Page:Executive Order 13984.pdf/3

1. Factors related to a particular foreign jurisdiction, including:

    1. evidence that foreign malicious cyber actors have obtained United States IaaS products from persons offering United States IaaS products in that foreign jurisdiction, including whether such actors obtained such IaaS products through Reseller Accounts;

    2. the extent to which that foreign jurisdiction is a source of malicious cyber-enabled activities; and

    3. whether the United States has a mutual legal assistance treaty with that foreign jurisdiction, and the experience of United States law enforcement officials and regulatory officials in obtaining information about activities involving United States IaaS products originating in or routed through such foreign jurisdiction; and

2. Factors related to a particular foreign person, including:

    1. the extent to which a foreign person uses United States IaaS products to conduct, facilitate, or promote malicious cyber-enabled activities;

    2. the extent to which United States IaaS products offered by a foreign person are used to facilitate or promote malicious cyber-enabled activities;

    3. the extent to which United States IaaS products offered by a foreign person are used for legitimate business purposes in the jurisdiction; and

    4. the extent to which actions short of the imposition of special measures pursuant to subsection (d) of this section are sufficient, with respect to transactions involving the foreign person offering United States IaaS products, to guard against malicious cyber-enabled activities.

(c) In selecting which special measure or measures to take under this section, the Secretary shall consider:

1. whether the imposition of any special measure would create a significant competitive disadvantage, including any undue cost or burden associated with compliance, for United States IaaS providers;

2. the extent to which the imposition of any special measure or the timing of the special measure would have a significant adverse effect on legitimate business activities involving the particular foreign jurisdiction or foreign person; and

3. the effect of any special measure on United States national security, law enforcement investigations, or foreign policy.

(d) The special measures referred to in subsections (a), (b), and (c) of this section are as follows:

1. Prohibitions or Conditions on Accounts within Certain Foreign Jurisdictions: The Secretary may prohibit or impose conditions on the opening or maintaining with any United States IaaS provider of an Account, including a Reseller Account, by any foreign person located in a foreign jurisdiction found to have any significant number of foreign persons offering United States IaaS products used for malicious cyber-enabled activities, or by any United States IaaS provider for or on behalf of a foreign person; and

2. Prohibitions or Conditions on Certain Foreign Persons: The Secretary may prohibit or impose conditions on the opening or maintaining in the United States of an Account, including a Reseller Account, by any United States IaaS provider for or on behalf of a foreign person, if such an Account involves any such foreign person found to be offering United States IaaS products used in malicious cyber-enabled activities or directly obtaining United States IaaS products for use in malicious cyber-enabled activities.

(e) The Secretary shall not impose requirements for United States IaaS providers to take any of the special measures described in subsection (d) of this section earlier than 180 days following the issuance of final regulations described in section 1 of this order.