Federal Register / Vol. 86, No. 14 / Monday, January 25, 2021 / Presidential Documents
6837
Presidential Documents
Executive Order 13984 of January 19, 2021
Taking Additional Steps To Address the National Emergency
With Respect to Significant Malicious Cyber-Enabled Activities
By the authority vested in me as President by the Constitution and the
laws of the United States of America, including the International Emergency
Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), and section 301 of title 3,
United States Code:
I, DONALD J. TRUMP, President of the United States of America, find
that additional steps must be taken to deal with the national emergency
related to significant malicious cyber-enabled activities declared in Executive
Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons
Engaging in Significant Malicious Cyber-Enabled Activities), as amended,
to address the use of United States Infrastructure as a Service (IaaS) products
by foreign malicious cyber actors. IaaS products provide persons the ability
to run software and store data on servers offered for rent or lease without
responsibility for the maintenance and operating costs of those servers.
Foreign malicious cyber actors aim to harm the United States economy
through the theft of intellectual property and sensitive data and to threaten
national security by targeting United States critical infrastructure for malicious cyber-enabled activities. Foreign actors use United States IaaS products
for a variety of tasks in carrying out malicious cyber-enabled activities,
which makes it extremely difficult for United States officials to track and
obtain information through legal process before these foreign actors transition
to replacement infrastructure and destroy evidence of their prior activities;
foreign resellers of United States IaaS products make it easier for foreign
actors to access these products and evade detection. This order provides
authority to impose record-keeping obligations with respect to foreign transactions. To address these threats, to deter foreign malicious cyber actors’
use of United States IaaS products, and to assist in the investigation of
transactions involving foreign malicious cyber actors, the United States must
ensure that providers offering United States IaaS products verify the identity
of persons obtaining an IaaS account (‘‘Account’’) for the provision of these
products and maintain records of those transactions. In appropriate circumstances, to further protect against malicious cyber-enabled activities,
the United States must also limit certain foreign actors’ access to United
States IaaS products. Further, the United States must encourage more robust
cooperation among United States IaaS providers, including by increasing
voluntary information sharing, to bolster efforts to thwart the actions of
foreign malicious cyber actors.
jbell on DSKJLSW7X2PROD with EXECORD2
Accordingly, I hereby order:
Section 1. Verification of Identity. Within 180 days of the date of this
order, the Secretary of Commerce (Secretary) shall propose for notice and
comment regulations that require United States IaaS providers to verify
the identity of a foreign person that obtains an Account. These regulations
shall, at a minimum:
(a) set forth the minimum standards that United States IaaS providers
must adopt to verify the identity of a foreign person in connection with
the opening of an Account or the maintenance of an existing Account,
including:
VerDate Sep<11>2014
17:24 Jan 22, 2021
Jkt 253001
PO 00000
Frm 00001
Fmt 4790
Sfmt 4790
E:\FR\FM\25JAE2.SGM
25JAE2