{"id":18396408,"url":"https://github.com/fearlesssolutions/icts","last_synced_at":"2026-03-19T04:10:25.272Z","repository":{"id":152875259,"uuid":"599158000","full_name":"FearlessSolutions/ICTS","owner":"FearlessSolutions","description":null,"archived":false,"fork":false,"pushed_at":"2023-02-13T14:37:14.000Z","size":7,"stargazers_count":0,"open_issues_count":90,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-12T15:15:09.203Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FearlessSolutions.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-08T15:17:03.000Z","updated_at":"2023-03-31T17:26:44.000Z","dependencies_parsed_at":null,"dependency_job_id":"088f604e-b11b-4647-8c5c-2a3957ddebc7","html_url":"https://github.com/FearlessSolutions/ICTS","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/FearlessSolutions/ICTS","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FearlessSolutions%2FICTS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FearlessSolutions%2FICTS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FearlessSolutions%2FICTS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FearlessSolutions%2FICTS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FearlessSolutions","download_url":"https://codeload.github.com/FearlessSolutions/ICTS/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FearlessSolutions%2FICTS/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265636857,"owners_count":23802574,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T02:13:42.554Z","updated_at":"2026-02-04T08:31:04.666Z","avatar_url":"https://github.com/FearlessSolutions.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# ICTS\n\nThe Problem\nINTAKE ISSUE:  Department of Commerce (DOC) Bureau of Industry and Security (BIS) expects to publish a final rule in April 2023 that prohibits a specific party from continuing to provide ICTS services to both critical infrastructure entities (banks, energy sectors, police departments, commercial farming, etc.) and individual citizens.  Upon publishing this rule in the federal register, it is expected that entities using these services may seek waivers or exceptions to this prohibition. Currently, BIS has created one intake email to intake these requests.  There are more than 2 million active users and over 5000 companies using this specific service and it’s possible many of them will seek exceptions. \n\n\nLICENSING ISSUE: Second, in August 2023, BIS plans to publish a rule that allows the government to impose restrictions of US companies and citizens on the use of specific information and communications technology or services (ICTS) imported from foreign countries that pose a threat to US National Security. ICTS is defined as software services from China (including Hong Kong), Russia, Cuba, Iran, North Korea, and Venezuela’s Maduro Regime. As part of the Rule, affected US parties will receive written notification outlining the restrictions and impacted software or hardware/services that may require licensing/exceptions similar to that of the current controls on exports of critical technology. The draft Rule may also provide a time-limited opportunity for US parties to voluntarily disclose their use of these products and for the government to consider those responses before finalizing the Rule.  It is more than likely that this rule will go “final” into Q2 FY 24, which marks the point at which companies would seek licenses (aka exceptions) to specific prohibitions. The rules are still being drafted, and this requirement should be considered when establishing the immediate requirements for an intake system above. \n\n\nThe government currently does not have a system that supports the submission, adjudication, and determination of these disclosures in either circumstance. Without a clear process and system, the government will be in violation of the response deadlines set forth in the Rule. Additionally, poor management of these requests for disclosure creates additional risks for national security; creating significant roadblocks for effective management and analysis of growing risks to the supply chain.  \n\n\nMain Users\n\n\nRole\nResponsibilities\nEstimated Number of Users\nUS Parties notified as part of the Rule\nVerification of their identity as an employee of a US company impacted by the Rule\nSubmission of an exemption request for the Rule\nNotification of the final determination \n500,000\nDOC Employees\nReview and adjudication of the exemption request\nPassing a determination in regard to the exemption request\n15-80\n\n\n\n\n\nHigh-level Approach\nCreate low-fidelity submission and adjudication system for the processing of the intake exemption requests that will coincide with the delivery of the written notifications of the restrictions to US industry. Upon notification, US companies may be eligible to submit exemption requests through the system.\nMain Goal\nImproved operational efficiency, response speed, and visibility into the adjudication process for ICTS company disclosures and requests for extensions or exemptions. \nSuccess Metrics\nMetric\nHow will we measure it?