Executive Order 14117 Brings New Rules on Data Sharing: What You Need to Know

Patrick Bryden

Operating in 2025, especially as a global business, feels more compliance-constrained than ever, and regulators remain busy. A final CISA rule on January 8th, aimed at regulating bulk data sharing across borders, adds yet another compliance framework to the mix.


The guidance is pursuant to a 2024 Executive Order with a fairly self-explanatory title: “Preventing Access to Americans' Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern”. The rule defines covered countries and parties and explicitly lists the prohibited data-sharing transactions.





Why the updates?

The updated rules are in response to continued concerns around the unauthorized access and use of sensitive data by hostile nation-states and their agents. This includes traditional economic espionage but also carries national security implications. As AI and other data-focused technologies mature, these risks also evolve and multiply.


What changes on April 8th?

Most of the new rules go into effect on April 8th, with all guidance implemented by October 2025. Once this happens:


  • data-sharing gets more complicated for companies doing business with either organizations or some individuals from countries of concern (“CoC”)

  • new data security controls are now mandatory

  • strict penalties are in place for non-compliance


Companies need to work now to understand the potential impact of these rules on their operations and how they impact third-party relationships. Evaluating current data protection controls can help you avoid potential non-compliance risks.


The list of impacted countries is pretty straightforward

The new rules govern data sharing with the following countries of concern (“CoC”): China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.


Defining “covered persons” is slightly more convoluted

According to the rules, a “covered person” (“CP”) includes both individuals and organizations. By statute, CPs include:


  • Organizations that are >50% owned by a CoC

  • Organizations chartered under the laws of a CoC, or with a CoC as a primary place of business

  • Organizations that are >50% owned by another CP

  • Individuals with a CoC location as a primary residence

  • Individuals serving as a contractor of a CoC or another CP


The DOJ also retains the power to designate additional covered persons at any time.


The list of covered transactions is fairly clear

The final rule defines the kinds of data-sharing covered by the Executive Order:


  • Commercial agreements around selling or transferring bulk US personal data (BUSPD)

  • Vendor agreements that might grant CoCs or CPs access to restricted data

  • Employment contracts that may lead to hiring CPs and granting them access to covered data

  • Investment agreements that might give CPs access to restricted data


As with designated CoCs and CPs, the DOJ may expand this list at any point.


What will businesses have to do differently?

The Executive Order and final rule don’t prohibit these transactions but require businesses to implement significant controls. Many are already operating with these defenses in place; their challenge is to document and demonstrate compliance.


Organizational best practices

The guidance ranges from general best practices to very prescriptive technical controls. The new rules demand organizations be able to demonstrate:


  • Regular asset maintenance and inventory processes, including a system-wide asset list and network map that gets updated at least every 30 days

  • Designated, accountable compliance and risk stakeholders responsible for enforcing rules and compliance across the organization

  • Robust vendor and supplier documentation covering all IT engagements, with a special focus on cybersecurity and compliance

  • Continuous monitoring of software vulnerabilities with a 45-day, “risk-informed” timeline for mitigation upon discovery

  • Formal controlled deployment policies that explain how updates and changes are managed across the system

  • Complete incident response policies and procedures that guide remediation and notification after an event, to be reviewed at least annually


Modernized system-level technical defenses

Beyond those big fundamental best practices, the new rules also dictate organizations must demonstrate specific technical controls.


  • Asset and application access restrictions, both logical and physical, to secure data against unauthorized use

  • Standardized user access management

  • Multifactor Authentication (MFA) controls must now be in place on all covered systems

  • Least privilege/denial by default must be implemented for affected systems

  • The ability to promptly revoke credentials and access for specific users and/or services

  • Comprehensive log management, with logs retained for up to 12 months

  • Defenses against access by unauthorized media or hardware


Tough data-level controls

Given Executive Order 14117’s emphasis on data protection, the outlined security requirements combine industry best practices with specific control mandates to prevent unauthorized access. Organizations must implement the following measures to ensure compliance and safeguard sensitive data.


  • Regular risk assessments are now mandatory (on an annual basis), in which teams look across the entire data ecosystem, assess threats, prioritize responses, and prepare an action plan.

  • Additional strong data protection measures must also be implemented to enable the granular level of access control required to allow for secure sharing:

    • Data minimization and masking policies that help reduce the total amount of data collected and its linkability.

    • Robust encryption, including protection of data at rest, must be implemented to CISA standards, with encryption keys being securely stored separately.

    • Additional privacy-enhancing technologies, including homomorphic encryption and differential privacy techniques, are required to ensure organizations are taking every available step to secure impacted data.

  • Stronger access controls that maximize the ability to granularly control which users have access to data, as well as the ability to quickly remove those privileges.

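The data minimization, masking and key-separation points above are easier to reason about with a concrete pipeline. The following Python is an added illustration, not code from the original post or from Confidencial, and it is not an implementation of any CISA or DOJ requirement; the sample records, the field policy and the environment variable `MASKING_KEY_HEX` are all constructed for the example. It drops fields a downstream party does not need, replaces direct identifiers with keyed one-way pseudonyms so per-customer aggregation still works, generalizes quasi-identifiers to reduce linkability, and keeps the masking key outside the dataset so that the masked records alone cannot be linked back to the originals.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample records (not real people) of the kind a bulk
# data-sharing agreement might cover.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789",
     "zip": "30301", "purchase_total": 120.50},
    {"name": "Bob Example", "email": "bob@example.com", "ssn": "987-65-4321",
     "zip": "94105", "purchase_total": 75.00},
    {"name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789",
     "zip": "30301", "purchase_total": 30.25},
]

# Hypothetical field policy for one downstream consumer.
DROP_FIELDS = {"name", "ssn"}            # data minimization: never shared
PSEUDONYMIZE_FIELDS = {"email"}          # consistent but irreversible token
GENERALIZE_FIELDS = {"zip": lambda z: z[:3] + "XX"}  # reduce linkability


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic, one-way token: same input + same key -> same token.

    HMAC rather than a plain hash so that someone holding only the masked
    dataset cannot rebuild the mapping by hashing guessed inputs.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_record(record: dict, key: bytes) -> dict:
    """Apply the field policy to a single record."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in PSEUDONYMIZE_FIELDS:
            out[field] = pseudonymize(value, key)
        elif field in GENERALIZE_FIELDS:
            out[field] = GENERALIZE_FIELDS[field](value)
        else:
            out[field] = value
    return out


def mask_dataset(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


def remaining_direct_identifiers(records: list) -> set:
    """Fields from DROP_FIELDS still present; must be empty before release."""
    return {f for r in records for f in r if f in DROP_FIELDS}


def totals_by_subject(masked_records: list) -> dict:
    """Show the masked data is still useful: spend per pseudonymous customer."""
    totals = defaultdict(float)
    for r in masked_records:
        totals[r["email"]] += r["purchase_total"]
    return dict(totals)


def load_masking_key() -> bytes:
    """The key is the separately stored secret and never travels with the data.

    In production this would come from a KMS or secrets manager; here it is
    read from a constructed environment variable, with a random key generated
    for a one-off demo run if the variable is absent.
    """
    hex_key = os.environ.get("MASKING_KEY_HEX")
    if hex_key:
        return bytes.fromhex(hex_key)
    return os.urandom(32)


if __name__ == "__main__":
    key = load_masking_key()
    masked = mask_dataset(SAMPLE_RECORDS, key)
    assert not remaining_direct_identifiers(masked)
    for r in masked:
        print(r)
    print(totals_by_subject(masked))
```

Two properties worth checking in any real pipeline mirror the assertions here: no field on the drop list survives into the shared dataset, and the same record masked under a different key yields a different token, which is what makes holding the key separately from the data meaningful.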

How can Confidencial help?

No matter where organizations are on their data security journey, Executive Order 14117 provides an opportunity to evaluate their existing data protection controls, especially encryption at rest. Confidencial can help deliver potent and portable data protection.


Confidencial’s unique selective encryption granularly protects sensitive data inside a file both in transit and at rest. This protection is also persistent: no matter where the file goes, sensitive data stays encrypted to unauthorized users. This balance of security and shareability must be part of any future data strategy, no matter what the next Executive Order brings.


To learn more about how Confidencial can help, get in touch with us here.
