The Cloud Service Providers-Advisory Board (CSP-AB) welcomes the opportunity to engage with the Department of Commerce on the notice of proposed rulemaking (NPRM) addressing new regulations for Infrastructure as a Service (IaaS) providers. These regulations aim to implement the Executive Orders of January 19, 2021, and October 30, 2023, focusing on identity verification of foreign customers and reporting for AI model training transactions. While the CSP-AB aligns with the U.S. Government’s national security objectives, we urge a balanced approach that protects privacy, fosters innovation, and maintains operational feasibility for IaaS providers.
Addressing Overarching Concerns
The CSP-AB recognizes the importance of preventing malicious cyber-enabled activities and deterring foreign actors from exploiting U.S. cloud infrastructure. However, we express reservations about the Proposal’s effectiveness and its potential unintended consequences, including:
- Overbroad Know Your Customer (KYC) Requirements:
  - The proposed bank-like identity verification requirements are impractical and unlikely to enhance national security. These prescriptive measures risk diverting resources from more effective security initiatives.
  - CSP-AB encourages the Department to reconsider and refine these requirements, ensuring they are targeted and operationally feasible.
- Definition of Foreign Ownership:
  - The definition outlined in the Proposal is overly broad, potentially capturing entities that do not pose risks. The CSP-AB recommends aligning these standards with the Office of Foreign Assets Control (OFAC) guidelines to avoid unnecessary burdens.
- Focus on Abuse Deterrence Programs (ADPs):
  - Rather than implementing the proposed Customer Identification Program (CIP) Rule, the CSP-AB advocates for focusing on Abuse of IaaS Products Deterrence Programs (ADPs). Leveraging FedRAMP as a baseline for ADP requirements can streamline compliance and avoid fragmentation.
- Challenges in AI Reporting Requirements:
  - Reporting requirements for large AI model training transactions present significant concerns, including potential conflicts with FedRAMP’s shared responsibility model and established privacy standards. CSP-AB recommends bifurcating this aspect into a separate dialogue with the private sector.
Fostering Effective Collaboration
The CSP-AB emphasizes the need for a collaborative approach between the government and private sector. By leveraging industry expertise, the Department can develop regulations that achieve security goals without hindering innovation or burdening service providers. Specific recommendations include:
- Revisiting Scope and Definitions: Align definitions and requirements with existing regulatory frameworks, such as OFAC and FedRAMP, to ensure clarity and reduce redundancy.
- Engaging Stakeholders on AI Reporting: Establish a separate process to address AI-related reporting, focusing on actionable outcomes that protect privacy and promote trust.
- Targeting Resources Effectively: Concentrate on measures that directly deter malicious actors, ensuring the best use of resources for both the government and CSPs.
Conclusion
The CSP-AB shares the U.S. Government’s commitment to safeguarding critical infrastructure and deterring foreign malicious cyber actors. However, regulations must strike a careful balance between security, innovation, and practicality. We look forward to continued dialogue with the Department of Commerce to refine these proposals and build a secure, resilient, and innovative cloud ecosystem.
Call to Action: Stakeholders in the cloud industry are encouraged to provide feedback on the proposed regulations. Together, we can shape policies that enhance national security while preserving the foundational principles of privacy and innovation.
Read our full response here: