(a) After considering materials described in § 791.100(a), the Secretary may, at the Secretary's discretion, initiate a review of an ICTS Transaction.

(b) As part of the review, the Secretary will assess whether the transaction:

(1) Constitutes a Covered ICTS Transaction, as described in § 791.3;

(2) Involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, as described in § 791.100(c); and

(3) Poses an undue or unacceptable risk as described in §§ 791.100(d) and 791.103(c).

(c) In assessing whether the Covered ICTS Transaction poses an undue or unacceptable risk, the Secretary may evaluate, among other relevant factors, the following criteria:

(1) The nature and characteristics of the ICTS at issue in the Covered ICTS Transaction, including technical capabilities, applications, and market share considerations;

(2) The nature and degree of the ownership, control, direction, or jurisdiction exercised by the foreign adversary or foreign adversary persons over the design, development, manufacture, or supply at issue in the Covered ICTS Transaction, to include:

(i) The ownership, control, or management by persons that support a foreign adversary's military, intelligence, or proliferation activities; and

(ii) The ownership, control, or management by persons involved in malicious cyber-enabled activities;

(3) The statements and actions of the foreign adversary at issue in the Covered ICTS Transaction;

(4) The statements and actions of the persons involved in the design, development, manufacture, or supply of the ICTS at issue in the Covered ICTS Transaction;

(5) The statements and actions of the parties to the Covered ICTS Transaction;

(6) Whether the Covered ICTS Transaction poses a discrete or persistent threat;

(7) The nature and characteristics of the customer base, business relationships, and operating locations of the parties to the Covered ICTS Transaction;

(8) Whether there is an ability to otherwise mitigate the risks posed by the Covered ICTS Transaction;

(9) The severity of the harm posed by the Covered ICTS Transaction on at least one of the following:

(i) Health, safety, and security;

(ii) Critical infrastructure;

(iii) Sensitive data;

(iv) The economy;

(v) Foreign policy;

(vi) The natural environment; and

(vii) National Essential Functions (as defined by Federal Continuity Directive-2 (FCD-2));

(10) The likelihood that the Covered ICTS Transaction will result in the threatened harm; and

(11) For ICTS Transactions involving connected software applications:

(i) the number and sensitivity of the users with access to the connected software application;

(ii) the scope and sensitivity of any data collected by the connected software application;

(iii) any use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary's access to sensitive or confidential government or business information, or sensitive personal data;

(iv) whether there is regular, thorough, and reliable third-party auditing of the connected software application; and

(v) the extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.

(d) If the Secretary finds that an ICTS Transaction does not meet the criteria of paragraph (b) of this section:

(1) The transaction shall no longer be under review; and

(2) Future review of the transaction shall not be precluded, where additional information becomes available to the Secretary.