Go-To Guide:
On April 11, 2025, the DOJ’s National Security Division (NSD) issued a Compliance Guide, Implementation and Enforcement Policy, and FAQs for its Data Security Program (DSP), finalized pursuant to Executive Order 14117 and 28 C.F.R. Part 202. The DSP is primarily designed to prevent certain cross-border data flows and transactions. Individuals and companies subject to the DSP must comply with new security requirements, reporting and recordkeeping duties, and due diligence rules.
The recently issued guidance makes evident NSD’s intent to make the DSP an enforcement priority for this administration. Access to Americans’ bulk sensitive or personal data or U.S. government-related data increases the ability of countries of concern to engage in a wide range of malicious activities. The DSP is currently subject to a 90-day initial enforcement period, which is a limited enforcement window to give individuals and companies additional time to bring their transactions and processes into compliance with the DSP. After July 8, 2025, NSD will implement full enforcement of the DSP.
Who Is Affected?
Entities or individuals involved in a “covered data transaction” (as described below) are subject to the DSP’s rules and requirements. These likely include:
- Companies organized under the laws of the United States that handle, transfer, or provide access to U.S. government-related data or bulk U.S. sensitive personal data, including U.S. government contractors and grantees;
- Individuals or companies that engage in data brokerage transactions, including the use of certain cookies, pixels, and software development kits, which many companies use for tracking and advertising purposes;
- Non-U.S. persons involved in prohibited transactions or other transactions that may evade or violate the DSP rules.
What Data Transactions Are Covered?
The DSP is designed to prohibit or restrict access to sensitive U.S. data by a designated country of concern. Generally, the DSP does not govern purely domestic data transactions between U.S. persons or cross-border transactions involving non-designated foreign countries.
Instead, the DSP is focused on “covered data transactions”: Any transaction that allows a country of concern or covered person access to government-related data or bulk U.S. sensitive personal data and involves data brokerage, a vendor agreement, an employment agreement, or an investment agreement.
- Country of Concern: Any foreign government determined by the Attorney General with the concurrence of the Secretary of State and the Secretary of Commerce as being engaged in a long-term pattern or serious instances of conduct significantly adverse to U.S. national security and posing a significant risk of exploiting government-related data or bulk U.S. sensitive personal data.
– Currently designated countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
- Covered Person: Broadly defined, drawing on sanctions terminology from the Treasury’s Office of Foreign Assets Control (OFAC) 50% Rule:
– Foreign entity that is headquartered in, has its principal place of business in, is chartered in, or is organized under the laws of a country of concern; or that is 50% or more owned (individually or in the aggregate) by countries of concern or by persons described in one or more of the bullets below;
– Foreign individual who is an employee or contractor of a country of concern or covered person; or
– Foreign individual who is primarily a resident in a country of concern; or
In the event the individuals above visit the United States, they lose their covered person status while they are in the country. Upon leaving the United States, they will automatically revert to being a covered person.
– NSD may also designate both foreign and U.S. persons as covered persons based on certain criteria (e.g., was, is, or is likely to become subject to ownership or control of a country of concern or other covered person, or knowingly caused or directed a violation of the DSP). These designated covered persons retain their covered person status even when located in the United States. NSD will publicly announce these covered persons on its website.
- Government-Related Data: Includes any precise geolocation data for over 700 specified sites (relating to worksites, duty stations, military installations, and other facilities that support U.S. national security) and sensitive personal data linked to current or recent U.S. government employees, contractors, or senior officials.
- Bulk U.S. Sensitive Personal Data: Data collections relating to U.S. persons that meet the categories and volume thresholds listed below, measured over the preceding 12 months. Unlike many privacy laws that contractors may be used to, under the DSP, bulk U.S. sensitive personal data does not exclude data that has been anonymized, de-identified, pseudonymized, or aggregated.
| U.S. Sensitive Personal Data | Threshold of data collected about or maintained on… |
| --- | --- |
| Human genomic data | 100 U.S. persons |
| Human epigenomic data | 1,000 U.S. persons |
| Human proteomic data | 1,000 U.S. persons |
| Human transcriptomic data | 1,000 U.S. persons |
| Biometric identifiers | 1,000 U.S. persons |
| Precise geolocation data | 1,000 U.S. devices |
| Personal health data | 10,000 U.S. persons |
| Personal financial data | 10,000 U.S. persons |
| Covered personal identifier | 100,000 U.S. persons |
| Combined data, as described in § 202.205(g) | Lowest applicable number |
- Data Brokerage: The sale, licensing of access, or similar commercial transaction of data (excluding vendor, employment, and investment agreements) where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. This includes both first-party and third-party data brokerage transactions.
