Compliance & Regulations

What It Takes to Secure a Specific Authorization Under the CVR

Understand how to secure a specific authorization under the CVR—and what cybersecurity evidence you’ll need—to increase your chances of acceptance.

September 12, 2025 • 3:00

Transcript

You know, I think we're in the early days. We've been working on them, and I think we'll start to build up some knowledge, you know, as we start getting those back, you know, and I think that not that the thinking is going on at Commerce, and I think people are learning on the outside through that process. The specific authorization is, you know, again, these are situations basically where parties are not able to comply with the rule because they're clearly covered, you know, under one of the various prohibitions, and they're not gonna be in compliance by the time that the rule goes into effect. And in that case, you can go in and submit a specific authorization and basically explain why, you know, what the situation is and why Commerce should authorize that. And, you know, I think some of the focuses on that will be things like supply chain disruption, disruption to the US economy. But, also, what measures have you taken to actually mitigate the national security risk through cybersecurity measures, other compliance tools, and structures, corporate structures, etcetera, that really eliminate the risk and give Commerce the ability to say, okay, we will allow this to go on. I don't... my sense is that the approval of these will wane over time. You know, there'll be an initial, as Hillary was saying, there'll be an initial set that are approved. But, basically, these are, like, phase-out authorizations most likely that will lead towards scenarios where people have come into compliance with the ruling as opposed to acting in perpetuity under a specific authorization.

Yeah. I just wanna briefly add to what you just said, Christian, because I think that's a really important point with specific authorizations. If you want to increase your likelihood of being granted one, you do need to do the cybersecurity work to show that you have mitigated the risks that are associated with that. They do call out some specific things in the rule.

So, for example, if you are following, like, ISO 21434 as your framework for cybersecurity and you can show that you've done threat modeling. You've done a vulnerability assessment. You're managing those. You've done a risk assessment. You've done your supply chain risk assessment. All of that needs to be compiled together into that specific authorization request in order to show that you have a handle on this risk and that it is no longer a national security risk or it is an acceptable risk at this time until you can find an alternative. And it's worth noting that you need to be prepared to document that and also be prepared for the possibility that Commerce will ask follow-up questions, and maybe even make specific requests for additional security measures, to try to mitigate the risk that they might see of Chinese government involvement.