Tag: national security

BIOSECURE Act: Anticipated Movement, Key Provisions, and Likely Impact

Last night, the House of Representatives passed the BIOSECURE Act (BIOSECURE or the Act) by a bipartisan vote of 306 to 81.

The BIOSECURE Act prohibits federal agencies from procuring or obtaining any biotechnology equipment or service produced or provided by a biotechnology company of concern. Subject to some exceptions, it also prohibits federal agencies from contracting with a company that uses equipment or services produced or provided by a biotechnology company of concern. Further, the Act prohibits recipients of a loan or grant from a federal agency from using federal funds to purchase equipment or services from a biotechnology company of concern.

The Senate version of BIOSECURE, sponsored by Sens. Gary Peters (D-MI) and Bill Hagerty (R-TN), was voted out of the Senate Committee on Homeland Security and Governmental affairs with bipartisan support in March 2024. Given its passage in the House last night, the BIOSECURE Act is likely to be signed into law by the end of the year. The House version of BIOSECURE is likely to be the version that becomes law. President Biden is unlikely to veto the Act given its bipartisan support, his previous executive actions to support domestic biotechnology development, and his Administration’s approach towards competition with China.

The Act defines “biotechnology company of concern” as any entity that:

  • is subject to the jurisdiction, direction, control, or operates on behalf of the government of a foreign adversary (defined as China, Cuba, Iran, North Korea, and Russia);
  • is involved in the manufacturing, distribution, provision, or procurement of a biotechnology equipment or service; and
  • poses a risk to U.S. national security based on:
    • engaging in joint research with, being supported by, or being affiliated with a foreign adversary’s military, internal security forces, or intelligence agencies;
    • providing multiomic data obtained via biotechnology equipment or services to the government of a foreign adversary; or
    • obtaining human multiomic data via the biotechnology equipment or services without express and informed consent.

Somewhat unusually, the Act names specific Chinese companies as automatically qualifying as “biotechnology companies of concern”:

  • BGI (formerly known as the Beijing Genomics Institute);
  • MGI;
  • Complete Genomics;
  • WuXi AppTec; and
  • WuXi Biologics.

Both categories include any subsidiary, parent, affiliate, or successor entities of biotechnology companies of concern.

The Act also has very broad definitions of “biotechnology equipment or service.” The definition of equipment encompasses any machine, device, or subcomponent, including software that is “designed for use in the research, development, production, or analysis of biological materials.” The definition of services is similarly broad.

The BIOSECURE Act also requires the Office of Management and Budget (OMB) to publish a list of additional biotechnology companies of concern. The list is prepared by the Secretary of Defense in coordination with the Secretaries of the Departments of Health and Human Services, Justice, Commerce, Homeland Security, and State, as well as the Director of National Intelligence and National Cyber Director. This list of companies must be published by OMB within one year of BIOSECURE’s enactment and reviewed annually by OMB in consultation with the other Departments.

Guidance and Regulatory Authorities

OMB is also tasked with developing guidance and has 120 days from enactment of the statute to do so for the named companies. For the list of biotechnology companies of concern, OMB’s guidance must be established within 180 days after the development of the list.

Beyond OMB, the Act requires the Federal Acquisition Regulatory Council to revise the Federal Acquisition Regulation (FAR) to incorporate its prohibitions. The FAR regulations must be issued within one year of when OMB establishes its guidance.

For named companies the Act’s prohibitions are effective 60 days after the issuance of the FAR regulations. For companies placed on the biotechnology company of concern list, the effective date for the Act’s prohibitions is 80 days after the issuance of FAR regulations.

Impact on Existing Business Relationships

In response to stakeholder concerns about disrupting existing commercial relationships and triggering delays in drug development, the House version of the BIOSECURE Act provides a five-year unwinding period for contracts and agreements entered into before the Act’s effective dates. Contracts entered into after the Act’s effective dates do not qualify for the five year unwinding period.

