Privacy & Information Security Law Blog

On January 8, 2025, the U.S. Department of Homeland Security’s (“DHS”) Cybersecurity and Infrastructure Security Agency (“CISA”) published finalized Security Requirements for Restricted Transactions (the “Requirements”) as designated by the Department of Justice (“DOJ”) in the DOJ’s final rulemaking, each pursuant to Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) (“EO 14117”). EO 14117 tasked CISA with developing security requirements for transactions designated as “restricted” by the DOJ. CISA issued the Requirements in conjunction with the DOJ’s final rule on EO 14117 (“DOJ Rule”), also published on January 8, 2025. The Requirements and DOJ Rule will go into effect on April 8, 2025. See selections of our related coverage of the DOJ Rule and EO 14117, with links to additional materials.

As discussed in those posts, the DOJ Rule and EO 14117 establish a new regulatory regime that either prohibits or restricts “covered data transactions,” which are data brokerage, employment agreements, investment agreements and vendor agreements that could result in access to bulk U.S. sensitive personal data or government-related data (1) by a “country of concern” (i.e., China, Cuba, Iran, North Korea, Russia and Venezuela) or (2) a “covered person” affiliated with a country of concern. While certain transactions are prohibited outright, U.S. persons must adhere to certain compliance requirements before engaging in “restricted transactions,” including security regulations established by CISA to “adequately mitigate the risks of access by countries of concern or covered persons to bulk sensitive personal data or United States Government-related data.” Restricted transactions include any sharing or access with a covered vendor, employee or investor.

The Requirements are divided in two sections: (1) organizational- and covered system-level requirements and (2) data-level requirements. CISA’s intent is to provide entities with direct means of mitigating the risk of access to covered data, establish effective governance, and establish an auditable basis for compliance purposes. The Requirements are based on several similar, widely used cybersecurity standards or frameworks (i.e., the NIST Cybersecurity Framework (“CSF”), NIST Privacy Framework (“PF”) and CISA Cybersecurity Performance Goals (“CPGs”)), and include:

(1) Organizational- and covered system-level requirements for “covered systems” that “interact with” the “covered data as part of a restricted transaction, regardless of whether the data is encrypted, anonymized, pseudonymized, or de-identified:”

• Maintain an updated asset inventory (including at least monthly updates).
• Designate a person responsible and accountable for (1) cybersecurity and (2) governance, risk and compliance (one for both or one for each).
• Remediate known exploited vulnerabilities within at most 45 days.
• Document and maintain all vendor/supplier agreements for covered systems.
• Develop and maintain an accurate network topology and any network interfacing with a covered system.
• Implement a policy for requiring approval for new hardware or software.
• Maintain incident response plans and review at least annually.
• Implement logical and physical access controls, including: enforcing MFA, promptly revoking credentials upon termination/role change, logging (and logging storage and access practices), implementing deny-by-default configurations (with limited exceptions), and managing credentials that adequately prevent access to covered data, transactions and functions by covered persons and/or countries of concern.
• Conduct an internal data risk assessment.

Covered systems do not include systems that have the ability to view or read sensitive personal data (other than government-related data) but do not ordinarily interact with such data in bulk form.

(2) Data-level requirements for restricted transactions, to be implemented in a combination that is “sufficient to fully and effectively prevent access to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and/or countries of concern, consistent with the data risk assessment:”

• Apply data minimization and masking strategies, including: maintaining a written data retention and deletion policy, processing data in a way that it is no longer covered data or minimizes the linkability to a U.S. person (g., via techniques like anonymization, making sure identities can’t be extrapolated from data sets).
• Apply encryption techniques, including comprehensive encryption and specific key management practices.
• Apply privacy enhancing technologies, g., privacy preserving computation or differential privacy techniques.
• Configure the identity and access management techniques to deny authorized access to covered data.

Entities must also treat systems that do processing for data minimization, making and apply privacy enhancing technologies as covered systems subject to the organizational and system level requirements above.

CISA mapped each of the requirements to the corresponding NIST CSF controls, NIST PF controls and/or CISA CPGs. CISA declined to grant reciprocity for entities that already participate in existing data or cybersecurity regimes as they do not adequately “address the national security risks associated with restricted transactions,” but took various steps to introduce flexibility into many of the requirements and noted that it “remains open” to mapping the Requirements to existing frameworks such as ISO/IEC 27001 or NIST Special Publication 800-17. CISA also provided various examples to illustrate concepts like “access” to covered data. Companies should assess their readiness for the rapidly approaching enforcement date in April.