The term TID U.S. business means any U.S. business that:
(a) Produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies;
(b) Performs the functions as set forth in column 2 of appendix A to this part with respect to covered investment critical infrastructure; or
(c) Maintains or collects, directly or indirectly, sensitive personal data of U.S. citizens.
(d) Examples:
(1) Example 1. Corporation A, a U.S. business, operates a munitions plant in the United States that produces a variety of military grade explosives. Some of the explosives manufactured by Corporation A are listed on the USML. Corporation A manufactures critical technologies and is therefore a TID U.S. business.
(2) Example 2. Corporation A, a U.S. business, produces an item (Item A) by purchasing various components from third-party suppliers and integrating them into Item A. One of these components (Component X) is a critical technology, but Item A is not a critical technology. Before integrating Component X into Item A, Corporation A merely verifies the fit and form of Component X solely as part of Item A. Assuming no other relevant facts, Corporation A does not test critical technologies and is therefore not a TID U.S. business.
(3) Example 3. Corporation A is a U.S. business that owns intellectual property rights and equipment for manufacturing a critical technology and maintains the know-how to manufacture that critical technology. It has been six months since Corporation A manufactured the critical technology. Because Corporation A retains the ability to manufacture the critical technology, Corporation A is a TID U.S. business.
(4) Example 4. Facility A is a crude oil storage facility with the capacity to hold 50 million barrels of crude oil. Corporation A is a U.S. business that operates Facility A. Corporation B is a U.S. business that provides third-party physical security to Facility A by guarding the gate to Facility A and patrolling the fence surrounding Facility A. Corporation C produces the fencing used by Facility A. Corporation D produces the commercially available off-the-shelf cyber security software utilized in Facility A. Corporation E provides third-party cyber security to Facility A by running Facility A's cyber security defenses. Facility A is covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Corporation A, Corporation B, and Corporation E each perform one of the functions as set forth in column 2 of appendix A to this part with respect to Facility A, and each is therefore a TID U.S. business. Assuming no other relevant facts, neither Corporation C nor Corporation D performs one of the functions as set forth in column 2 of appendix A to this part with respect to Facility A, and neither is therefore a TID U.S. business.
(5) Example 5. Pipeline A is an interstate natural gas pipeline with an outside diameter of 36 inches. Corporation A is a U.S. business that owns Pipeline A. Corporation B is a U.S. business that manufactures the pipe segments with an outside diameter of 36 inches that are used in Pipeline A. Pipeline A is covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Corporation A performs one of the functions as set forth in column 2 of appendix A to this part with respect to Pipeline A and is therefore a TID U.S. business. Assuming no other relevant facts, Corporation B does not perform one of the functions as set forth in column 2 of appendix A to this part with respect to Pipeline A and is therefore not a TID U.S. business.
(6) Example 6. IXP A is an internet exchange point that supports public peering. Corporation A is a U.S. business that operates IXP A. Corporation B is a U.S. business that maintains the physical premises of IXP A. IXP A is covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Corporation A performs one of the functions as set forth in column 2 of appendix A to this part with respect to IXP A and is therefore a TID U.S. business. Assuming no other relevant facts, Corporation B does not perform one of the functions as set forth in column 2 of appendix A to this part with respect to IXP A and is therefore not a TID U.S. business.
(7) Example 7. SCADA System A is a supervisory control and data acquisition system utilized by a public water system, as defined in section 1401(4) of the Safe Drinking Water Act, as amended (42 U.S.C. 300f(4)(A)), that regularly serves 15,000 individuals. Corporation A is a U.S. business that produces SCADA System A by building the hardware and integrating all the software. Corporation B is a U.S. business that produces commercially available off-the-shelf software that is sold to Corporation A and used as a component in SCADA System A. SCADA System A is covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Corporation A, as the manufacturer of SCADA System A, performs one of the functions as set forth in column 2 of appendix A to this part with respect to SCADA System A and is therefore a TID U.S. business. Assuming no other relevant facts, Corporation B does not perform one of the functions as set forth in column 2 of appendix A to this part with respect to SCADA System A and is therefore not a TID U.S. business.
(8) Example 8. Same facts as the example in paragraph (d)(7) of this section. Corporation B later releases a patch that updates the commercially available off-the-shelf software that is a component of SCADA System A. As the software is only a component of SCADA System A, the software itself is not covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Assuming no other relevant facts, Corporation B does not perform one of the functions as set forth in column 2 of appendix A to this part with respect to SCADA System A and is therefore not a TID U.S. business.
(9) Example 9. Alloy A is a steel alloy containing two percent manganese. Corporation A is a U.S. business that manufactures Alloy A in Facility A by melting the constituent metals. Facility A is in the United States. Corporation B is a U.S. business that purchases Alloy A from Corporation A and resells it to a prime contractor of the Department of Defense. Facility A is covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Corporation A performs one of the functions as set forth in column 2 of appendix A to this part with respect to Alloy A and is therefore a TID U.S. business. Assuming no other relevant facts, Corporation B does not perform one of the functions as set forth in column 2 of appendix A to this part with respect to Alloy A and is therefore not a TID U.S. business.
(10) Example 10. Corporation A, a U.S. business, is a credit reporting agency and maintains consumer reports meeting the description under § 800.241(a)(1)(ii)(B) on greater than one million individuals, including U.S. citizens. Corporation A maintains sensitive personal data and is therefore a TID U.S. business.
(11) Example 11. Same facts as the example in paragraph (d)(10) of this section, except that Corporation A maintains the sensitive personal data through its wholly-owned subsidiary, Corporation X. Corporation A is a TID U.S. business because it indirectly maintains sensitive personal data. Corporation X is also a TID U.S. business because it directly maintains sensitive personal data.
(12) Example 12. Corporation A, a U.S. business, manufactures and sells specialty medical devices to patients with various health conditions. Corporation A solicits certain patient medical information on its five million customers, including U.S. citizens, which is sensitive personal data under § 800.241(a)(1)(ii)(D), for R&D, marketing, and quality assurance purposes. However, Corporation A does not directly maintain or collect this information, but instead outsources this function to a third party, Corporation X, which collects the data according to Corporation A's instructions and maintains the data on Corporation X's corporate servers for Corporation A to access. Corporation A is a TID U.S. business because it indirectly maintains and collects sensitive personal data, and Corporation X is a TID U.S. business because it directly maintains and collects sensitive personal data.