The Software & Information Industry Association (SIIA) provided comments in response to the Bureau of Industry and Security’s (BIS) request for comment on the Notice of Proposed Rulemaking (NPRM) regarding two executive orders: the IaaS EO and the AI EO. The NPRM aims to address malicious cyber-enabled activities by requiring U.S. Infrastructure as a Service (IaaS) providers to implement customer identification programs, prevent misuse of IaaS products, and safeguard national security.
SIIA supports efforts to combat cyber threats but raises concerns about the NPRM’s potential negative impacts. SIIA argues that the proposed regulations suffer from legal inconsistencies, overly broad definitions, and burdensome compliance requirements. We believe that the proposed Customer Identification Program (CIP) may not effectively deter malicious actors and could lead to evasion, increased costs, and privacy concerns, particularly for small and medium-sized businesses.
SIIA suggests that instead of a CIP, BIS should focus on an Abuse Deterrence Program (ADP) centered on cybersecurity best practices, fostering collaboration between government, industry, and international partners. We propose separating the rulemaking processes for the two executive orders and urge further stakeholder engagement to better understand the implications of the proposed regulations.