On April 11, 2025, the U.S. Department of Justice, National Security Division (“DOJ”) issued a compliance guide (“Compliance Guide”), a set of frequently asked questions (“FAQs”), and a 90-day limited enforcement policy (“Enforcement Policy”) relating to implementation of the Data Security Program, codified at 28 C.F.R. Part 202 (“DSP”). The DSP is a regulatory program designed to prevent certain countries of concern—China, Cuba, Iran, North Korea, Russia, and Venezuela—and covered persons from having access to Americans’ bulk sensitive personal data and U.S. government-related data. The DSP largely went into effect on April 8, 2025.
We previously discussed the final rule implementing the DSP here.
Enforcement Policy
The Foreign Investment Review Section of DOJ’s National Security Division will be responsible for enforcing civil and criminal violations of the DSP. The Enforcement Policy published on April 11, 2025 outlines DOJ’s temporary approach to enforcement during the initial 90-day period from April 8 to July 8, 2025. During this period, to give companies time to bring their activities into compliance with the DSP, DOJ will not prioritize civil enforcement actions against any person for violations of the DSP that occur during this initial period so long as the person is engaging in good-faith efforts to comply with or come into compliance with the DSP during that time. However, DOJ will pursue penalties and other enforcement actions as appropriate for egregious, willful violations.
Some examples of good-faith compliance efforts include the following:
- Conducting internal reviews of access to sensitive personal data and determining whether transactions qualify as data brokerage;
- Reviewing internal datasets to determine those potentially subject to the DSP;
- Renegotiating agreements with existing vendors or negotiating agreements with new vendors;
- Transferring products and services to new vendors;
- Performing due diligence on potential new vendors;
- Negotiating onward-transfer provisions in contracts with foreign counterparties to data brokerage transactions;
- Modifying employee work locations, roles, or responsibilities;
- Assessing investments from countries of concern or covered persons;
- Renegotiating investment agreements with countries of concern or covered persons; and
- Implementing the CISA Security Requirements.
These efforts are intended to demonstrate a commitment to compliance with the DSP, ensuring that companies take the necessary steps to protect sensitive data and adhere to regulatory standards.
Compliance Guide
The non-binding Compliance Guide encourages U.S. persons to comply with the DSP by adopting a “know-your-data strategy.” This strategy includes several key components for effective compliance. First, it requires understanding the types and amounts of data relating to U.S. persons or devices that a company collects or stores. Second, it involves knowing how the company uses this data. Third, it includes determining whether the company participates in covered data transactions. Lastly, the strategy should address how the company markets the data, particularly data concerning current or recent former employees or contractors and former senior officials of the U.S. government, including those from the military and intelligence community.
In addition to summarizing the DSP’s requirements, the Compliance Guide offers specific compliance tips, such as:
- Identifying activities that may not be ordinarily thought of as “data brokerage” but that may nonetheless constitute data brokerage under the DSP.
- Providing a model clause to comply with the onward-transfer requirements outlined in 28 C.F.R. § 202.302.
- Listing situations in which the DSP’s recordkeeping and reporting requirements apply.
- Establishing a vendor management and validation policy to verify whether current or prospective vendors are covered persons.
- Recommending periodic (ideally, at least annual) training on the U.S. person’s data compliance program and the CISA Security Requirements to all relevant employees and personnel.
- Offering an email address for parties to submit informal inquiries or requests for guidance: nsd.firs.datasecurity@usdoj.gov.
Frequently Asked Questions
The FAQs include DOJ’s responses to over one hundred questions related to compliance with the DSP.
Although the FAQs generally restate or summarize the DSP and its provisions, the FAQs also describe the interplay between the DSP and other national-security-related regulatory programs, including sanctions, export controls, the Commerce Department’s Information and Communication Technology and Services (“ICTS”) program, and the Committee on Foreign Investment in the United States (“CFIUS”) review process. For example, when CFIUS imposes a mitigation agreement that includes data security-related mitigation, the obligations under the CFIUS agreement generally take priority, and the DSP may no longer apply to the transaction under CFIUS review.[1]
The FAQs clarify certain blurry distinctions between “U.S. persons” and “covered persons” under the DSP. For example, while located in the United States, a non-designated covered person is a U.S. person and correspondingly loses its covered person status. However, upon leaving the United States, the non-designated covered person will automatically revert to being a foreign person and a covered person.[2]
The FAQs also clarify that, when determining whether an entity is a covered person based on its ownership structure, indirect ownership should be calculated using the same method as OFAC’s 50 percent rule: when a covered person directly owns 50 percent or more of an entity, the covered person also indirectly owns what that entity directly owns.[3]
Finally, the FAQs explain that the corporate-group transactions exemption generally does not authorize covered data transactions between U.S. persons and their subsidiaries or affiliates in countries of concern for routine research and development purposes, confirming that “administrative and ancillary business activities” should be construed narrowly.[4]
[1] See DSP FAQ 8.
[2] See DSP FAQ 53.
[3] See DSP FAQ 60.
[4] See DSP FAQ 76.