On Feb. 28, 2024, President Biden issued Executive Order 14117, titled “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This executive order aims to protect sensitive data from foreign adversaries by restricting or prohibiting transactions involving bulk sensitive personal and government-related data, as well as entities from designated countries of concern.
- Bulk sensitive personal data includes information about individuals — such as financial, biometric, geolocation, and health data — collected or maintained beyond a specified threshold (e.g., 10,000 or 100,000 individuals).
- Government-related data refers to information held by the U.S. government or its agencies.
- Countries of concern include China, Cuba, Iran, North Korea, Russia, and Venezuela, along with certain individuals and entities associated with these nations.
In general, cross-border data transactions to countries of concern that involve bulk sensitive personal data or government-related data are considered "restricted transactions." Pursuant to the Department of Justice's (DOJ) Final Rule, organizations with restricted transactions must implement specific security measures to prevent or limit access by countries of concern or covered persons. These security measures are outlined in the DOJ’s required Data Security Program (DSP) and the Cybersecurity and Infrastructure Security Agency's (CISA) security requirements, which implement the executive order.
Specifically, the provisions regulating restricted transactions are intended to prevent access to government-related or bulk U.S. sensitive personal data by covered persons or countries of concern.[1] In most cases, the implementation of the CISA security requirements will lead to scenarios that involve denying access outright or implementing data-level mitigation requirements, which will have a similar outcome to denying access.
This article series aims to unpack the DOJ’s final rule and provide a compliance strategy for implementing the requirements of the DOJ’s DSP. To comply with the DSP requirements for restricted transactions, organizations must:
- Implement the CISA security requirements.
- Develop and implement a Data Compliance Program.
- Conduct regular audits.
- Meet certain recordkeeping requirements.
Given the tight timeframe for implementing the DSP, we want to highlight recent related regulatory guidance:
- Security Requirements for Restricted Transactions: Shortly after the DOJ issued the Final Rule, in January 2025, the U.S. CISA published “Security Requirements for Restricted Transactions.” These requirements aim to reduce the risk of sharing U.S. government-related data or large volumes of sensitive U.S. data with countries of concern or covered individuals through restricted transactions.
- DOJ Guidance: In April 2025, the DOJ issued three supporting documents to further guide the implementation of Executive Order 14117:
  - Data Security Program Implementation and Enforcement Policy: This document, titled “Data Security Program: Implementation and Enforcement Policy Through July 8, 2025,” grants a 90-day extension to July 8, 2025, for organizations to continue implementing necessary changes to comply with the DOJ’s Final Rule, provided they are making good-faith efforts. On July 8, 2025, the limited enforcement rule expires, and by Oct. 6, 2025, organizations must comply with all sections of the law.
  - Data Security Program Compliance Guide: This document, issued by the DOJ in April 2025 and titled “Data Security Program: Compliance Guide,” provides general information to assist organizations in complying with the Final Rule and to support a better understanding of the scope of the DSP.
  - Data Security Program: FAQ: This document, issued by the DOJ in April 2025 and titled “Data Security Program: Frequently Asked Questions,” offers clarifying answers to over 100 questions.
[1] Data Security Program: Frequently Asked Questions. DOJ. April 2025. FAQ 66.