Process for Designating Companies

BIOSECURE specifies the process for designating a biotechnology company of concern. Critically, the Act does not require OMB to notify a company prior to the Department of Defense making the designation. Rather, a company will receive notice that it is being designated and placed on the biotechnology company of concern list. Moreover, the criteria for listing will only be provided “to the extent consistent with national security and law enforcement interests.” Thus, companies may face a circumstance where they are not provided the evidence supporting their designation.

Once a company receives the notice, it will have 90 days to submit information and arguments opposing the listing. The Act does not require a hearing or any formal administrative process. If practicable, the notice may also include steps the company could take to avoid being listed, but it is not required.

Safe Harbor, Waivers and Exceptions

The Act only has one safe harbor for biotechnology equipment or services that were formerly but no longer provided or produced by a biotechnology company of concern. This safe harbor seems intended to allow a biotechnology company of concern to sell their ownership of a product or service to another company without prohibitions applying to the new owner.

Agency heads may waive the Act’s prohibitions on a case-by-case basis, but only with the approval of OMB acting “in coordination with the Secretary of Defense.” Waivers must be reported to Congress within 30 days of being granted. The waiver may last for up to a year with an additional “one time” extension of 180 days allowed if an agency head determines it is “in the national security interests of the United States.” The 180-day extension must be approved by OMB and the agency head must notify and submit a justification to Congress within 10 days of the waiver being granted.

The Act has only two exceptions. First, its prohibitions do not apply to intelligence activities. Second, the prohibitions do not apply to health care services provided to federal employees, members of the armed services, and government contractors who are stationed in a foreign country or on official foreign travel.

Impact and Considerations for Clients

1. Increased Risk of Partnerships with Chinese Companies and Researchers:

Pharmaceutical and biotechnology companies that receive federal funding or contract with federal agencies should be prepared to wind down business ties to biotechnology companies in China. Impacted companies need to begin evaluating the risk to their supply chains, manufacturing capacity, and R&D pipelines in the event a business partner is listed.

Universities in the United States and other research institutes that receive federal funding will also need to undertake a similar assessment of their research partners and collaborators based in China.

2. Loss of CDMO capacity:

Wuxi App Tec is a large, global provider of contract development and manufacturing (CDMO) services to the life sciences industry. According to the New York Times “[b]y one estimate Wuxi has been involved in developing one-fourth of the drugs used in the United States.” BIOSECURE would effectively ban Wuxi from conducting business in the United States, and if passed, risks causing delays, shortages, and cost increases as companies seek to transition to other CDMOs. It will likely take years for competitors to replace the lost CDMO capacity.

3. Fate of Wuxi U.S. Facilities:

Wuxi has a large presence in the United States. It operates 12 facilities and employs almost 2,000 people. Normally, Wuxi would be expected to sell its U.S.-based facilities. However, based on Tiktok’s experience, it is unclear if the Government of China will permit Wuxi to sell its facilities as opposed to dismantling and/or relocating facilities outside of the United States.

4. OMB’s Management of Biotechnology Companies of Concern List

OMB does not typically manage processes like the one envisioned by BIOSECURE. How OMB interprets the broad criteria for listing companies will be critical. Which Departments, beyond the Department of Defense, will have the greatest influence on OMB’s decision making and how open OMB is to evidence from companies seeking to avoid listing will also need to be watched closely. Until OMB starts preparing its guidance and the FAR regulations are proposed, it is hard to anticipate the rate at which new companies will be added to the list. How the process established by BIOSECURE will interact with or leverage existing entity lists will be another development to closely monitor.

5. Retaliation by China

BIOSECURE’s passage is likely to trigger a response from the Government of China. Responses could range from imposing its own export controls to using the country’s sweeping national security laws to harass United States businesses and their employees. Companies doing business in China, particularly those in the pharmaceutical or biotech industries need to be prepared.

© 2024 Foley & Lardner LLP
For more on Biotechnology, visit the NLR Biotech Food Drug section

Understanding How U.S. Export Controls Affect Manufacturers’ Hiring Practices

The U.S. government has adjusted export control regulations in an effort to protect U.S. national security interests. The revisions primarily affect export of electronic computing items and semiconductors to prevent foreign powers from obtaining critical technologies that may threaten national security. As manufacturers are facing increased demand for their products and critical labor shortages, they may find themselves seeking to hire foreign national talent and navigating U.S. export control and immigration and anti-discrimination laws.

