Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · CFR · Title 31 — Money and Finance: Treasury · Part 800 · § 800.248

§ 800.248. TID U.S. business.

1,401 words·~6 min read·/us/cfr/t31/s§ 800.248·

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

The term TID U.S. business means any U.S. business that:
(a)Produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies;
(b)Performs the functions as set forth in column 2 of appendix A to this part with respect to covered investment critical infrastructure; or
(c)Maintains or collects, directly or indirectly, sensitive personal data of U.S. citizens.
(d)Examples:
(1)Example 1. Corporation A, a U.S. business, operates a munitions plant in the United States that produces a variety of military grade explosives. Some of the explosives manufactured by Corporation A are listed on the USML. Corporation A manufactures critical technologies and is therefore a TID U.S. business.
(2)Example 2. Corporation A, a U.S. business, produces an item (Item A) by purchasing various components from third-party suppliers and integrating them into Item A. One of these components (Component X) is a critical technology, but Item A is not a critical technology. Before integrating Component X into Item A, Corporation A merely verifies the fit and form of Component X solely as part of Item A. Assuming no other relevant facts, Corporation A does not test critical technologies and is therefore not a TID U.S. business.
(3)Example 3. Corporation A is a U.S. business that owns intellectual property rights and equipment for manufacturing a critical technology and maintains the know-how to manufacture that critical technology. It has been six months since Corporation A manufactured the critical technology. Because Corporation A retains the ability to manufacture the critical technology, Corporation A is a TID U.S. business.
(4)Example 4. Facility A is a crude oil storage facility with the capacity to hold 50 million barrels of crude oil. Corporation A is a U.S. business that operates Facility A. Corporation B is a U.S. business that provides third-party physical security to Facility A by guarding the gate to Facility A and patrolling the fence surrounding Facility A. Corporation C produces the fencing used by Facility A. Corporation D produces the commercially available off-the-shelf cyber security software utilized in Facility A. Corporation E provides third-party cyber security to Facility A by running Facility A's cyber security defenses. Facility A is covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Corporation A, Corporation B, and Corporation E each perform one of the functions as set forth in column 2 of appendix A to this part with respect to Facility A, and each is therefore a TID U.S. business. Assuming no other relevant facts, neither Corporation C nor Corporation D performs one of the functions as set forth in column 2 of appendix A to this part with respect to Facility A, and neither is therefore a TID U.S. business.
(5)Example 5. Pipeline A is an interstate natural gas pipeline with an outside diameter of 36 inches. Corporation A is a U.S. business that owns Pipeline A. Corporation B is a U.S. business that manufactures the pipe segments with an outside diameter of 36 inches that are used in Pipeline A. Pipeline A is covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Corporation A performs one of the functions as set forth in column 2 of appendix A to this part with respect to Pipeline A and is therefore a TID U.S. business. Assuming no other relevant facts, Corporation B does not perform one of the functions as set forth in column 2 of appendix A to this part with respect to Pipeline A and is therefore not a TID U.S. business.
(6)Example 6. IXP A is an internet exchange point that supports public peering. Corporation A is a U.S. business that operates IXP A. Corporation B is a U.S. business that maintains the physical premises of IXP A. IXP A is covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Corporation A performs one of the functions as set forth in column 2 of appendix A to this part with respect to IXP A and is therefore a TID U.S. business. Assuming no other relevant facts, Corporation B does not perform one of the functions as set forth in column 2 of appendix A to this part with respect to IXP A and is therefore not a TID U.S. business.
(7)Example 7. SCADA System A is a supervisory control and data acquisition system utilized by a public water system, as defined in section 1401(4) of the Safe Drinking Water Act, as amended (42 U.S.C. 300f(4)(A)), that regularly serves 15,000 individuals. Corporation A is a U.S. business that produces SCADA System A by building the hardware and integrating all the software. Corporation B is a U.S. business that produces commercially available off-the-shelf software that is sold to Corporation A and used as a component in SCADA System A. SCADA System A is covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Corporation A, as the manufacturer of SCADA System A, performs one of the functions as set forth in column 2 of appendix A to this part with respect to SCADA System A and is therefore a TID U.S. business. Assuming no other relevant facts, Corporation B does not perform one of the functions as set forth in column 2 of appendix A to this part with respect to SCADA System A and is therefore not a TID U.S. business.
(8)Example 8. Same facts as the example in paragraph (d)(7) of this section. Corporation B later releases a patch that updates the commercially available off-the-shelf software that is a component of SCADA System A. As the software is only a component of SCADA System A, the software itself is not covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Assuming no other relevant facts, Corporation B does not perform one of the functions as set forth in column 2 of appendix A to this part with respect to SCADA System A and is therefore not a TID U.S. business.
(9)Example 9. Alloy A is a steel alloy containing two percent manganese. Corporation A is a U.S. business that manufactures Alloy A in Facility A by melting the constituent metals. Facility A is in the United States. Corporation B is a U.S. business that purchases Alloy A from Corporation A and resells it to a prime contractor of the Department of Defense. Facility A is covered investment critical infrastructure as set forth in column 1 of appendix A to this part. Corporation A performs one of the functions as set forth in column 2 of appendix A to this part with respect to Alloy A and is therefore a TID U.S. business. Assuming no other relevant facts, Corporation B does not perform one of the functions as set forth in column 2 of appendix A to this part with respect to Alloy A and is therefore not a TID U.S. business.
(10)Example 10. Corporation A, a U.S. business, is a credit reporting agency and maintains consumer reports meeting the description under § 800.241(a)(1)(ii)(B) on greater than one million individuals, including U.S. citizens. Corporation A maintains sensitive personal data and is therefore a TID U.S. business.
(11)Example 11. Same facts as the example in paragraph (d)(10) of this section, except that Corporation A maintains the sensitive personal data through its wholly-owned subsidiary, Corporation X. Corporation A is a TID U.S. business because it indirectly maintains sensitive personal data. Corporation X is also a TID U.S. business because it directly maintains sensitive personal data.
(12)Example 12. Corporation A, a U.S. business, manufactures and sells specialty medical devices to patients with various health conditions. Corporation A solicits certain patient medical information on its five million customers, including U.S. citizens, which is sensitive personal data under § 800.241(a)(1)(ii)(D), for R, marketing, and quality assurance purposes. However, Corporation A does not directly maintain or collect this information, but instead outsources this function to a third party, Corporation X, which collects the data according to Corporation A's instructions and maintains the data on Corporation X's corporate servers for Corporation A to access. Corporation A is a TID U.S. business because it indirectly maintains and collects sensitive personal data, and Corporation X is a TID U.S. business because it directly maintains and collects sensitive personal data.
Connectionstraces to 1
Traces to 1 document
Citation graph
cites case law
§ 800.248
TID U.S. business.
U.S.C.§ 300f
Cites 1Cited by 0 across 0 sources
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.