The Inner Circle

Pursuant To Exec. Order 14117, Preventing Access To Americans' Bulk Sensitive Personal Data And United States Government-Related Data By Countries Of Concern

    Posted Jan 08, 2025 11:39:00 AM

    Hi All,

    SECURITY REQUIREMENTS FOR RESTRICTED TRANSACTIONS
    JANUARY 2025
    Pursuant To Exec. Order 14117, Preventing Access To Americans' Bulk Sensitive Personal Data And United States Government-Related Data By Countries Of Concern

    On February 28, 2024, President Biden signed Executive Order (E.O.) 14117, Preventing Access to Americans' Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern, to address national-security and foreign-policy threats that arise when countries of concern and covered persons can access bulk U.S. sensitive personal data or government-related data that may be implicated by the categories of restricted transactions.

    As directed by E.O. 14117, CISA has developed the following security requirements to apply to classes of restricted transactions identified in regulations issued by the Department of Justice (DOJ). See generally 28 C.F.R. part 202 (identifying classes of restricted transactions at 28 C.F.R. § 202.401).

    The security requirements provide the organizational- and covered system-level requirements (Section I) and covered data-level requirements (Section II) which U.S. persons engaging in restricted transactions must meet. These security requirements are in addition to any compliance-related conditions imposed in applicable DOJ regulations. See 28 C.F.R. § 202.1001-202.1201. References below to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), NIST Privacy Framework (PF), and CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) are intended to help the reader understand which aspects of existing frameworks, guidance, or other resources these security requirements are based upon, consistent with the requirements of the E.O. Understanding and applying these security requirements does not require a reader to also understand and apply the referenced resources.



    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
    ------------------------------