The U.S. Department of Justice has launched a landmark initiative to block foreign adversaries—including China, Russia, and Iran—from exploiting commercial channels to access sensitive American data.
The Data Security Program (DSP), enacted under Executive Order 14117, establishes stringent controls over transactions involving U.S. government-related data and bulk personal information such as genomic, financial, and geolocation records.
Deputy Attorney General Todd Blanche emphasized the urgency of the program, stating, “Why would foreign adversaries resort to cyber intrusions when they can legally purchase or coerce access to data? The DSP closes this loophole”.
.png
)
The regulations, effective since April 8, 2025, aim to mitigate espionage, surveillance, and AI-driven military threats by treating sensitive data as a controlled export.
Compliance Guidance and FAQs
To streamline adherence, the Justice Department’s National Security Division (NSD) released a Compliance Guide and over 100 Frequently Asked Questions (FAQs).
These resources clarify prohibitions on transactions with entities linked to foreign adversaries and provide model contractual language for data agreements.
The guidance urges U.S. businesses to “know their data” by auditing flows of sensitive information and implementing robust security protocols aligned with CISA standards.
Notably, the FAQs address ambiguities raised during the rulemaking process, such as scope definitions and procedures for reporting violations.
NSD plans to update these documents as new questions emerge, prioritizing dialogue with stakeholders through a dedicated email portal.
However, officials stress that the guidance does not alter legal requirements, urging companies to align operations with the DSP’s full text.
90-Day Grace Period For Compliance
In a bid to minimize disruption, NSD announced a 90-day enforcement leniency period lasting through July 8, 2025.
During this window, the agency will defer civil penalties for violations if entities demonstrate “good faith efforts” to comply, such as renegotiating contracts or deploying updated security measures.
Affirmative due-diligence obligations are postponed until October 6, 2025, granting additional time to establish monitoring systems.
According to the Report, NSD encourages businesses to submit informal compliance inquiries but will delay formal license requests until after the grace period.
Deputy AG Blanche warned that post-July enforcement will be stringent, stating, “The DSP’s success hinges on universal adherence—no exceptions”.
The policy reflects a balancing act: safeguarding national security while accommodating corporate operational timelines.
The DSP marks a paradigm shift in treating data as a strategic asset, with implications for global tech firms, healthcare providers, and financial institutions.
As the July deadline approaches, businesses face mounting pressure to overhaul data practices or risk severe penalties in an increasingly volatile geopolitical landscape.
