[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 2040 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
1st Session
S. 2040
To establish the Office of Information and Communications Technology
and Services within the Bureau of Industry and Security of the
Department of Commerce, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 11, 2025
Ms. Slotkin introduced the following bill; which was read twice and
referred to the Committee on Banking, Housing, and Urban Affairs
_______________________________________________________________________
A BILL
To establish the Office of Information and Communications Technology
and Services within the Bureau of Industry and Security of the
Department of Commerce, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Connected Vehicle National Security
Review Act''.
SEC. 2. OFFICE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY AND
SERVICES.
(a) In General.--The Export Control Reform Act of 2018 (50 U.S.C.
4801 et seq.) is amended by adding at the end the following:
``PART IV--OFFICE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY AND
SERVICES
``SEC. 1785. DEFINITIONS.
``In this part:
``(1) Agency.--The term `agency' has the meaning given that
term in section 551 of title 5, United States Code.
``(2) Commerce control list.--The term `Commerce Control
List' means the Commerce Control List set forth in Supplement
No. 1 to part 774 of the Export Administration Regulations.
``(3) Connected vehicle.--
``(A) In general.--Except as provided by
subparagraph (B), the term `connected vehicle' means a
vehicle driven or drawn by mechanical power and
manufactured primarily for use on public streets,
roads, and highways, that integrates onboard networked
hardware with automotive software systems to
communicate via dedicated short-range communication,
cellular telecommunications connectivity, satellite
communication, or other wireless spectrum connectivity
with any other network or device.
``(B) Exclusions.--The term `connected vehicle'
does not include a vehicle operated only on a rail
line.
``(4) Covered transaction.--The term `covered transaction'
means a transaction that--
``(A) is conducted by any person subject to the
jurisdiction of the United States or involves property
subject to the jurisdiction of the United States;
``(B) involves--
``(i) ICTS (as the term is defined by
Executive Order 13873) that is--
``(I) designed, developed,
manufactured, or supplied by persons
owned by, controlled by, or subject to
a jurisdiction or direction of a
jurisdiction of concern; and
``(II) used in a connected vehicle;
or
``(ii) an item on the Commerce Control List
that is used in a connected vehicle; and
``(C) is--
``(i) an ICTS transaction (as described in
section 791.1 of title 15, Code of Federal
Regulations (or any successor regulation)); or
``(ii) a transaction relating to the
export, reexport, or in-country transfer for an
item described in subparagraph (B)(ii).
``(5) Critical infrastructure.--The term `critical
infrastructure' means systems and assets, whether physical or
virtual, so vital to the United States that the incapacity or
destruction of such systems and assets would have a
debilitating impact on national security, national economic
security, national public health or safety, or any combination
of those matters.
``(6) Entity.--The term `entity' means any firm,
partnership, trust, joint venture, corporation, or other
association or organization.
``(7) Entity of concern.--The term `entity of concern'
means an entity owned or controlled by--
``(A) an entity listed on the Entity List set forth
in Supplement No. 4 to part 744 of the Export
Administration Regulation; or
``(B) a person subject to the jurisdiction of a
country that is under a comprehensive United States
arms embargo, as listed in Country Group D:5 in
Supplement No. 1 to part 740 of the Export
Administration Regulations.
``(8) Information and communications technology and
services; icts.--The terms `information and communications
technology and services' and `ICTS' have the meaning given the
term `information and communications technology or services' in
Executive Order 13873 (50 U.S.C. 1701 note; relating to
securing the information and communications technology and
services supply chain).
``(9) Jurisdiction of concern.--The term `jurisdiction of
concern' means any of the following:
``(A) The People's Republic of China.
``(B) The Russian Federation.
``(C) The Islamic Republic of Iran.
``(D) The Democratic People's Republic of Korea.
``(10) Relevant committees of congress.--The term `relevant
committees of Congress' means--
``(A) the Committee on Banking, Housing, and Urban
Affairs of the Senate; and
``(B) the Committee on Foreign Affairs of the House
of Representatives.