Export Control Laws in United States

The primary export control laws in the United States are the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR). Under these regulations, U.S. Persons working for U.S. companies can access export-controlled items without authorization from the U.S. government. U.S. Persons include: U.S. citizens, U.S. nationals, Lawful permanent residents, Refugees, and Asylees. Employers might need authorization from the appropriate federal agency to “export” (in lay terms, share or release) export-controlled items to workers who are not U.S. Persons, which the regulations call foreign persons. Employers apply for such authorization from either the U.S. Department of State or the U.S. Department of Commerce, depending on the item.

The release of technical data or technology to a foreign person that occurs within the United States is “deemed” to be an export to the foreign person’s “home country.” Whether an export license is required for a particular release may depend on both the nature of export controls applicable to the technology or technical data (including whether it is subject to the ITAR or EAR) and the citizenship of the foreign person.

Recent revisions to the EAR cover controls on advanced computing integrated circuits (ICs), computer commodities that contain such ICs, and certain semiconductor manufacturing items, among other controls. These revisions particularly affect semiconductor and chip manufacturers and exporters.

Intersection With Immigration and Anti-Discrimination Laws

The U.S. Immigration and Nationality Act (INA) and Title VII of the Civil Rights Act 1964 prohibit discrimination based on protected characteristics.

The INA prohibits discrimination based on national origin or citizenship, among other characteristics. Title VII prohibits discrimination based on race and national origin, which typically includes discrimination based on citizenship or immigration status. Furthermore, the INA prohibits “unfair documentary practices,” which are identified as instances where employers request more or different documents than those necessary to verify employment eligibility or request such documents with the intent to discriminate based on national origin or citizenship.

The intersection of export control laws, immigration, and anti-discrimination laws can create a confusing landscape for employers, particularly manufacturers or exporters of export-controlled items. Manufacturers and exporters, like all employers, must collect identity and employment authorization documentation to ensure I-9 compliance. At the same time, however, they must collect information relating to a U.S. Person in connection with export compliance assessments. To address these areas of exposure for employers, the U.S. Department of Justice’s Civil Rights Division released an employer fact sheet to provide guidance for employers that includes best practices to avoid discrimination.

Implications

To ensure compliance under these rules, employers should separate the I-9 employment authorization documentation process from the export control U.S. Person or foreign person identification process. Employers should implement or revisit internal procedures and provide updated training to employees.

The export rule revisions highlight the challenges for employers in avoiding discrimination when complying with export control laws. Manufacturers and exporters should review their compliance practices regarding U.S. export control, immigration, and anti-discrimination laws with experienced counsel. Employers should implement policies and procedures reasonably tailored to address export control compliance requirements while not engaging in discrimination on the basis of citizenship or national origin.

Jackson Lewis P.C. © 2024

by: Maurice G. Jenkins , Kimberly M. Bennett of Jackson Lewis P.C.

For more news on Export Control Laws, visit the NLR Antitrust & Trade Regulation section.

Continuing Effort to Protect National Security Data and Networks

CMMC 2.0 – Simplification and Flexibility of DoD Cybersecurity Requirements

Evolving and increasing threats to U.S. defense data and national security networks have necessitated changes and refinements to U.S. regulatory requirements intended to protect such.

In 2016, the U.S. Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARs) intended to better protect defense data and networks. In 2017, DoD began issuing a series of memoranda to further enhance protection of defense data and networks via Cybersecurity Maturity Model Certification (CMMC). In December 2019, the Department of State, Directorate of Defense Trade Controls (DDTC) issued long-awaited guidance in part governing the minimum encryption requirements for storage, transport and/or transmission of controlled but unclassified information (CUI) and technical defense information (TDI) otherwise restricted by ITAR.

DFARs initiated the government’s efforts to protect national security data and networks by implementing specific NIST cyber requirements for all DoD contractors with access to CUI, TDI or a DoD network. DFARs was self-compliant in nature.

