The Cybersecurity and Infrastructure Security Agency (CISA) has released proposed security requirements to safeguard Americans' sensitive personal and government-related data from countries of concern, as outlined in Executive Order 14117, signed by President Biden in February 2024.
The goal is to mitigate national security risks posed by these countries accessing bulk U.S. data through restricted transactions. These proposed rules aim to address foreign threats, especially from nations like China, Russia, and Iran, by enforcing stringent protections on the data involved in specific types of transactions.
Proposed data security measures
CISA's security framework introduces comprehensive organizational- and data-level measures to protect U.S. sensitive personal data, which include:
Organizational-Level Security:
- Organizations must maintain an updated inventory of system assets, including hardware and software.
- Organizations must appoint designated security officers, such as a Chief Information Security Officer (CISO), to oversee cybersecurity and governance.
- Known exploited vulnerabilities must be patched within 14 days, with longer timeframes for other critical and high-severity issues.
- Organizations must document all third-party agreements for covered systems, ensuring robust cybersecurity clauses are embedded.
- Organizations must maintain and regularly review incident response plans to ensure rapid recovery from cybersecurity breaches.
Data-Level Protections:
- Implement strategies like pseudonymization and aggregation to minimize exposure of sensitive information during transactions.
- Encrypt sensitive data during transit and storage using methods like TLS (Transport Layer Security) and secure key management, with encryption keys kept separate from sensitive data.
- Leverage privacy-preserving techniques, such as homomorphic encryption and differential privacy, to process data without exposing it to countries of concern.
Regulatory scope and impact
The proposed security requirements will apply to transactions flagged as posing a significant national security risk, identified through DOJ regulations. They set high bars for compliance, including enhanced cybersecurity governance, stricter vendor agreements, and incident management protocols. The proposed rules are designed to prevent data misuse for espionage, foreign influence operations, or military advancements by nations of concern.
The initiative reflects a broader U.S. strategy to control access to sensitive data that foreign actors may exploit. These new standards complement existing security measures, such as the reviews conducted by the Committee on Foreign Investment in the United States (CFIUS).
CISA encourages public feedback on the proposed requirements. Stakeholders, including industry experts, organizations, and civil society groups, can submit comments via the federal regulations portal until the proposed deadline. The input gathered will shape the final security protocols to ensure they are effective, practical, and enforceable across sectors engaged in restricted transactions involving sensitive U.S. data.