Introduction
The US Department of Justice (DOJ) has launched a comprehensive Data Security Program through its National Security Division (NSD) to safeguard sensitive US government-related data and personal information from foreign adversaries. This initiative [2] [4] [5] [6], driven by Executive Order 14117, primarily targets threats from nations such as China, Russia [2] [3] [4] [5] [6], and Iran [2] [3] [4] [5] [6], aiming to prevent unauthorized access to American data and mitigate national security risks.
Description
The US Department of Justice (DOJ) has implemented a Data Security Program through its National Security Division (NSD) to protect US government-related data and sensitive personal information from foreign adversaries, particularly China, Russia [2] [3] [4] [5] [6], Iran [2] [3] [4] [5] [6], and others. This initiative [2] [4] [5] [6], established under Executive Order 14117 signed by President Joe Biden, addresses significant national security threats by preventing these nations from accessing American data through commercial means [3]. This effort aims to thwart surveillance, counterintelligence [5], and espionage activities that pose substantial risks to US national security, a concern recognized across political lines [2]. The program introduces export controls and prohibitions on certain “covered data transactions,” restricting foreign entities from acquiring bulk genomic, geolocation [2] [3] [4], biometric [2] [3] [4], health [2] [3] [4], financial [2] [3] [4], and other sensitive personal data [2] [3].
To facilitate compliance with the new regulations, the NSD has released a comprehensive Compliance Guide, detailing best practices for establishing data compliance programs [5], including key definitions, requirements [2] [3] [5], prohibited transactions [2] [3] [5], and model contractual language [5]. An initial list of over 100 Frequently Asked Questions (FAQs) has also been published to clarify the program’s scope and compliance processes [2] [3]. These resources are designed to assist US individuals, companies [4] [6], and foreign firms operating in the US in understanding their data and the associated risks [6].
The Data Security Program went into effect on April 8, 2025 [2] [3], with a 90-day enforcement grace period allowing individuals and entities to adjust to the new requirements without facing immediate penalties [2] [3], provided they demonstrate good faith efforts to comply [2] [3]. During this initial period [2] [6], which lasts until July 8, 2025, the NSD will focus on helping the public understand and adhere to the program while encouraging informal inquiries [2]. Full compliance is expected by the end of the grace period [5], with certain due-diligence obligations delayed until October 6 to allow additional time for compliance [5].
US Deputy Attorney General Todd Blanche emphasized the ease with which foreign adversaries can obtain Americans’ data through market purchases or coercion [4], rather than through traditional cyber intrusions [6]. The DOJ has identified six nations as “countries of concern” for their involvement in the malicious acquisition of US data: China [4], Cuba [4], Iran [2] [3] [4] [5] [6], North Korea [4], Russia [2] [3] [4] [5] [6], and Venezuela [4]. These countries are viewed as threats to US national security [4], engaging in activities such as espionage [4], surveillance [4] [5], coercion [4], and influence operations [4], as well as targeting journalists and marginalized communities [4]. The Compliance Guide underscores the importance of US persons understanding their data and the risks associated with foreign access [3], with NSD committed to updating the FAQs and providing ongoing guidance to ensure effective compliance with the program’s mandates. Additionally, the program establishes criteria for evaluating the risk of applications associated with foreign adversaries [1], further enhancing the protection of personal data.
Conclusion
The Data Security Program represents a significant step in fortifying US national security by addressing the vulnerabilities associated with foreign access to sensitive data. By implementing stringent controls and providing comprehensive guidance, the DOJ aims to mitigate the risks posed by foreign adversaries. The program’s success will depend on effective collaboration among the government, the private sector, and individuals to ensure compliance and adapt to evolving threats. As the program progresses, ongoing updates and guidance will be crucial in maintaining robust data protection and safeguarding national interests.
References
[1] https://global.chinadaily.com.cn/a/202107/13/WS60ecce99a310efa1bd661556.html
[2] https://www.justice.gov/opa/pr/justice-department-implements-critical-national-security-program-protect-americans-sensitive
[3] https://www.hstoday.us/subject-matter-areas/cybersecurity/justice-department-implements-critical-national-security-program-to-protect-americans-sensitive-data-from-foreign-adversaries/
[4] https://www.infosecurity-magazine.com/news/us-foreign-governments-acquiring/
[5] https://executivegov.com/2025/04/doj-data-security-program-implementation/
[6] https://securityonline.info/doj-launches-data-security-program-to-counter-foreign-data-exploitation/