``(11) Undue risk.--The term `undue risk' means any of the
following:
``(A) The undue risk of sabotage to or subversion
of the design, integrity, manufacturing, production,
distribution, installation, operation, or maintenance
of ICTS in the United States.
``(B) The undue risk of catastrophic effects on the
security or resiliency of United States critical
infrastructure or the digital economy of the United
States.
``(C) The undue risk of an entity of concern
acquiring an item on the Commerce Control List.
``SEC. 1785A. OFFICE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY AND
SERVICES.
``(a) Establishment.--There is established within the Bureau of
Industry and Security of the Department of Commerce an Office of
Information and Communications Technology and Services (in this section
referred to as the `Office').
``(b) Executive Director.--The head of the Office shall be an
Executive Director, who shall--
``(1) be appointed by the Secretary; and
``(2) report to the Assistant Secretary appointed under
section 1782(a)(2).
``(c) Duties.--The Office shall--
``(1) identify and prevent through mitigation or
prohibition the undue risk posed by certain transactions; and
``(2) educate industry and other partners on relevant risks
and communicate decisions.
``(d) Special Hiring Authority.--The Executive Director may
appoint, without regard to the provisions of sections 3309 through 3318
of title 5, United States Code, candidates directly to positions in the
competitive service (as defined in section 2102 of that title).
``(e) Transition Rules.--
``(1) Continuation in office of the executive director.--An
individual serving as the Executive Director before the date of
the enactment of this part may serve as the Executive Director
on and after that date without the need for appointment under
subsection (b).
``(2) Reporting.--The Executive Director shall report to
the Under Secretary for Industry and Security until such time
as an Assistant Secretary is appointed, by and with the advice
and consent of the Senate, under section 1782(a)(2).
``SEC. 1785B. TRANSACTION REVIEW PROCESS.
``(a) In General.--The Secretary, acting through the Office of
Information and Communications Technology and Services, shall review
covered transactions according to the following procedures:
``(1) Review.--The Secretary may review any covered
transaction that the Secretary suspects poses an undue risk.
``(2) Investigative authority.--In reviewing a covered
transaction described in paragraph (1) the Secretary may do the
following:
``(A) Require any person subject to the
jurisdiction of the United States to furnish under
oath, in the form of a report or otherwise, at any time
as may be required by the Secretary, complete
information relative to any such transaction.
``(B) Require that any such report take a
particular form as directed in a request, regulation,
or other guidance provided by the Secretary, which may
be required before, during, or after any such
transaction.
``(C) Through any agency, conduct investigations,
hold hearings, administer oaths, examine witnesses,
receive evidence, take depositions, and require by
subpoena the attendance and testimony of witnesses and
the production of any book, contract, letter, paper,
and other hard copy or document relating to any matter
under investigation, regardless of whether any such
report has been required or filed.
``(b) Mitigation of Risk.--
``(1) In general.--If the Secretary finds under subsection
(a) that a covered transaction poses an undue risk, the
Secretary shall mitigate the undue risk as described in
paragraph (2) or prohibit the transaction.
``(2) Mitigation of risk authority.--The Secretary may
choose to mitigate any undue risk posed by a covered
transaction reviewed under subsection (a). To mitigate the
undue risk, the Secretary may do any of the following with
regard to any party to the covered transaction:
``(A) Negotiate, enter into or impose, and enforce
any agreement or condition.
``(B) Require adherence to certain cybersecurity
standards and other mitigation requirements determined
to be necessary by the Secretary.
``(C) Require the exclusion (in whole or in part)
of certain components, including physical parts or
hardware, software, digital services, and digital
components, of any ICTS or any sub-component of ICTS
from any such transaction.
``(D) Anything else the Secretary determines to be
appropriate or necessary to mitigate the undue risk.
``(3) Prohibition of transaction.--If the Secretary
determines that the undue risk posed by a covered transaction
cannot be effectively mitigated for any reason, the Secretary--
``(A) may prohibit the covered transaction; and
``(B) if the Secretary prohibits the transaction,
shall--
``(i) notify any party subject to the
review of the covered transaction of the
prohibition; and
``(ii) publish the prohibition in the
Federal Register.