- Vendor Agreement: Any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person in exchange for payment or other consideration. Vendor agreements include transactions for cloud-computing services.
- Employment Agreement: Any agreement or arrangement in which an individual works directly for a person in exchange for payment or other consideration, other than as an independent contractor.
- Investment Agreement: An agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to (1) real estate in the U.S., or (2) a U.S. legal entity.
Key Prohibitions and Restrictions
Under the DSP, covered data transactions may be prohibited or restricted depending on the nature of the activity.
- Prohibited transactions: Data brokerage with countries of concern or covered persons, including certain uses of cookies/pixels/SDKs, or with other foreign persons that are not contractually restricted from onward data brokerage. Covered data transactions involving bulk human genomic data are also prohibited. The prohibitions also cover transactions designed to evade or avoid, cause a violation of, or attempt to violate (including conspiracies to violate) any of the DSP’s prohibitions. U.S. persons are prohibited from knowingly directing any transaction that would be prohibited, or that would be restricted, without compliance with the applicable requirements.
- Restricted transactions: Vendor, employment, or investment agreements with covered persons or countries of concern require compliance with CISA’s Requirements for Restricted Transactions. These requirements are based on NIST CSF 2.0, with data-level requirements based on the NIST Privacy Framework. Restricted transactions that fail to comply with these requirements are “unauthorized transactions” and constitute a violation of the DSP.
- Exemptions: There are 11 categories of transactions that are exempt from the prohibitions and restrictions of the DSP, including transactions that are directed or authorized in the performance of a government contract or grant. In its discretion, NSD may issue general or specific licenses to authorize certain transactions that would otherwise be prohibited.
Time-Sensitive Requirements
- Due Diligence: NSD expects U.S. persons subject to the DSP to “know their data.” Companies should review data flows, vendor/partner/customer relationships, and cross-border transactions for DSP coverage.
- Data Compliance Program: For restricted transactions, implement a written, annually certified Data Compliance Program by Oct. 6, 2025. For restricted transactions that involve vendors, the compliance program must also account for risk-based procedures to verify the identity of vendors.
- Auditing: Conduct regular audits of your compliance program and related software and systems. Audits must be performed once for each calendar year that a restricted transaction is made and must cover the 12 preceding months.
- Recordkeeping: Maintain detailed records of restricted transactions for 10 years. Required records must be maintained in an auditable manner and meet certain minimum requirements, including annual certification.
- Reporting: Starting Oct. 6, 2025, any U.S. person that receives and rejects a prohibited transaction involving data brokerage must report it within 14 days of the rejection, even if the U.S. person uses software or other technology to automatically reject such transactions. Restricted transactions involving cloud-computing services must also be reported annually where 25% or more of the U.S. person’s equity interests are owned by a country of concern or covered person. NSD may also require, from time to time, certain reports and information that must be furnished under oath.
Penalties
Violations of the DSP can be prosecuted criminally and civilly under a knowledge standard. NSD will review the totality of circumstances to assess DSP violations.
- Civil penalties: The greater of $368,136 or twice the value of the transaction.
- Criminal penalties: Willful violations may result in up to 20 years in prison and a fine of up to $1,000,000.
Additionally, financial awards may be available to individuals (in the U.S. or abroad) who report DSP violations through FinCEN’s whistleblower incentive program. Eligibility will depend on whether the reported information results in a successful enforcement action that yields monetary penalties exceeding $1,000,000.
Enforcement Timeline
- Initial 90-Day Period: Through July 8, 2025, individuals and companies subject to the DSP will not be targeted for enforcement if they engage in good faith efforts to come into full compliance with the DSP. Examples of relevant good faith efforts are provided in NSD’s Implementation and Enforcement Policy.
- After July 8, 2025: Full enforcement begins; penalties for non-compliance apply.
Next Steps for U.S. Persons Engaged in Covered Data Transactions
- Map and review your data flows, cross-border transactions, and vendor/customer/partner relationships.
- Identify contracts that need to be updated with clauses that prohibit covered data transactions and/or require compliance with CISA’s security requirements.
- Implement CISA security measures for restricted transactions.
- Prepare for annual audits, reporting, and certification requirements.