The U.S. Department of Justice has moved to implement a critical data security program aimed at protecting sensitive U.S. data from misuse by foreign adversaries such as China, Russia, and Iran. The program, named the Data Security Program, is an initiative of the National Security Division (NSD) and is rooted in Executive Order 14117. This directive underscores the "unusual and extraordinary threat...to the national security and foreign policy of the United States," a concern acknowledged across multiple government branches.
According to Deputy Attorney General Todd Blanche, the Data Security Program is designed to complicate the easy acquisition of American data by foreign adversaries. “If you’re a foreign adversary, why would you go through the trouble of complicated cyber intrusions and theft to get Americans’ data when you can just buy it on the open market or force a company under your jurisdiction to give you access?” he said. “The Data Security Program makes getting that data a lot harder.”
The program introduces what functionally serves as export controls to prevent foreign entities from accessing sensitive U.S. data, including government-related data, geolocation, biometric, health, and financial information. The program officially took effect on April 8, 2025, and involves several compliance measures to assist entities in alignment with its mandates.
To help with the transition, NSD has published a Compliance Guide, a list of over 100 Frequently Asked Questions (FAQs), and an Implementation and Enforcement Policy effective for the first 90 days. These resources offer guidance on compliance best practices, data transaction prohibitions, and information required for developing data safety compliance programs.
The Data Security Compliance Guide categorizes best practices for reduced national security risks from foreign data exploitation. The FAQs provide clarity on Executive Order 14117, program scope, and procedures for reporting violations or seeking advisory opinions. NSD plans to continually update these FAQs based on public queries and ongoing issues relevant to the Data Security Program.
For the first 90 days, NSD’s enforcement of the Data Security Program will allow time for organizations and individuals to adjust their practices for compliance. Entities do not need to fulfill all due-diligence obligations until October 6, 2025, but are encouraged to engage in preparatory compliance activities. NSD has made it clear they will not prioritize civil enforcement actions against those making good faith efforts to comply during this period.
The public is encouraged to contact the NSD for informal inquiries or to provide information related to the Data Security Program. While formal requests for licenses will not be processed in this initial phase, the program’s guidelines will evolve as additional public feedback is considered. This 90-day period aims to ensure that by its conclusion, all entities are in full compliance with the Data Security Program, thus mitigating threats to national security.