``SEC. 1785C. REGULATING COVERED TRANSACTIONS CONNECTED TO ENTITIES OR
JURISDICTIONS OF CONCERN.
``(a) Authorization To Issue Rules for Certain Classes of Covered
Transactions.--The Secretary may determine that, for certain classes of
covered transactions, a review conducted under section 1785B may not
effectively address undue risks and may promulgate, in accordance with
section 553 of title 5, United States Code, regulations that do the
following:
``(1) Identify particular covered transactions, entities of
concern, or jurisdictions of concern that warrant particular
scrutiny for undue risk.
``(2) Establish mitigation measures to address undue risk,
to include prohibitions related to entities of concern or
jurisdictions of concern or for classes of covered
transactions.
``(3) Establish criteria by which particular covered
transactions or particular classes of participants in the
covered transaction supply chain may be recognized as
categorically included in or as categorically excluded from
mitigation measures or prohibitions.
``(4) Establish particular classes of covered transactions
or parties to covered transactions that must abide by certain
prohibitions or mitigation measures.
``(5) Establish procedures to authorize or license
transactions otherwise prohibited pursuant to a regulation
promulgated under this section.
``(6) Any other rule the Secretary determines to be
appropriate.
``(b) Other Review by Secretary Permitted.--The promulgation of any
regulation under subsection (a) does not preclude the Secretary from
initiating a review of any covered transaction, including a covered
transaction that belongs to an identified category under this section.
``SEC. 1785D. RISK ASSESSMENTS.
``(a) DNI Risk Assessments.--Not later than 180 days after the date
of the enactment of this part, and annually thereafter, the Director of
National Intelligence shall submit to the Secretary--
``(1) a risk assessment related to the threats posed by
entities of concern or jurisdictions of concern to the United
States by the supply chain of covered transactions that--
``(A) includes specific criteria to evaluate any
risk to the national security of the United States; and
``(B) identifies any entities of concern,
jurisdictions of concern, participants in such supply
chain, and covered transactions or classes of covered
transactions posing the highest risks to the national
security of the United States; and
``(2) a risk assessment of the threats posed by the supply
chains of covered transactions to the national security of the
United States.
``(b) Submission of Risk Assessment.--
``(1) In general.--Not later than 90 days after the date on
which the risk assessments required by subsection (a) are
submitted to the Secretary, the Director of National
Intelligence shall submit the risk assessments to the relevant
committees of Congress in unclassified format.
``(2) Classified annex.--The risk assessments submitted
under paragraph (1)--
``(A) may include a classified annex; and
``(B) shall include in the classified annex only
the identification of specific participants in the
supply chain of covered transactions that pose risk to
the national security of the United States.
``SEC. 1785E. OTHER AUTHORITIES.
``(a) Regulations.--Any regulation the Secretary promulgated under
Executive Order 13873 (50 U.S.C. 1701 note; relating to securing the
information and communications technology and services supply chain)
and Executive Order 14034 (50 U.S.C. 1701 note; relating to protecting
Americans' sensitive data from foreign adversaries) before the date of
the enactment of this part shall continue in effect on and after such
date of enactment. In carrying out the requirements of this part, the
Secretary may amend regulations or promulgate new regulations and
procedures as the Secretary considers appropriate.
``(b) Guidance.--The Secretary may issue guidance and establish
procedures to carry out this part.
``(c) Technical Advisory Committee.--
``(1) In general.--Not later than 180 days after the date
of the enactment of this part, the Secretary shall establish an
ICTS technical advisory committee to report to the Executive
Director of the Office of Information and Communications
Technology and Services.
``(2) Membership.--The ICTS advisory committee established
under paragraph (1) shall include the following:
``(A) Industry academic experts on covered
transaction supply chains.
``(B) Representatives of private sector companies,
industry associations, and academia.
``(C) A designated Federal officer to administer
the advisory committee and report to the Executive
Director.