\nBenchmark\n Adjudication time \nTime from submission receival to final determination\n\n\n \nDetermination Response \nNumber of exemptions where a final determination is passed and explained\n 100%\nVisibility\nAmount of information available to submitters\n5 Pieces of Information (Request, Request Date, Determination, Determination Reasoning, Determination)\n\n\nSolution Alignment\nKey Features\nRequired Features \nAbility for Industry to Submit Exemptions \u0026 Extension\nAbility for ICTS to Log-in to view submissions\nLink from BIS Website to application\nSubmission Success Notification\n\nSecurity Requirements\nFISMA high\nFedramp high\nPost-launch Features (updates, expansion)\nSSO\nCase Management System for Extensions and Exemptions Adjudication\nIntake of rule comments and feedback\nIntake of tips or disclosures for ICTS violations\nAdjudication Final Determination Notification\nReporting\nKey Flows\nShow some mocks/embeds of the experience. Link to any other documentation as necessary. In general, it’s helpful to organize these around certain user journeys/use cases. Show enough of a clickthrough where people can walk away with a reasonable understanding of how the product works.\nDesign Research, Prototypes, Content\nAdd helpful links here.\nOpen Issues + Key Decisions\nQuestion / Issue\nDecision / Mitigation Tactic\nNotes\nHow will we interview people (potential users) who aren’t supposed to know about this yet?\nUAT Testing post development with ICTS staff, BIS Staff, and proxy industry users from  Internal staff at Fearless\nThat’s tricky. How do we use usability testing, working in confidentiality?\nOne option the team could do is to neutralize the sensitivity component.\nAre there any existing exemption request systems in across agencies?\nCFIUS Case Management System | U.S. Department of the Treasury\nCFIUS and ICTS will not overlap\nWhat do you believe will be users’ biggest concerns around this action? \nCompanies want to submit an exemption so that they can use the product/service\nUser that needs to log in and submit data, review the data, submit corporate data and respond with the result, and ideally provide the status of that submission\n\n\nIs there an existing exemption process that is already in place?\nNot for ICTS, the team is only 4 people. Other exemption requests processes\n\n\nAre there parts of the exemption process that require paperwork? Where and when does that handoff happen?\n\n\n\n\nWhat is our end users' motivation? Are there any ramifications for using prohibited ICTS but not filing an exemption?\nLoss of operational efficiency after a product is ICTS restricted and sunset.\n\n\nWhat are the specific ICTS impacted? How many imports do we anticipate needing exemptions for?\n\n\n\n\nAre export companies the same as import companies? Will we be able to use any of the export discoveries for ICTS?\nNo \n\n\nWhen is the notification date?\nApril 1st\n\n\nHow long will DOC be excepting exemption requests?\nThe Final rule will be publish in August\n\n\nAre there any upstream or downstream data dependencies?\n\n\n\n\nWhat occurs during the adjudication of an exemption request? What is the workflow?\n\n\n\n\nWhat information is required to make an exemption request determination?\nCompany Name, Address, phone number \nPOC name, email, phone \nproduct(s) names (can we list all of their products where they can be selected as a drop down? I can provide a list.) and the ability to add more than one product as some companies have multiple products?\nMaybe a couple of narrative boxes the customer can use to explain the reason they are requesting an extension/exemption.  Maybe give them a choice via drop down to indicate whether they are asking for an extension or exclusion?\n\n\nHow can we verify that a US company was impacted by the Rule?\nWe have the subpoena list with the following information: Customer name, customer address, product group, product name\n\n\nWill Help Desk be supporting this effort?\n\n\n\n\nWho are our primary contacts at ICTS?\nEvan Broderick, Mark Johnson\n\n\nWho will be our PO?\nMark Johnson\n\n\nWill we be working on ICTS for just MVP and then switching back to export? Or is staying on ICTS?\n\n\n\n\nWould companies using  ICTS system have BIS CIN or other unique identification number? If no, how will the company be uniquely identifiable?\n\n\n\n\nWill users be submitting the request in the form of a document (e.g. PDF) or they are expected to fill out an online form?\n\n\n\n\nWill BIS Azure cloud be used for this project? Who will be managing the cloud etc.? (Simon computing? Or internal resources or Fearless).\n\n\n\n\nWhat is the target date for publishing the ICTS information on the BIS website?\nWaiting for Under Secretary announcement of office, should be ready to post 2/20 (BUT NOT POSTED UNTIL WE HAVE PA/OGC CONCURRENCE, AT LEAST A WEEK EARLIER)\n\n\nWhat information is required to be published on the BIS website?\n\n\n\n\nWill we be processing extension requests?\n\n\n\n\nWhat’s the difference between exemption requests and extension requests?\n\n\n\n\nAre these the only comments (20) that are being addresed re: the revised rule? Regulations.gov\n\n\n\n\nWill affected products be limited by product type or more specifically by version number/types?