CMMC provided a broad framework to enhance cybersecurity protection for the Defense Industrial Base (DIB). CMMC proposed a verification program to ensure that NIST-compliant cybersecurity protections were in place to protect CUI and TDI that reside on DoD and DoD contractors’ networks. Unlike DFARs, CMMC initially required certification of compliance by an independent cybersecurity expert.

The DoD has announced an updated cybersecurity framework, referred to as CMMC 2.0. The announcement comes after a months-long internal review of the proposed CMMC framework. It still could take nine to 24 months for the final rule to take shape. But for now, CMMC 2.0 promises to be simpler to understand and easier to comply with.

Three Goals of CMMC 2.0

Broadly, CMMC 2.0 is similar to the earlier-proposed framework. Familiar elements include a tiered model, required assessments, and contractual implementation. But the new framework is intended to facilitate three goals identified by DoD’s internal review.

  • Simplify the CMMC standard and provide additional clarity on cybersecurity regulations, policy, and contracting requirements.
  • Focus on the most advanced cybersecurity standards and third-party assessment requirements for companies supporting the highest priority programs.
  • Increase DoD oversight of professional and ethical standards in the assessment ecosystem.

Key Changes under CMMC 2.0

The most impactful changes of CMMC 2.0 are

  • A reduction from five to three security levels.
  • Reduced requirements for third-party certifications.
  • Allowances for plans of actions and milestones (POA&Ms).

CMMC 2.0 has only three levels of cybersecurity

An innovative feature of CMMC 1.0 had been the five-tiered model that tailored a contractor’s cybersecurity requirements according to the type and sensitivity of the information it would handle. CMMC 2.0 keeps this model, but eliminates the two “transitional” levels in order to reduce the total number of security levels to three. This change also makes it easier to predict which level will apply to a given contractor. At this time, it appears that:

  • Level 1 (Foundational) will apply to federal contract information (FCI) and will be similar to the old first level;
  • Level 2 (Advanced) will apply to controlled unclassified information (CUI) and will mirror NIST SP 800-171 (similar to, but simpler than, the old third level); and
  • Level 3 (Expert) will apply to more sensitive CUI and will be partly based on NIST SP 800-172 (possibly similar to the old fifth level).

Significantly, CMMC 2.0 focuses on cybersecurity practices, eliminating the few so-called “maturity processes” that had baffled many DoD contractors.

CMMC 2.0 relieves many certification requirements

Another feature of CMMC 1.0 had been the requirement that all DoD contractors undergo third-party assessment and certification. CMMC 2.0 is much less ambitious and allows Level 1 contractors — and even a subset of Level 2 contractors — to conduct only an annual self-assessment. It is worth noting that a subset of Level 2 contractors — those having “critical national security information” — will still be required to seek triennial third-party certification.

CMMC 2.0 reinstitutes POA&Ms

An initial objective of CMMC 1.0 had been that — by October 2025 — contractual requirements would be fully implemented by DoD contractors. There was no option for partial compliance. CMMC 2.0 reinstitutes a regime that will be familiar to many, by allowing for submission of Plans of Actions and Milestones (POA&Ms). The DoD still intends to specify a baseline number of non-negotiable requirements. But a remaining subset will be addressable by a POA&M with clearly defined timelines. The announced framework even contemplates waivers “to exclude CMMC requirements from acquisitions for select mission-critical requirements.”

Operational takeaways for the defense industrial base

For many DoD contractors, CMMC 2.0 will not significantly impact their required cybersecurity practices — for FCI, focus on basic cyber hygiene; and for CUI, focus on NIST SP 800-171. But the new CMMC 2.0 framework dramatically reduces the number of DoD contractors that will need third-party assessments. It could also allow contractors to delay full compliance through the use of POA&Ms beyond 2025.

Increased Risk of Enforcement

Regardless of the proposed simplicity and flexibility of CMMC 2.0, DoD contractors need to remain vigilant to meet their respective CMMC 2.0 level cybersecurity obligations.

Immediately preceding the CMMC 2.0 announcement, the U.S. Department of Justice (DOJ) announced a new Civil Cyber-Fraud Initiative on October 6 to combat emerging cyber threats to the security of sensitive information and critical systems. In its announcement, the DOJ advised that it would pursue government contractors who fail to follow required cybersecurity standards.

As Bradley has previously reported in more detail, the DOJ plans to utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors or involving government programs, where entities or individuals, put U.S. information or systems at risk by knowingly:

  • Providing deficient cybersecurity products or services
  • Misrepresenting their cybersecurity practices or protocols, or
  • Violating obligations to monitor and report cybersecurity incidents and breaches.

The DOJ also expressed their intent to work closely on the initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.

As a result, while CMMC 2.0 will provide some simplicity and flexibility in implementation and operations, U.S. government contractors need to be mindful of their cybersecurity obligations to avoid new heightened enforcement risks.

© 2021 Bradley Arant Boult Cummings LLP
For more articles about cybersecurity, visit the NLR Cybersecurity, Media & FCC section.

National Security Meets Teenage Dance Battles: Trump Issues Executive Orders Impacting TikTok and WeChat Business in the U.S.

On August 6, 2020, Trump issued two separate executive orders that will severely restrict TikTok and WeChat’s business in the United States.  For weeks, the media has reported on Trump’s desire to “ban” TikTok with speculation about the legal authority to do so.  We break down the impact of the Orders below.

The White House has been threatening for weeks to ban both apps in the interest of protecting “the national security, foreign policy, and economy of the United States.”  According to the Orders issued Thursday, the data collection practices of both entities purportedly “threaten[] to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage.”

This is not a new threat.  A variety of government actions in recent years have been aimed at mitigating the national security risks associated with foreign adversaries stealing sensitive data of U.S. persons.  For example, in 2018, the Foreign Investment Risk Review Modernization Act (FIRRMA) was implemented to expand the authority of the Committee on Foreign Investment in the United States (CFIUS) to review and address national security concerns arising from foreign investment in U.S. companies, particularly where foreign parties can access the personal data of U.S. citizens.  And CFIUS has not been hesitant about exercising this authority.  Last year, CFIUS required the divestment of a Chinese investor’s stake in Grindr, the popular gay dating app, because of concerns that the Chinese investor would have access to U.S. citizens’ sensitive information which could be used for blackmail or other nefarious purposes.  That action was in the face of Grindr’s impending IPO.

In May 2019, Trump took one step further, issuing Executive Order 13873 to address a “national emergency with respect to the information and communications technology and services supply chain.”  That Order stated that foreign adversaries were taking advantage of vulnerabilities in American IT and communications services supply chain and described broad measures to address that threat.  According to these new Orders, further action is necessary to address these threats.  EO 13873 and the TikTok and WeChat Orders were all issued under the International Emergency Economic Powers Act  (IEEPA), which provides the President broad authority to regulate transactions which threaten national security during a national emergency.

Order Highlights

Both Executive Orders provide the Secretary of Commerce broad authority to prohibit transactions involving the parent companies of TikTok and WeChat, with limitations on which transactions yet to be defined.

  • The TikTok EO prohibits “any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States,” with ByteDance Ltd., TikTok’s parent company, “or its subsidiaries, in which any such company has any interest, as identified by the Secretary of Commerce”
  • The WeChat EO prohibits “any transaction that is related to WeChat by any person, or with respect to any property, subject to the jurisdiction of the United States, with Tencent Holdings Ltd., WeChat’s parent company “or any subsidiary of that entity, as identified by the Secretary of Commerce.”
  • Both Executive Orders will take effect 45 days after issuance of the order (September 20, 2020), by which time the Secretary of Commerce will have identified the transactions subject to the Orders.

Implications

Until the Secretary of Commerce identifies the scope of transactions prohibited by the Executive Orders, the ultimate ramifications of these Orders remain unclear.  However, given what we do know, we have some initial thoughts on how these new prohibitions may play out.  The following are some preliminary answers to the burning questions at the forefront of every American teenager’s (and business person’s) mind.

Q:  Do these Orders ban the use of TikTok or WeChat in the United States?

A:  While the Orders do not necessarily ban the use of TikTok or WeChat itself, the app (or any future software updates) may no longer be available for download in the Google or Apple app stores in the U.S., and U.S. companies may not be able to purchase advertising on the social media platform – effectively (if not explicitly) banning the apps from the United States.

