(a) Upon receipt of any information identified in §7.100(a), upon written request of an appropriate agency head, or at the Secretary's discretion, the Secretary may consider any referral for review of a transaction (referral).

(b) In considering a referral pursuant to paragraph (a), the Secretary shall assess whether the referral falls within the scope of §7.3(a) of this part and involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, and determine whether to:

(1) Accept the referral and commence an initial review of the transaction;

(2) Request additional information, as identified in §7.100(a), from the referring entity regarding the referral; or

(3) Reject the referral.

(c) Upon accepting a referral pursuant to paragraph (b) of this section, the Secretary shall conduct an initial review of the ICTS Transaction and assess whether the ICTS Transaction poses an undue or unacceptable risk, which may be determined by evaluating the following criteria:

(1) The nature and characteristics of the information and communications technology or services at issue in the ICTS Transaction, including technical capabilities, applications, and market share considerations;

(2) The nature and degree of the ownership, control, direction, or jurisdiction exercised by the foreign adversary over the design, development, manufacture, or supply at issue in the ICTS Transaction;

(3) The statements and actions of the foreign adversary at issue in the ICTS Transaction;

(4) The statements and actions of the persons involved in the design, development, manufacture, or supply at issue in the ICTS Transaction;

(5) The statements and actions of the parties to the ICTS Transaction;

(6) Whether the ICTS Transaction poses a discrete or persistent threat;

(7) The nature of the vulnerability implicated by the ICTS Transaction;

(8) Whether there is an ability to otherwise mitigate the risks posed by the ICTS Transaction;

(9) The severity of the harm posed by the ICTS Transaction on at least one of the following:

(i) Health, safety, and security;

(ii) Critical infrastructure;

(iii) Sensitive data;

(iv) The economy;

(v) Foreign policy;

(vi) The natural environment; and

(vii) National Essential Functions (as defined by Federal Continuity Directive-2 (FCD-2)); and

(10) The likelihood that the ICTS Transaction will in fact cause threatened harm.

(d) If the Secretary finds that an ICTS Transaction does not meet the criteria of paragraph (b) of this section:

(1) The transaction shall no longer be under review; and

(2) Future review of the transaction shall not be precluded, where additional information becomes available to the Secretary.