Data Security

OVERVIEW

The Data Security Program addresses the national-security risks posed by the continued efforts of foreign adversaries to use commercial activities to access and exploit U.S. Government-related data and Americans’ bulk sensitive personal data. This data can be used to commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop AI and military capabilities, and otherwise undermine U.S. national security. To address this threat, the Data Security Program establishes what are effectively export controls that prohibit or restrict countries of concern (and covered persons subject to their jurisdiction, ownership, control, or direction) from engaging in certain categories of transactions with U.S. persons that can give them access to U.S. Government-related data or Americans’ bulk genomic, geolocation, biometric, health, financial, or other sensitive personal data. 

The Data Security Program went into effect on April 8, 2025. It was issued under the International Emergency Economic Powers Act and Executive Order 14117 of February 28, 2024 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government Data by Countries of Concern). The program addresses a national emergency declared by the President in Executive Order 13873 of May 15, 2019 to deal with the “unusual and extraordinary threat … to the national security and foreign policy of the United States” posed by foreign adversaries’ access to Americans’ “vast amounts of sensitive information.” The national-security risks posed by foreign-adversary access to Americans’ sensitive personal data have been repeatedly recognized by all three branches of Government, including by the Executive Branch in the 2025 Annual Threat Assessment of the U.S. Intelligence Community, America First Investment Policy, NSPM-2 on Imposing Maximum Pressure on Iran, 2024 National Counterintelligence Strategy, 2022 National Security Strategy, and 2017 National Security Strategy; in a 2023 report by the House Select Committee on the Chinese Communist Party and a 2024 report by the House Committee on Energy and Commerce; and in the Supreme Court’s 2025 decision and D.C. Circuit’s 2024 decision in TikTok Inc. v. Garland. 

CURRENT RESOURCES

• 28 C.F.R. Part 202
• Correcting Amendment (published April 18, 2025)
• Frequently Asked Questions (issued April 11, 2025)
• Compliance Guide (issued April 11, 2025)
• Implementation and Enforcement Policy Through July 8, 2025 (issued April 11, 2025)
• Press release, Justice Department Implements Critical National Security Program to Protect Americans’ Sensitive Data from Foreign Adversaries (April 11, 2025)
• CISA Security Requirements (issued January 3, 2025)

CONTACT INFORMATION

For non-press inquiries, please contact NSD.FIRS.datasecurity@usdoj.gov. 
For press inquiries, please contact DOJ’s Office of Public Affairs here.

HISTORICAL DOCUMENTS

Final Rule and Final Security Requirements. On December 26, 2024, the Department’s National Security Division issued a final rule to implement Executive Order 14117. The final rule became effective on April 8, 2025, with certain affirmative requirements regarding due diligence and audits for restricted transactions (subpart J), annual reports (§ 202.1103), and reports on rejected prohibited transactions (§ 202.1104) effective on October 5, 2025.

• Press release (final rule)
• Fact sheet (final rule)

Concurrently with the Department’s issuance of the Final Rule, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) issued the final security requirements with which U.S. persons engaged in restricted transactions must comply.

Notice of Proposed Rulemaking and Proposed Security Requirements. On October 18, 2024, the Department’s National Security Division issued a notice of proposed rulemaking (NPRM) to offer full draft regulations for public notice and comment. The NPRM reflected the public another opportunity to submit comments on the new program. The public-comment period for the NPRM closed on November 29, 2024. 

• Press release (NPRM)
• Fact sheet (NPRM)

Concurrently with the Department’s issuance of the NPRM, CISA proposed security requirements with which U.S. persons engaged in restricted transactions under the proposed rule would have to comply.

Information Collections. Concurrently with the NPRM, the Department of Justice submitted to the Office of Information and Regulatory Affairs the forms and other information collections that would be established by the proposed rule for approval under the Paperwork Reduction Act.

Advance Notice of Proposed Rulemaking. Concurrent with the issuance of the Executive Order, the Department’s National Security Division published an Advance Notice of Proposed Rulemaking (ANPRM) in the Federal Register to provide transparency and clarity about the intended scope of the program, and to solicit comments on its development and implementation. The public-comment period for the ANPRM closed on April 19, 2024.

• Department’s press release (ANPRM)
• Department’s fact sheet (ANPRM)

Executive Order 14117. On February 28, 2024, the President issued Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). This Executive Order directed the Department of Justice to develop and implement the Data Security Program and directed various agencies to take steps to use existing authorities to enhance the protection of Americans’ sensitive personal data in telecommunications (Team Telecom), the U.S. healthcare market (Departments of Defense, Health and Human Services, and Veterans Affairs, and National Science Foundation), and federal consumer protection law (Consumer Financial Protection Bureau).

• White House fact sheet (EO)