S3519-119

In Committee

Remote Access Security Act

119th Congress Introduced Dec 17, 2025

Analysis under review: This bill has generated analysis that may be too generic or incomplete. Clause-level evidence remains available below.

Summary

What This Bill Does

This bill closes a gap in U.S. export controls by extending them to cover remote access to controlled technology through cloud computing services. Currently, export controls apply when physical items or software are exported, but not when foreign adversaries access the same capabilities remotely through the cloud. The bill amends the Export Control Reform Act of 2018 to treat remote cloud access by foreign persons of concern the same as a physical export, requiring licenses and other controls.

Who Benefits and How

U.S. national security benefits by closing the cloud access loophole that allows adversary nations to remotely use controlled technologies, particularly for training dangerous AI models, conducting offensive cyber operations, or enabling surveillance. Domestic cloud service providers may gain a competitive advantage as compliant platforms. The bill includes a 10-year sunset and requires Congressional consultation before new regulations, along with a public report on economic impact within one year.

Who Bears the Burden and How

Cloud infrastructure providers face significant new compliance obligations, as they must now monitor and control remote access by foreign persons of concern to items on the Commerce Control List. U.S. technology companies with international customers in affected countries (China, Russia, and others specified in 10 USC 4872(f)(2)) face potential loss of business. The Secretary of Commerce bears additional regulatory, reporting, and consultation obligations.

Key Provisions

  • Defines remote access as cloud-based access to controlled items by foreign persons of concern
  • Covers AI training for WMD/offensive cyber/evasion of human control, offensive cyberspace capabilities, and human rights-undermining surveillance
  • Foreign persons of concern include governments and entities from countries listed in 10 USC 4872(f)(2), including China and Hong Kong/Macau SARs
  • Requires Congressional consultation before promulgating remote access regulations
  • Mandates public report with recommendations within 1 year, including public roundtable
  • 10-year sunset on remote access control authority

Evidence Chain:

This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers.

At a Glance

What This Bill Does

Extends U.S. export controls to cover remote access to controlled items by foreign persons of concern through cloud infrastructure services, targeting AI training, offensive cyber operations, and surveillance technologies

Key Policy Areas

National Security, Technology, Trade and Export Controls, Cybersecurity

Primary Purpose

Extends U.S. export controls to cover remote access to controlled items by foreign persons of concern through cloud infrastructure services, targeting AI training, offensive cyber operations, and surveillance technologies

Policy Domains

National Security Technology Trade and Export Controls Cybersecurity

Control of Remote Access Under Export Control Reform Act

Identified Gains
Contextual inference, no direct clause citation
  • U.S. national security interests
  • Domestic cloud service providers (competitive advantage)
  • Critical infrastructure operators
Model: N/A | Version: bill_summary_v2 | Source: is

Contextual inference, no direct clause citation

Identified Costs
Contextual inference, no direct clause citation
  • Cloud infrastructure service providers (compliance obligations)
  • Foreign persons of concern (access restrictions)
  • U.S. technology companies with international customers
Model: N/A | Version: bill_summary_v2 | Source: is

Contextual inference, no direct clause citation

Congressional Consultations

Identified Gains
Contextual inference, no direct clause citation
  • Congress (oversight capacity)
Model: N/A | Version: bill_summary_v2 | Source: is

Contextual inference, no direct clause citation

Identified Costs
Contextual inference, no direct clause citation
  • Secretary of Commerce (reporting obligations)
Model: N/A | Version: bill_summary_v2 | Source: is

Contextual inference, no direct clause citation

Report and Recommendations

Identified Gains
Contextual inference, no direct clause citation
  • U.S. businesses seeking regulatory clarity
  • International partners
Model: N/A | Version: bill_summary_v2 | Source: is

Contextual inference, no direct clause citation

Identified Costs
Contextual inference, no direct clause citation
  • Secretary of Commerce (report and public roundtable obligations)
Model: N/A | Version: bill_summary_v2 | Source: is

Contextual inference, no direct clause citation

Legislative Progress

In Committee
Introduced Committee Passed
Dec 17, 2025

Mr. McCormick (for himself, Mr. Wyden, Mr. Cotton, and Mr. …

Dec 17, 2025

Read twice and referred to the Committee on Banking, Housing, …

Dec 17, 2025

Introduced in Senate

Impact analysis is available but no clear stakeholder effects identified. View clause-level analysis →

Bill Structure & Actor Mappings

Who is "The Secretary" in each section?

Domains
National Security Trade and Export Controls Technology
Actor Mappings
"the_secretary"
→ Secretary of Commerce
Domains
Government Oversight
Actor Mappings
"the_secretary"
→ Secretary of Commerce
Domains
Government Oversight Trade and Export Controls
Actor Mappings
"the_secretary"
→ Secretary of Commerce

Note: {'note': 'Refers to Secretary of Commerce throughout this bill, consistent with Export Control Reform Act authority', 'term': 'the_secretary'}

Key Definitions

Terms defined in this bill

3 terms
"cloud infrastructure service" §sec2_cloud_infra

Has the meaning given Infrastructure as a Service by NIST Special Publication 800-145

"remote access" §sec2_remote_access

Access to a controlled item by a foreign person of concern through cloud infrastructure service from outside the U.S. and other than where the item is physically located, where the Secretary determines serious national security or foreign policy risk, including: training AI dual-use models for WMD/offensive cyber/evasion of human control, accessing offensive cyberspace capabilities, or conducting surveillance undermining human rights

"foreign person of concern" §sec2_foreign_person_of_concern

Government of a country specified in 10 USC 4872(f)(2) or any region thereof (including Macau and Hong Kong SARs), entities located/headquartered there or whose ultimate parent is there, or persons subject to such government jurisdiction

We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.

Learn more about our methodology