``(d) Confidentiality and Disclosure of Information.--Any
information or document not otherwise publicly or commercially
available that has been submitted to the Secretary under this part
shall not be released publicly excepted to the extent required by
Federal law.
``SEC. 1785F. ENFORCEMENT.
``(a) Investigations.--
``(1) In general.--The Secretary may conduct an
investigation of any violation of an authorization, order,
mitigation measure, regulation, or prohibition issued under
this part.
``(2) Actions by designees.--In conducting an investigation
described in paragraph (1), the Assistant Secretary of Commerce
for Export Enforcement, or designated officers or employees of
the Secretary may, to the extent necessary or appropriate to
enforce this part, exercise such authority as is conferred upon
them by any other Federal law, subject to policies and
procedures approved by the Attorney General.
``(b) Permitted Activities.--An officer or employee authorized to
conduct investigations under subsection (a) by the Secretary may do any
of the following:
``(1) Inspect, search, detain, seize, or impose a temporary
denial order with respect to any item, in any form, or
conveyance on which it is believed that there are items that
have been, are being, or are about to be imported into the
United States in violation of this part or any other applicable
Federal law.
``(2) Require, inspect, and obtain any book, record, and
any other information from any person subject to the provisions
of this part or other applicable Federal law.
``(3) Administer an oath or affirmation and, by subpoena,
require any person to appear and testify or to appear and
produce books, records, and other writings.
``(4) Obtain a court order and issue legal process to the
extent authorized under chapters 119, 121, and 206 of title 18,
United States Code, or any other applicable Federal law.
``(c) Enforcement of Subpoenas.--In the case of contumacy by, or
refusal to obey a subpoena issued to, any person under subsection
(b)(3), a district court of the United States, after notice to such
person and a hearing, shall have jurisdiction to issue an order
requiring such person to appear and give testimony or to appear and
produce books, records, and other writings, regardless of format, that
are the subject of the subpoena. Any failure to obey such order of the
court may be punished by such court as a contempt thereof.
``(d) Actions by the Attorney General.--The Attorney General may
bring an action in an appropriate district court of the United States
for appropriate relief, including declaratory and injunctive, or
divestment relief, against any person who violates this part or any
regulation, order, direction, mitigation measure, prohibition, or other
authorization or directive issued under this part.
``SEC. 1785G. JUDICIAL REVIEW.
``(a) Right of Action.--A claim or petition challenging this part
or any action, finding, or determination under this part may be filed
only in the United States Court of Appeals for the District of Columbia
Circuit.
``(b) Exclusive Jurisdiction.--The United States Court of Appeals
for the District of Columbia Circuit shall have exclusive jurisdiction
over claims or petitions arising under this part against the United
States, any agency, or any component or official of an agency, subject
to review by the Supreme Court of the United States under section 1254
of title 28, United States Code.
``(c) In Camera and Ex Parte Review.--The following information may
be included in the administrative record and shall be submitted to the
court only ex parte and in camera:
``(1) Sensitive security information, as defined in section
1520.5 of title 49, Code of Federal Regulations.
``(2) Records or information compiled for law enforcement
purposes, as described in section 552(b)(7) of title 5, United
States Code.
``(3) Classified information, meaning any information or
material that has been determined by the United States
Government pursuant to an Executive order, statute, or
regulation, to require protection against unauthorized
disclosure for reasons of national security and any restricted
data, as defined in section 11 of the Atomic Energy Act of 1954
(42 U.S.C. 2014).
``(4) Information subject to privilege or protections under
any other provision of law, including subchapter II of chapter
53 of title 31, United States Code.
``(d) Information Under Seal.--Any information that is part of the
administrative record filed ex parte and in camera under subsection
(c), or cited by the court in any decision, shall be treated by the
court consistent with the provisions of this section. In no event shall
such information be released to the claimant or petitioner or as part
of the public record.
``(e) Return of Administrative Record.--After the expiration of the
time to seek further review, or the conclusion of further proceedings,
the court shall return the administrative record, including any and all
copies, to the United States.
``(f) Exclusive Remedy.--A determination by the court under this
section shall be the exclusive judicial remedy for any claim or
petition for review challenging this part or any action, finding, or
determination under this part against the United States, any agency, or
any component or official of any such agency.
