New DHS Security Requirements Impact Compliance for Employers with Workers in Six “Countries of Concern”
Monday, February 3, 2025

The U.S. Department of Homeland Security (DHS) recently published new security requirements for certain restricted transactions covered by the U.S. Department of Justice’s (DOJ) sensitive data export rules. The security requirements could create compliance issues for employers with workers in certain countries that have been identified as posing national security concerns, a list that currently includes China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

Quick Hits

  • The U.S. Department of Homeland Security published new security requirements for restricted transactions to prevent access to covered data and systems by countries of concern and certain persons affiliated with such countries.
  • The security requirements, which include stricter cybersecurity policies, multifactor authentication (MFA), incident response plans, and robust encryption to prevent unauthorized access to sensitive data, were published in conjunction with a Justice Department rule implementing a Biden administration-era executive order on cybersecurity.
  • Companies with employees in high-risk countries may face significant challenges in ensuring compliance with the new requirements, particularly regarding access to essential networks needed for business operations.

On January 3, 2025, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) released finalized security requirements for restricted transactions pursuant to Executive Order (EO) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” issued in February 2024 by then-President Joe Biden. The requirements were developed in conjunction with a DOJ final rule, which was published in the Federal Register on January 8, 2025, implementing EO 14117.

The CISA security requirements apply to certain restricted transactions identified by the DOJ that involve “bulk sensitive personal data or United States Government-related data” as defined by the DOJ and EO 14117 or that are of a class of transaction determined by the DOJ to pose an unacceptable risk to national security because it may enable certain “countries of concern or covered persons to access bulk sensitive personal data or United States Government-related data.”

The DOJ has identified six “countries of concern”: (1) China, including the special administrative regions of Hong Kong and Macau, (2) Cuba, (3) Iran, (4) North Korea, (5) Russia, and (6) Venezuela. A “covered person” is an individual or entity associated with a country of concern, and the term includes: (1) entities that are controlled or owned by one or more countries of concern, (2) entities that are controlled by “one or more persons” affiliated with a country of concern, (3) individuals who are “employee[s] or contractor[s] of a country of concern,” or (4) an entity controlled by a country of concern, and individuals the attorney general determines may be controlled by or act on behalf of a country of concern or other “covered person.”

Existing laws and regulations surrounding international data transfers, which are often transaction- or sector-specific, did not comprehensively address bulk data transfers to countries of concern. And, with respect to the personal data of U.S. citizens, certain common data processing principles are unequally applied given the existing patchwork of state and sectoral privacy laws. Accordingly, in an effort to fill the gap, the security requirements articulated by the DHS cover (1) organizational and system-level requirements for covered systems and (2) data-level requirements for data that is the subject of a restricted transaction.

Organizational- and System-Level Requirements

The security requirements state that entities must require that “basic organizational cybersecurity policies, practices, and requirements” are implemented with respect to any covered system (i.e., information systems used to interact with covered data in connection with restricted transactions). These steps include:

  1. maintaining an inventory of covered system assets and ensuring the “inventory is updated on a recurring basis”;
  2. designating an organizational-level individual, such as a Chief Information Security Officer, who will be “responsible and accountable” for cybersecurity and governance, risk, and compliance (GRC) functions;
  3. remediating any known exploited vulnerabilities (KEVs);
  4. documenting vendor/supplier agreements for covered systems;
  5. developing an “accurate network topology of the covered system”;
  6. adopting policies that require approval of new hardware or software before it is deployed in a covered system; and
  7. developing and maintaining incident response plans.

The requirements further call for entities to implement “logical and physical access controls” to protect access to data by covered persons or countries of concern, including the use of multifactor authentication (MFA) to prevent inappropriate access to data or, in the limited circumstances where MFA is not possible, stringent password requirements. Entities may wish to pay close attention to their processes for evaluating the sufficiency of their security protocols on an ongoing basis, including the issuance and management of identities and credentials associated with authorized users, services, and hardware, and the prompt revocation of credentials of individuals who leave or change roles.

The requirements likewise mandate the ongoing collection and storage of logs relating to access to covered systems and to the security of those systems. Additional technical specifications include denying network connections by default. Finally, the requirements direct entities to conduct internal data risk assessments and to evaluate, on an ongoing basis, whether the entity’s approach to security is sufficient to prevent access to covered data.

Data-Level Requirements

The CISA security requirements direct entities to implement data-level measures to “fully and effectively prevent access to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology” by the covered person, employee, or vendor, or the governments of countries of concern. The requirements call for:

  1. applying data minimization and masking strategies, which must include the preparation of and adherence to written data retention and deletion policies, and processing restrictions geared toward transforming the data such that it is no longer considered to be covered data or such that it is unlikely to be linked to an American person;
  2. utilizing compulsory encryption techniques to protect data;
  3. applying “privacy enhancing technologies” or “differential privacy techniques” during the course of any processing activities associated with covered data; and
  4. configuring identity and access management techniques to deny access to covered systems by covered persons or countries of concern.

Next Steps

The CISA security requirements may have major implications for global companies with employees in countries of concern, such as China, and are likely to raise concerns about whether such employees will be able to access networks and information that are critical for them to do their jobs.

However, employers with substantial operations in potentially impacted countries may want to take note that while the security requirements discussed above are being implemented pursuant to a Biden administration EO, it remains to be seen whether the Trump administration will roll back the security measures as part of the administration’s ongoing deregulation focus, particularly to the extent the requirements may have the practical impact of restricting work in China. Moreover, President Trump has issued a “Regulatory Freeze Pending Review,” which could delay the April 8, 2025, effective date of the DOJ’s final rule.

In the meantime, employers may want to take steps to prepare for the CISA security requirements and DOJ regulations regarding countries of concern and covered persons. To do so, companies may want to assess the extent to which they employ covered persons in countries of concern or have entered into contracts with vendors who rely upon personnel based in such countries. If they determine this to be the case, they may wish to assess whether they have necessary privacy and security safeguards, both technical and contractual, to prevent improper access to protected personal and U.S. government data.