Q:  Will all transactions with ByteDance Ltd. and Tencent Holdings Ltd. (TikTok and WeChat’s parent companies, respectively) be prohibited?

A:  Given the broad language in the Orders, it does appear that U.S. app stores, carriers, or internet service providers (ISPs) will likely not be able to continue carrying the services while TikTok and WeChat are owned by these Chinese entities.  However, it is unlikely that the goal is to prohibit all transactions with these companies as a deterrent or punishment tool – which would essentially amount to designating them as Specially Designated Nationals (SDNs) – the  Orders clearly contemplate some limitations to be imposed on the types of transactions subject to the Order by the Secretary of Commerce.  Furthermore, the national security policy rationale for such restrictions will not be present in all transactions (i.e. if the concern is the ability of Chinese entities to access personal data of U.S. citizens in a manner that could be used against the interests of the United States, then presumably transactions in which ByteDance Ltd. and Tencent Holdings Ltd. do not have access to such data should be permissible.).  So while we do not know exactly what the scope of prohibited transactions will be, it would appear that the goal is to restrict these entities’ access to U.S. data and any transactions that would facilitate or allow such access.

Q:  What does “any property, subject to the jurisdiction of the United States” mean?

A:  Normally, the idea behind such language is to limit the prohibited transactions to those with a clear nexus to the United States: any U.S. person or person within the United States, or involving property within the United States.  It is unlikely that transactions conducted wholly outside the United States by non-U.S. entities would be impacted.  From a policy perspective, it would make sense that the prohibitions be limited to transactions that would facilitate these Chinese entities getting access to U.S.-person data through the use of TikTok and WeChat.

Q:  What about the reported sale of TikTok?

A: There is a chance the restrictions outlined in the TikTok EO will become moot.  Reportedly, Microsoft is in talks with ByteDance to acquire TikTok’s business in the United States and a few other jurisdictions.  If the scope of prohibited transactions are tailored to those involving access to U.S. person data and if a U.S. company can assure that U.S. user-data will be protected, then the national security concerns of continued use of the app would be mitigated.  Unless and until such acquisition takes place, U.S. companies investing in TikTok or utilizing it for advertising such be prepared for the restrictions to take effect.  At this time, there do not appear to be any U.S. buyers in the mix for WeChat.

Q:  The WeChat EO prohibits any transaction that is “related to” WeChat…what does that mean?

A:  The WeChat prohibition is more ambiguous and could have significantly wider impact on U.S. business interests. WeChat is widely used in the United States, particularly by people of Chinese descent, to carry out business transactions, including communicating with, and making mobile payments to, various service providers.  The WeChat EO prohibits “any transaction that is related to WeChat  with Tencent Holdings Ltd., or any of its subsidiaries.  Unlike TikTok, WeChat’s services extend beyond social media.  While the language of the ban is vague and the prohibited transactions are yet to be determined, it appears likely that using WeChat for these communications and transactions may no longer be legal. It is also unclear if the WeChat prohibition will extend to other businesses tied to Tencent, WeChat’s parent company, including major gaming companies Epic Games (publisher of the popular “Fortnite”), Riot Games (“League of Legends”), and Activision Blizzard, all in which Tencent has substantial ownership interests.  There has been some reporting that a White House official confirmed Tencent’s gaming interest are excluded from the Order as being unrelated to WeChat, but until the Secretary of Commerce specifies the prohibited transactions, the scope of the Order remains uncertain

Bottom Line

Until the Secretary of Commerce issues its list of transactions prohibited under these Executive Orders, the scope and effect of these Orders is conjectural.  This Administration’s all-in posture towards China would suggest that the prohibitions could be broad and severe.  U.S. companies utilizing WeChat or TikTok for business purposes or conducting business with the apps’ owners, should think carefully about ongoing and future transactions.  Of course, there is an election right around the corner and a new Administration may bring significant change to related foreign, trade and technology policy.  Thoughtful planning for a variety of scenarios will enable companies’ to respond appropriately as the restrictions on TikTok and WeChat are crystallized.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.