Security Requirements for Restricted Transactions

On February 28, 2024, President Biden signed Executive Order (E.O.) 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern, to address national-security and foreign-policy threats that arise when countries of concern and covered persons can access bulk U.S. sensitive personal data or government-related data that may be implicated by the categories of restricted transactions.  As directed by E.O. 14117, CISA developed security requirements to apply to classes of restricted transactions identified in regulations issued by the Department of Justice (DOJ).

In October 2024, CISA published and solicited comment on proposed security requirements for restricted transactions. CISA considered that public feedback when developing the final security requirements, which will be published in the Federal Register in January 2025.  As finalized and incorporated into the DOJ regulations, the security requirements require that U.S. persons engaging in restricted transactions comply with organizational-, system-, and data-level requirements to prevent covered persons and countries of concern from accessing covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology.

For additional information, please visit Security Requirements for Restricted Transactions under Executive Order 14117.