``(g) Rule of Construction.--Nothing in this section shall be
construed as limiting, superseding, or preventing the invocation of,
any privileges or defenses that are otherwise available at law or in
equity to protect against the disclosure of information.
``(h) Statute of Limitations.--A challenge to any determination
under this part may only be brought not later than 180 days after the
date of such a determination.
``SEC. 1785H. PENALTIES.
``(a) Unlawful Acts.--It shall be unlawful for a person to violate,
attempt to violate, conspire to violate, or cause a violation of any
regulation, order, direction, prohibition, or other authorization or
directive issued under this part.
``(b) Criminal Penalties.--A person who willfully commits,
willfully attempts to commit, or willfully conspires to commit, or aids
and abets in the commission of a violation of subsection (a) shall be
fined not more than $1,000,000 for each violation, imprisoned for not
more than 20 years, or both.
``(c) Civil Penalties.--
``(1) In general.--The Secretary may impose the following
civil penalties on a person for each violation by that person
of a rule promulgated under this section:
``(A) A monetary penalty that is the greater of--
``(i) $250,000; or
``(ii) an amount that is twice the value of
the action that is the basis of the violation
with respect to which the penalty is imposed.
``(B) Revocation of any mitigation measure or
authorization issued under this part to the person.
``(C) A prohibition or other restriction on the
ability of the person to engage in any covered
transaction or class of such transactions.
``(2) Procedures.--Any civil penalty imposed under
paragraph (1) may be imposed only pursuant to a rule
promulgated under this section.
``(3) Standards for levels of civil penalty.--The Secretary
may, by rule, provide standards for establishing levels of
civil penalty under paragraph (1) based upon factors,
including--
``(A) the seriousness of the violation;
``(B) the culpability of the violator, including
any pattern of reckless behavior; and
``(C) any mitigating factors, such as the record of
cooperation of the violator with the Federal Government
in disclosing the violation.
``(d) Pre-Penalty Notices; Settlements.--
``(1) Pre-penalty notices.--
``(A) In general.--If the Secretary has reason to
believe that there has occurred a violation of
subsection (a) and determines that a civil monetary
penalty under subsection (c)(1)(A) is warranted, the
Secretary shall issue a pre-penalty notice informing
the alleged violator of the intent of the Secretary to
impose a monetary penalty. The Secretary shall consider
any voluntary disclosures of a violation before issuing
such notice.
``(B) Form of notice.--A pre-penalty notice issued
under subparagraph (A) shall be in writing and issued
either electronically or by mail to the alleged
violator.
``(C) Effects of actions of other agencies.--A pre-
penalty notice may be issued under subparagraph (A)
whether or not an agency other than the Department of
Commerce has taken any action with respect to the
matter.
``(2) Responses.--
``(A) Right to respond.--An alleged violator may
respond to a pre-penalty notice issued under paragraph
(1)(A) in writing to the Secretary.
``(B) Deadline for response.--
``(i) In general.--An alleged violator
shall respond to a pre-penalty notice issued
under paragraph (1)(A), except as provided by
clause (ii), on or before the 30th day after
the date of the issuance of the notice. Failure
to submit a response during the time required
by the previous sentence shall be deemed to be
a waiver of the right to respond.
``(ii) Extensions of deadline.--If the
deadline under clause (i) for a response to a
pre-penalty notice falls on a Federal holiday
or weekend, that deadline shall be extended to
the following business day. Any other
extensions of the deadline shall be granted, at
the discretion of the Secretary, only upon
specific request to the Secretary.
``(C) Form and method.--A response under
subparagraph (A) to a pre-penalty notice need not be in
any particular form, but it is required to be
typewritten and signed by the alleged violator or a
representative thereof, contain information sufficient
to indicate that it is in response to the pre-penalty
notice, and include the identification number listed on
the pre-penalty notice. A digital signature is
acceptable.
