SPARCS - Topic Of The Week

CISA Security Controls and the Sensitive Data Rule

Last week, we discussed the Sensitive Data Rule: what the rule means, who it affects, and what your organization should be doing right now to prepare. One important point from that discussion is the relevance of the CISA security controls to the Sensitive Data Rule. The Sensitive Data Rule defines two types of data transactions: prohibited transactions and restricted transactions. CISA becomes relevant when your organization engages in restricted transactions, because you cannot engage in a restricted transaction unless you are exempt, are authorized by a general or specific license, or comply with all applicable Data Security Program requirements. Organizations are expected to implement CISA's security controls to meet the DOJ's requirements for restricted transactions.

Definitions

Let's take a quick moment to define some things that were mentioned above:

  • Prohibited Transactions: A transaction involving U.S. sensitive personal data or government-related data that is categorically banned due to its high risk of exploitation by a “country of concern,” and for which no license, mitigation, or exemption is permitted.
  • Restricted Transactions: A specific type of data transaction involving bulk U.S. sensitive personal data or U.S. government-related data that poses an unacceptable risk of access by a “country of concern.” This may be permitted if there are exemptions, licenses, or appropriate security measures in place (Data Security Program requirements).

Additional definitions:

  • Countries of Concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, Venezuela.
  • CISA: The Cybersecurity and Infrastructure Security Agency

Reminders/Background

As a reminder, you are conducting a restricted transaction IF all of the following apply:

  1. The transaction involves bulk U.S. sensitive personal data or government-related data, including:
    • Genomic data
    • Biometric identifiers (face, voice, retina, etc.)
    • Precise geolocation
    • Personal health information
    • Financial account details
    • Government-employee or national-security data
    • Covered data of children or other vulnerable populations
  2. The transaction occurs with or involves a “covered person” (e.g., a company, broker, or service provider) that is:
    • Owned, controlled by, or subject to the jurisdiction of a "country of concern"
    • Acting on behalf of a “country of concern”
    • Likely to provide access to a “country of concern” (intentionally or through insufficient safeguards)
  3. The transaction has not been licensed, exempted, or approved under the DOJ’s processes.

Some examples of restricted transactions are:

  • Data sales to brokers or foreign buyers
  • Outsourcing of data processing to foreign service providers
  • Cloud storage or access involving servers located in or accessible from countries of concern
  • Software integrations or APIs that transfer bulk data across borders

What are the Data Security Program Requirements?

The Data Security Program requirements are defined in 28 CFR 202 and apply if your organization currently conducts, or plans to conduct, restricted transactions. The following elements must be implemented as part of your Data Security Program (DSP):

  1. Governance and Oversight
    1. Designate a senior official responsible for the Data Security Program.
    2. Maintain written policies and procedures for compliance with the rule.
    3. Establish oversight processes to review and update the DSP at least annually.
    4. Conduct due diligence to identify and mitigate risks associated with covered persons or countries of concern.
  2. Personnel and Access Management
    1. Implement role-based access controls (RBAC) that limit access to covered data only to those who need it.
    2. Require background screening for employees or contractors with access to covered systems or data.
    3. Use multi-factor authentication (MFA) for any access to covered systems or data.
  3. Covered System Controls
    1. Maintain a secure and segmented system architecture to isolate covered data.
    2. Ensure audit logging and continuous monitoring of all access and activity on covered systems.
    3. Implement intrusion detection and anomaly detection mechanisms.
  4. Covered Data Protection
    1. Use encryption (FIPS 140-2 validated or equivalent) for data at rest and in transit.
    2. Apply data minimization, tokenization, or pseudonymization where feasible.
    3. Implement cross-domain solutions (CDS) when transferring data between secure and non-secure environments.
    4. Prevent unauthorized remote access to covered data.
  5. Third-Party Risk Management
    1. Conduct vendor and partner risk assessments, particularly if they may access covered systems or data.
    2. Maintain contracts with third parties that impose security obligations consistent with the DSP.
    3. Monitor and review third-party compliance regularly.
  6. Training and Awareness
    1. Provide security and privacy training to employees with access to covered data or systems.
    2. Conduct annual refreshers and role-specific training as necessary.
  7. Incident Response and Reporting
    1. Maintain a written incident response plan (IRP) that includes procedures for detecting, responding to, and recovering from data breaches or intrusions.
    2. Define escalation paths for incidents involving access by covered persons or countries of concern.
    3. Report relevant incidents to DOJ or CISA as required.
  8. Recordkeeping and Documentation
    1. Retain documentation of:
      1. The DSP and all supporting procedures
      2. Logs of access to covered systems/data
      3. Risk assessments and due diligence efforts
      4. Training records
      5. Incident reports
    2. Maintain these records for at least five years.
  9. Periodic Testing and Evaluation
    1. Conduct regular assessments of DSP effectiveness (e.g., penetration testing, security audits).
    2. Update the program based on emerging threats, regulatory changes, or incidents.
  10. Certification and Attestation
    1. Submit a certification to the DOJ that the DSP meets all required elements.
    2. Be prepared to submit supporting documentation upon request.
    3. False certifications may lead to civil or criminal penalties.

This rule officially goes into effect July 8, 2025, and the requirements related to due diligence, auditing, and reporting become effective on October 6, 2025. If you have not already, now is the time to conduct a comprehensive review of your organization's data practices, systems, partnerships, and governance structures to ensure compliance. This rule requires a deep familiarity with your organization's data transactions, alongside a well-maintained Data Security Program. By understanding the scope of restricted transactions and implementing the required Data Security Program controls, your organization can reduce legal and national security risks while positioning itself for compliance. As enforcement begins, proactive preparation is not just recommended, it is essential.