\n\n\n\n\n\n\n\nLaunch Readiness\nDate\nMilestone\nAudience\nDescription\n TBD\nICTS Exemption Request Discovery\nICTS Team, Other DOC Team, Impacted Companies\nGetting a detailed understanding of the requirements, workflow, and timelines for ICTS Exemption Requests.\nLean UX activities\nLow fidelity prototypes and workflows completed\nEstablished Vision and OKRs\n TBD\nTechnical Solution Approval\nBIS Team, ICTS Team\nApproval of low fidelity MVP Technical Approach\n3/16\nSystem Build\nBIS Team, ICTS Team\nCreation of the low fidelity system\n3/17-\n3/24\nSystem Testing\nBIS Team, ICTS Team\nRegression, accessibility, and penetration testing\n3/25-\n3/31\nTraining\nICTS Team, Other DOC Team, Impacted Companies\nTraining of DOC employees (BIS, ICTS, Help Desk) on the new system, training documentation \u0026 FAQs for external users \n2/20\nCommunications\nICTS Team, Impacted Companies\nIntegration of the following documentation into the restriction notification/ ICTS website:\nIntroduction/link to the system\nInstructions on how to set up a user\nInstructions on how to use the system\n\nOperational Readiness\nArea\nQuestion\nAnswer (Y/N)\nInstructions / Notes\nAccessibility\nIs this launch compliant with our accessibility standards?\n\n\nMust meet 508 and plain language standards\nSupport\nAre we clear with error and confirmation messaging across functionality?\n \n \nOnboarding\nWill new learning material be needed (or updates to existing documentation)?\n \n \nOnboarding\nHave we planned for how new users will learn about this product/feature? How?\n \n \nOnboarding\nIs this functionality available to all users at once, or phased rollout?\n \n All users at once\nHelp desk\nHave we provided documentation to help desk?\n \n \nHelp desk\nHave we demoed new functionality to help desk?\n \n \nHelp desk\nHave we determined the flow for problem escalation with help desk?\n \n \nArchitecture / Security\nAre we adding any new roles and permissions?\n \n Yes, internal adjudicators, Help Desk, role approvers, and submitters\nArchitecture\nIs data being transferred across products?\n \n \nArchitecture\nIs there a dependency on the architecture team’s workload? Is the architecture team aware?\n \n \nArchitecture\nAre we sunsetting any legacy systems?\n N\n \nSecurity\nAre we changing or affecting anything related to DOC security protocol?\n \n \nPolicy\nDo we have any requirements for Paperwork Reduction Act? Do we need to get started on PRA submission?\n \n \nPolicy\nAre there any other policy or legal aspects we need to consider before launch?\n \n \n\n\n\nTechnical Details\nAdd links to relevant technical details.\nData Elements\nRequested Technical Solutions\nAssociated Business Problem\nImplementation Approach\nMVP or Post-MVP\nBusiness Process Flow - ability to follow cases and assign persons.\nOperational Efficiency in Exemption Request Management\n\n\nMVP\nFISMA mid/high secure\nFedramp high\nSecure Exemption Request Management\nInvolve Vaultes\nMVP\nSearchable Exemptions\nManagement of Multiple Request\n\n\n\n\nMapping capability - Geolocation, and visual map\n\n\n\n\n\n\nCross domain solution 0 ability to upload or \"send\" a document to a JWICS email address, directly, and a high side \"database\" that mirrors the same database on unclass.\n\n\n\n\n\n\nAPI to customs data (both ACE and export data), that has entity resolution (automatic resolution of an \"entity name\", address, or phone, fax, to information submitted by a party under consideration)\n\n\n\n\nPost-MVP\nAbility to link to publicly available import information, such as Import Yeti\n\n\n\n\n\n\nAPI to a \"derogatory information\" flag\n\n\n\n\n\n\nAuto resolve and flag to a company listed in IMS-R as a company of concern or under investigation\n\n\n\n\n\n\nA way to track case flow (business process of \"who\" the case is with, internally, with visual analytics and who is \"next\" in the process flow)\nVisibility into the adjudication process\n\n\n\n\nAbility to rapidly upload case documents\nManagement of multiple documents associated with one case\n\n\n\n\nLink the DOC website to our BIS ICTS Portal. - Explain the entire ICTS program (leadership, policy, intent, and next steps in the development of the ICTS program - get messaging from OCPA.)\nLaunch, onboarding, training\n\n\nMVP\nAbility to upload information and have the system output a standardized set of information as a Report of Investigation (ROI)\nReporting\n\n\n\n\nAbility for any company to register, and submit their standard administrative information, name, address, phone fax, and the ability for another company to search and find that company, \"by name and address only\", in that database.\nUser Management\nis there a corporate database we can validate against so we’re not recreating the wheel as far as companies? Or products through HS codes? https://www.trade.gov/harmonized-system-hs-codes\n\nHow do foreign Saas companies handle import controls in the first place? @evan\n\n\nAbility to map international addresses.\n\n\n\n\n\n\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffearlesssolutions%2Ficts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffearlesssolutions%2Ficts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffearlesssolutions%2Ficts/lists"}