DOJ Issues Additional Guidance as Data Security Program Enters into Effect; Limits Enforcement for First 90 Days

By Chase D. Kaniecki, Christopher Kavanaugh, Samuel H. Chang, B.J. Altvater & Ryan Brown on April 23, 2025

Table of Contents

  • Enforcement Policy
  • Compliance Guide
  • Frequently Asked Questions

On April 11, 2025, the U.S. Department of Justice, National Security Division (“DOJ”) issued a compliance guide (“Compliance Guide”), a set of frequently asked questions (“FAQs”), and a 90-day limited enforcement policy (“Enforcement Policy”) relating to implementation of the Data Security Program, codified at 28 C.F.R. Part 202 (“DSP”).  The DSP is a regulatory program designed to prevent certain countries of concern—China, Cuba, Iran, North Korea, Russia, and Venezuela—and covered persons from having access to Americans’ bulk sensitive personal data and U.S. government-related data.  The DSP largely went into effect on April 8, 2025. 

We previously discussed the final rule implementing the DSP here.

Enforcement Policy

The Foreign Investment Review Section of DOJ’s National Security Division will be responsible for enforcing civil and criminal violations of the DSP.  The Enforcement Policy published on April 11, 2025 outlines DOJ’s temporary approach to enforcement during the initial 90-day period from April 8 to July 8, 2025.  During this period, to give companies time to bring their activities into compliance with the DSP, DOJ will not prioritize civil enforcement actions against any person for violations of the DSP that occur during this initial period so long as the person is engaging in good-faith efforts to comply with or come into compliance with the DSP during that time.  However, DOJ will pursue penalties and other enforcement actions as appropriate for egregious, willful violations.

Some examples of good-faith compliance efforts include the following:

  • Conducting internal reviews of access to sensitive personal data and determining whether transactions qualify as data brokerage;
  • Reviewing internal datasets to determine those potentially subject to the DSP;
  • Renegotiating agreements with existing vendors or negotiating agreements with new vendors;
  • Transferring products and services to new vendors;
  • Performing due diligence on potential new vendors;
  • Negotiating onward-transfer provisions in contracts with foreign counterparties to data brokerage transactions;
  • Modifying employee work locations, roles, or responsibilities;
  • Assessing investments from countries of concern or covered persons;
  • Renegotiating investment agreements with countries of concern or covered persons; and
  • Implementing the CISA Security Requirements.

These efforts are intended to demonstrate a commitment to compliance with the DSP, ensuring that companies take the necessary steps to protect sensitive data and adhere to regulatory standards.

Compliance Guide

The non-binding Compliance Guide encourages U.S. persons to comply with the DSP by adopting a “know-your-data strategy.”  This strategy includes several key components for effective compliance.  First, it requires understanding the types and amounts of data relating to U.S. persons or devices that a company collects or stores.  Second, it involves knowing how the company uses this data.  Third, it includes determining whether the company participates in covered data transactions.  Lastly, the strategy should address how the data is marketed, especially concerning current or recently former employees or contractors, as well as former senior officials of the U.S. government, including those from the military and intelligence community.

In addition to summarizing the DSP’s requirements, the Compliance Guide offers specific compliance tips, such as:

  • Identifying activities that may not be ordinarily thought of as “data brokerage” but that may nonetheless constitute data brokerage under the DSP.
  • Providing a model clause to comply with the onward-transfer requirements outlined in 28 C.F.R. § 202.302.
  • Listing situations in which the DSP’s recordkeeping and reporting requirements apply.
  • Establishing a vendor management and validation policy to verify whether current or prospective vendors are covered persons.
  • Recommending periodic (ideally, at least annual) training on the U.S. person’s data compliance program and the CISA Security Requirements to all relevant employees and personnel.
  • Offering an email address for parties to submit informal inquiries or requests for guidance: nsd.firs.datasecurity@usdoj.gov.

Frequently Asked Questions

The FAQs include DOJ’s responses to over one hundred questions related to compliance with the DSP.

Although the FAQs generally restate or summarize the DSP and its provisions, the FAQs also describe the interplay between the DSP and other national-security-related regulatory programs, including sanctions, export controls, the Commerce Department’s Information and Communication Technology and Services (“ICTS”) program, and the Committee on Foreign Investment in the United States (“CFIUS”) review process.  For example, when CFIUS imposes a mitigation agreement that includes data security-related mitigation, the obligations under the CFIUS agreement generally take priority, and the DSP may no longer apply to the transaction under CFIUS review.[1] 

The FAQs clarify certain blurry distinctions between “U.S. persons” and “covered persons” under the DSP.  For example, while located in the United States, a non-designated covered person is a U.S. person and correspondingly loses its covered person status.  However, upon leaving the United States, the non-designated covered person will automatically revert to being a foreign person and a covered person.[2] 

The FAQs also clarify that, when determining whether an entity is a covered person based on its ownership structure, indirect ownership should be calculated using the same method as OFAC’s 50 percent rule: when a covered person directly owns 50 percent or more of an entity, the covered person also indirectly owns what that entity directly owns.[3] 

Finally, the FAQs explain that the corporate-group transactions exemption generally does not authorize covered data transactions between U.S. persons and their subsidiaries or affiliates in countries of concern for routine research and development purposes, confirming that “administrative and ancillary business activities” should be construed narrowly.[4]


[1] See DSP FAQ 8.

[2] See DSP FAQ 53.

[3] See DSP FAQ 60.

[4] See DSP FAQ 76.

Chase D. Kaniecki

Chase Kaniecki’s practice focuses on international trade and national security matters, including CFIUS and global foreign direct investment, economic sanctions, export controls, customs, and trade remedies.

Christopher Kavanaugh

Chris Kavanaugh’s practice focuses on enforcement and litigation, including high-stakes trials, government and internal investigations, white-collar criminal defense, False Claims Act, and crisis management.

  • Posted in:
    Administrative and Regulatory
  • Blog:
    Cleary Enforcement Watch
  • Organization:
    Cleary Gottlieb Steen & Hamilton LLP
