In implementing this part, the Secretary of Commerce may:
(a) Consider any and all relevant information held by, or otherwise made available to, the Federal Government that is not otherwise restricted by law for use for this purpose, including:
(1) Publicly available information;
(2) Confidential business information, as defined in 19 CFR 201.6, or proprietary information;
(3) Classified National Security Information, as defined in Executive Order 13526 (December 29, 2009) and its predecessor executive orders, and Controlled Unclassified Information, as defined in Executive Order 13556 (November 4, 2010);
(4) Information obtained from state, local, tribal, or foreign governments or authorities;
(5) Information obtained from parties to a transaction, including records related to such transaction that any party uses, processes, or retains, or would be expected to use, process, or retain, in their ordinary course of business for such a transaction;
(6) Information obtained through the authority granted under sections 2(a) and (c) of the Executive Order and IEEPA, as set forth in U.S.C. 7.101;
(7) Information provided by any other U.S. Government national security body, in each case only to the extent necessary for national security purposes, and subject to applicable confidentiality and classification requirements, including the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector and the Federal Acquisitions Security Council and its designated information-sharing bodies; and
(8) Information provided by any other U.S. Government agency, department, or other regulatory body, including the Federal Communications Commission, Department of Homeland Security, and Department of Justice;
(b) Consolidate the review of any ICTS Transactions with other transactions already under review where the Secretary determines that the transactions raise the same or similar issues, or that are otherwise properly consolidated;
(c) In consultation with the appropriate agency heads, in determining whether an ICTS Transaction involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, consider the following:
(1) Whether the person or its suppliers have headquarters, research, development, manufacturing, test, distribution, or service facilities, or other operations in a foreign country, including one controlled by, or subject to the jurisdiction of, a foreign adversary;
(2) Ties between the person—including its officers, directors or similar officials, employees, consultants, or contractors—and a foreign adversary;
(3) Laws and regulations of any foreign adversary in which the person is headquartered or conducts operations, including research and development, manufacturing, packaging, and distribution; and
(4) Any other criteria that the Secretary deems appropriate;
(d) In consultation with the appropriate agency heads, in determining whether an ICTS Transaction poses an undue or unacceptable risk, consider the following:
(1) Threat assessments and reports prepared by the Director of National Intelligence pursuant to section 5(a) of the Executive Order;
(2) Removal or exclusion orders issued by the Secretary of Homeland Security, the Secretary of Defense, or the Director of National Intelligence (or their designee) pursuant to recommendations of the Federal Acquisition Security Council, under 41 U.S.C. 1323;
(3) Relevant provisions of the Defense Federal Acquisition Regulation (48 CFR ch. 2) and the Federal Acquisition Regulation (48 CFR ch. 1), and their respective supplements;
(4) The written assessment produced pursuant to section 5(b) of the Executive Order, as well as the entities, hardware, software, and services that present vulnerabilities in the United States as determined by the Secretary of Homeland Security pursuant to that section;
(5) Actual and potential threats to execution of a “National Critical Function” identified by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency;
(6) The nature, degree, and likelihood of consequence to the United States public and private sectors that could occur if ICTS vulnerabilities were to be exploited; and
(7) Any other source or information that the Secretary deems appropriate; and
(e) In the event the Secretary finds that unusual and extraordinary harm to the national security of the United States is likely to occur if all of the procedures specified herein are followed, the Secretary may deviate from these procedures in a manner tailored to protect against that harm.