17 June 2025

DOJ's Bulk Data Transaction Rule: Implementing The CISA Security Requirements For Restricted Transactions

Ankura Consulting Group LLC


In our prior article titled "Navigating the DOJ's Final Rule: Data Security Program Insights and Compliance," we introduced Executive Order 14117, titled "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern," and highlighted components of the Department of Justice's (DOJ) Final Implementing Rule. The DOJ's Final Implementing Rule sets forth specific requirements for Restricted Transactions.

Generally, transactions involving bulk sensitive personal data or government-related data, particularly those involving cross-border transactions to countries of concern such as China, are classified as "Restricted Transactions." Pursuant to the DOJ's Final Rule, organizations with Restricted Transactions must implement specific security measures to prevent or limit access by countries of concern or covered persons. These security measures are detailed in the DOJ's required Data Security Program and Cybersecurity and Infrastructure Security Agency's (CISA) security requirements.

Specifically, the DOJ's Final Implementing Rule mandates the establishment of a Data Security Program (DSP), requiring organizations to: 1) implement the CISA security requirements, 2) develop and implement a Data Compliance Program, 3) conduct regular audits, and 4) meet certain recordkeeping requirements.

Soon after the DOJ issued the Final Rule, in January 2025, the U.S. CISA published Security Requirements for Restricted Transactions. These requirements aim to mitigate the risk of sharing U.S. government-related data or large volumes of sensitive U.S. data with countries of concern or covered individuals through restricted transactions.

This article focuses on strategies for implementing the CISA security requirements in the context of restricted transactions. Outlined below are key components of the CISA security requirements.

  • Organizational Cybersecurity Requirements:
    • Asset Management: Identify, prioritize, and document all system assets, and maintain an up-to-date inventory; for information technology (IT) assets the inventory, including IP addresses, must be refreshed at least monthly.
    • Leadership Designation: Appoint a responsible individual for cybersecurity and governance, risk, and compliance functions.
    • Vulnerability Remediation: Address known exploited vulnerabilities in internet-facing systems within 45 days, with alternative measures if necessary.
    • Vendor Agreements: Document all vendor agreements, including IT and cybersecurity requirements.
    • Network Topology: Develop and maintain accurate network maps to facilitate incident response.
    • Approval Policies: Implement policies requiring approval before deploying new hardware or software, maintaining an approved list.
    • Incident Response Plans: Develop and annually update incident response plans for covered systems.
  • Access Controls:
    • Multifactor Authentication (MFA): Enforce MFA on all systems or require strong passwords if MFA is not feasible.
    • Credential Revocation: Promptly revoke access upon role changes or departures.
    • Log Management: Collect and securely store logs of access and security events for at least 12 months, accessible only by authorized users.
    • Default Denial Configurations: Deny all connections by default unless explicitly allowed.
    • Identity Management: Issue and manage identities and credentials to prevent unauthorized access, limiting system access to authorized users.
  • Risk Assessment: Conduct annual internal data risk assessments to evaluate and mitigate risks of unauthorized access to sensitive data, ensuring protection against misuse and associated consequences.
  • Data-Level Controls: The data-level requirements for restricted transactions aim to prevent access to covered data by covered persons or countries of concern using commonly available technology. The strategies include:
    • Data Minimization and Masking: Implement strategies to reduce the need for collecting data or to obfuscate it sufficiently that operations can continue without revealing sensitive data. This includes maintaining a data retention and deletion policy, processing data to minimize the ability to link it to individuals, and treating systems that handle such data as covered systems.
    • Encryption Techniques: Encrypt data during transit and storage in restricted transactions, with comprehensive encryption practices and secure key management, ensuring encryption keys are not accessible to covered persons or stored in countries of concern.
    • Privacy Enhancing Technologies: Use privacy-preserving computation and differential privacy techniques to process data without revealing or reconstructing it, ensuring systems using these technologies are considered covered systems.
    • Identity and Access Management: Configure systems to deny unauthorized access to covered data by covered persons and countries of concern, maintaining robust identity and access controls.
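Several of the requirements above carry concrete thresholds (IP inventory refreshed monthly, known exploited vulnerabilities on internet-facing systems remediated within 45 days, logs retained at least 12 months, MFA, default denial, keys kept out of countries of concern). The following is an added example, not part of the article or of Ankura's methodology, showing how a defender can evaluate a covered-system inventory against those thresholds; the record fields, the two sample systems, the CVE placeholder and the review date are all constructed assumptions.

```python
from datetime import date

# Thresholds taken from the CISA requirements summarized in the article
KEV_REMEDIATION_DAYS = 45     # known exploited vulns on internet-facing systems
INVENTORY_REFRESH_DAYS = 31   # IP inventory updated at least monthly
LOG_RETENTION_DAYS = 365      # access/security logs kept at least 12 months
COUNTRIES_OF_CONCERN = {"CN"}  # constructed subset; the article cites China
REVIEW_DATE = date(2025, 6, 17)  # constructed assessment date

# Constructed sample records, one per covered system (field names are assumptions)
SYSTEMS = [
    {"name": "api-gw", "internet_facing": True, "ip_inventory_updated": date(2025, 5, 1),
     "open_kevs": [{"cve": "CVE-PLACEHOLDER-1", "known_since": date(2025, 3, 1)}],
     "mfa_enforced": True, "default_deny": True, "log_retention_days": 400,
     "key_store_country": "US"},
    {"name": "analytics-db", "internet_facing": False, "ip_inventory_updated": date(2025, 6, 10),
     "open_kevs": [], "mfa_enforced": False, "default_deny": False,
     "log_retention_days": 90, "key_store_country": "CN"},
]

def evaluate(system, today):
    """Return a list of (requirement, detail) findings for one covered system."""
    findings = []
    if (today - system["ip_inventory_updated"]).days > INVENTORY_REFRESH_DAYS:
        findings.append(("asset_management", "IP inventory older than one month"))
    if system["internet_facing"]:  # the 45-day clock applies to internet-facing systems
        for kev in system["open_kevs"]:
            age = (today - kev["known_since"]).days
            if age > KEV_REMEDIATION_DAYS:
                findings.append(("vulnerability_remediation", f"{kev['cve']} open {age} days"))
    if not system["mfa_enforced"]:
        findings.append(("mfa", "MFA not enforced"))
    if not system["default_deny"]:
        findings.append(("default_denial", "connections not denied by default"))
    if system["log_retention_days"] < LOG_RETENTION_DAYS:
        findings.append(("log_management", f"retention {system['log_retention_days']} days < 12 months"))
    if system["key_store_country"] in COUNTRIES_OF_CONCERN:
        findings.append(("encryption", "encryption keys stored in a country of concern"))
    return findings

def evaluate_all(systems, today):
    """Map each system name to its findings; an empty list means no gap found."""
    return {s["name"]: evaluate(s, today) for s in systems}

if __name__ == "__main__":
    for name, gaps in evaluate_all(SYSTEMS, REVIEW_DATE).items():
        print(name, "PASS" if not gaps else gaps)
```

A real assessment would populate the records from the asset inventory and vulnerability scanner rather than from constants, but the threshold logic is what the requirements fix.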

Ankura is actively engaging with organizations on the evaluation and implementation of the required Data Security Program. We have developed a phased approach that applies a structured methodology across four key workstreams to assess and improve data security practices comprehensively.

  1. Plan & Discovery: This initial phase involves onboarding the team, confirming the scope and types of sensitive data, identifying security gaps, prioritizing areas for assessment, and solidifying the work plan and timeline with stakeholders and counsel. It also includes establishing project management and privileged communication standards.
  2. Gap Assessment: Conduct assessments with relevant stakeholders to understand current infrastructure, review existing documentation, perform onsite visits, identify control gaps, and develop remediation actions. An executive report is produced to outline strengths, findings, and recommendations.
  3. Reporting & Documentation: Develop readiness reports and documentation for counsel, clients, and public-facing websites. Then, develop executive summary reporting for the U.S. government.
  4. Re-Validation: Reassess failed controls, evaluate if they satisfy CISA data security requirements, and update reports with recommendations in accordance with the DOJ's Final Rule.

Throughout this process, the approach emphasizes ongoing quality assurance, reporting, and leadership oversight to ensure thorough execution and compliance with security standards.
