1
April 11, 2025 National Security Division
www.justice.gov Foreign Investment Review Section
DATA SECURITY PROGRAM: COMPLIANCE GUIDE
I. Introduction
The Data Security Program (“DSP”) implemented by the National Security Division
(“NSD”) under Executive Order 14117
1
(“the Order”) comprehensively and proactively
addresses the continued efforts of foreign adversaries to use commercial activities to access,
exploit, and weaponize U.S. Government-related (“government-related”) data and Americans’
bulk sensitive personal data.
The Order, among other things, directed the U.S. Department of Justice (the
“Department”) to issue regulations that prohibit or otherwise restrict United States persons from
engaging in certain transactions. On January 8, 2025, the Department’s National Security
Division (“NSD”) published a final rule implementing the Order, codified at 28 CFR Part 202
(“Data Security Program” or “DSP”).
2
The DSP addresses this “unusual and extraordinary
threat… to the national security and foreign policy of the United States” that has been repeatedly
recognized across political parties and by all three branches of Government—including, notably,
in the 2025 Annual Threat Assessment of the U.S. Intelligence Community and the President’s
America First Investment Policy, NSPM-2 on Imposing Maximum Pressure on Iran, national
emergency declared in Executive Order 13873,
3
and 2017 National Security Strategy. To
address this urgent threat, the DSP establishes what are effectively export controls that prevent
foreign adversaries, and those subject to their control and direction, from accessing U.S.
Government-related data and bulk U.S. sensitive personal data.
NSD’s primary mission with respect to the implementation and enforcement of the Data
Security Program is to protect U.S. national security from countries of concern that may seek to
collect and weaponize Americans’ most sensitive personal data. U.S. persons must comply with
the Data Security Program. Any individual or entity who conspires or seeks to evade the DSP’s
restrictions or prohibitions can potentially be subject to criminal or civil penalties. U.S. persons
should “know their data,” including the kinds and volumes of data collected about or maintained
on U.S. persons or U.S. devices; how their company uses the data; whether their company
engages in covered data transactions; and how such data is marketed, particularly with respect to
1
Executive Order 14117 of February 28, 2024 (Preventing Access to Americans’ Bulk Sensitive Personal Data and
United States Government-Related Data by Countries of Concern).
2
Unless otherwise indicated, all citations are to the sections of the DSP regulations in 28 CFR part 202.
3
Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services
Supply Chain).