``(D) Content.--Any response under subparagraph (A)
to a pre-penalty notice is required--
``(i) to set forth in detail why the
alleged violator either believes that a
violation of subsection (a) did not occur or
why a civil monetary penalty under subsection
(c)(1)(A) is otherwise unwarranted under the
circumstances; and
``(ii) to include all documentary or other
evidence available to the alleged violator that
supports the arguments set forth in the
response.
``(3) Representation.--A representative of the alleged
violator may act on behalf of the alleged violator, but any
oral communication with the Secretary prior to a written
submission regarding the specific allegations contained in the
pre-penalty notice is required to be preceded by a written
letter of representation, unless the pre-penalty notice was
served upon the alleged violator in care of the representative.
``(4) Settlement.--Settlement discussions may be initiated
by the Secretary, the alleged violator, or the alleged
violator's authorized representative.
``(e) Penalty Imposition.--
``(1) In general.--If, after considering any written
response to a pre-penalty notice under subsection (d)(2) and
any relevant facts, including voluntary disclosure of a
violation of subsection (a), the Secretary determines that
there was a violation by the alleged violator named in the pre-
penalty notice and that a civil monetary penalty under
subsection (c)(1)(A) is appropriate, the Secretary may issue a
penalty notice to the violator containing a determination of
the violation and the imposition of the monetary penalty.
``(2) Final agency action.--The issuance of the penalty
notice shall constitute final agency action for purposes of
review under section 704 of title 5, United States Code.
``(3) Judicial review.--The violator may seek judicial
review of that final agency action under section 1785G.
``SEC. 1785I. RELATIONSHIP TO OTHER LAWS.
``(a) Rule of Construction Relating to Other Law.--Nothing in this
part shall be construed to alter or affect any other authority,
process, regulation, investigation, enforcement measure, or review
provided by or established under any other provision of Federal law.
``(b) Paperwork Reduction Act Exception.--The requirements of
chapter 35 of title 44, United States Code (commonly referred to as the
`Paperwork Reduction Act'), shall not apply to any action by the
Secretary to implement this part.
``(c) Committee on Foreign Investment in the United States.--
Nothing in this part shall prevent or preclude the President or the
Committee on Foreign Investment in the United States from exercising
any authority under section 721 of the Defense Production Act of 1950
(50 U.S.C. 4565 et seq.) as would be available in the absence of this
part.
``(d) Rule of Construction for the OICTS.--Nothing in this part may
be construed as altering any of the authority of the Office of
Information and Communications Technology and Services under Executive
Order 13873 (50 U.S.C. 1701 note; relating to securing the information
and communications technology and services supply chain) and Executive
Order 14034 (50 U.S.C. 1701 note; relating to protecting Americans'
sensitive data from foreign adversaries).''.
(b) Conforming Amendments to Export Control Reform Act of 2018.--
(1) Definition of united states person.--Section
1742(13)(A) of the Export Control Reform Act of 2018 (50 U.S.C.
4801(13)(1)) is amended, in the matter preceding clause (i), by
striking ``part I'' and inserting ``parts I and IV''.
(2) Annual report.--Section 1765(a) of the Export Control
Reform Act of 2018 (50 U.S.C. 4824(a)) is amended--
(A) in the matter preceding paragraph (1), by
inserting ``and part IV'' after ``this part'';
(B) in paragraph (8), by striking ``; and'' and
inserting a semicolon;
(C) in paragraph (9), by striking the period and
inserting ``; and''; and
(D) by adding at the end the following:
``(10) a summary of how authorities under part IV are being
used to ensure that entities of concern (as defined in section
1785) cannot undercut United States export controls by
acquiring sensitive technology within the United States.''.
(3) Assistant secretaries of commerce.--Section 1782(a) of
the Export Control Reform Act of 2018 (50 U.S.C. 4852(a)) is
amended--
(A) by striking ``Senate, two'' and inserting the
following: ``Senate--
``(1) two'';
(B) by striking the period at the end and inserting
``; and''; and
(C) by adding at the end the following:
``(2) one Assistant Secretary of Commerce to assist the
Under Secretary in carrying out part IV.''.
<all>