- the types of documentation and procedures required to verify the identity of any foreign person acting as a lessee or sub-lessee of these products or services;
- records that United States IaaS providers must securely maintain regarding a foreign person that obtains an Account, including information establishing:
- the identity of such foreign person and the person’s information, including name, national identification number, and address;
- means and source of payment (including any associated financial institution and other identifiers such as credit card number, account number, customer identifier, transaction identifiers, or virtual currency wallet or wallet address identifier);
- electronic mail address and telephonic contact information, used to verify a foreign person’s identity; and
- internet Protocol addresses used for access or administration and the date and time of each such access or administrative action, related to ongoing verification of such foreign person’s ownership of such an Account; and
- methods for limiting all third-party access to the information described in this subsection, except insofar as such access is otherwise consistent with this order and allowed under applicable law;
(b) take into consideration the type of Account maintained by United States IaaS providers, methods of opening an Account, and types of identifying information available to accomplish the objectives of identifying foreign malicious cyber actors using any such products and avoiding the imposition of an undue burden on such providers; and
(c) permit the Secretary, in accordance with such standards and procedures as the Secretary may delineate and in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, to exempt any United States IaaS provider, or any specific type of Account or lessee, from the requirements of any regulation issued pursuant to this section. Such standards and procedures may include a finding by the Secretary that a provider, Account, or lessee complies with security best practices to otherwise deter abuse of IaaS products.
Sec. 2. Special Measures for Certain Foreign Jurisdictions or Foreign Persons. (a) Within 180 days of the date of this order, the Secretary shall propose for notice and comment regulations that require United States IaaS providers to take any of the special measures described in subsection (d) of this section if the Secretary, in consultation with the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of National Intelligence and, as the Secretary deems appropriate, the heads of other executive departments and agencies (agencies), finds:
- that reasonable grounds exist for concluding that a foreign jurisdiction has any significant number of foreign persons offering United States IaaS products that are used for malicious cyber-enabled activities or any significant number of foreign persons directly obtaining United States IaaS products for use in malicious cyber-enabled activities, in accordance with subsection (b) of this section; or
- that reasonable grounds exist for concluding that a foreign person has established a pattern of conduct of offering United States IaaS products that are used for malicious cyber-enabled activities or directly obtaining United States IaaS products for use in malicious cyber-enabled activities.
(b) In making findings under subsection (a) of this section on the use of United States IaaS products in malicious cyber-enabled activities, the Secretary shall consider any information the Secretary determines to be relevant, as well as information pertaining to the following factors:
