
(a) the term ``connected software application'' means
software, a software program, or a group of software programs,
that is designed to be used on an end-point computing device
and includes as an integral functionality, the ability to
collect, process, or transmit data via the Internet;
(b) the term ``foreign adversary'' means any foreign
government or foreign non-government person engaged in a
longterm pattern or serious instances of conduct significantly
adverse to the national security of the United States or
security and safety of United States persons;
(c) the term ``information and communications technology or
services'' means any hardware, software, or other product or
service primarily intended to fulfill or enable the function of
information or data processing, storage, retrieval, or
communication by electronic means, including transmission,
storage, and display;
(d) the term ``person'' means an individual or entity; and
(e) the term ``United States person'' means any United
States citizen, lawful permanent resident, entity organized
under the laws of the United States or any jurisdiction within
the United States (including foreign branches), or any person
in the United States.
Sec. 4. General Provisions. (a) Nothing in this order shall
be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department
or agency, or the head thereof; or
(ii) the functions of the Director of the Office of
Management and Budget relating to budgetary, administrative, or
legislative proposals.
(b) This order shall be implemented consistent with
applicable law and subject to the availability of
appropriations.
(c) This order is not intended to, and does not, create any
right or benefit, substantive or procedural, enforceable at law
or in equity by any party against the United States, its
departments, agencies, or entities, its officers, employees, or
agents, or any other person.
Joseph R. Biden, Jr.
The White House, June 9, 2021.
[all]