April 15, 2025

DOJ Releases New Key Guidance on Its Data Security Program (DSP)

Substantial Compliance Obligations Related to Certain Foreign Transactions Involving Sensitive Personal and Government Data

At a Glance

  • The Department of Justice (DOJ) published new key guidance on its recent final rule issued to restrict and prohibit the transfer of “bulk U.S. sensitive personal data” and U.S. government-related data to certain countries of concern.
  • The DOJ now refers to the final rule as the “Data Security Program,” or “DSP.” 
  • The Data Security Program, which includes both civil and criminal enforcement mechanisms, imposes substantial compliance obligations related to exports, cybersecurity and sensitive data handling. The DOJ issued guidance documents to assist with implementation.
  • The Data Security Program is largely effective now, with a 90-day “safe harbor” period to allow time to come into compliance. The DOJ has identified examples of what constitute good-faith efforts at compliance that would provide protection during this window.

On April 11, 2025, the National Security Division (NSD) of the Department of Justice issued a press release (Press Release) that outlines its approach to implementing and enforcing the DOJ’s recent final rule on “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (28 C.F.R. Part 202). The final rule, which NSD now calls the “Data Security Program” or “DSP,” took effect in substantial part on April 8, 2025, and prohibits or restricts transactions that would allow access to government-related data or bulk U.S. sensitive personal data by any “covered person” or “country of concern.”1,2

To assist companies in complying with the DSP, NSD also released three new guidance documents — an Implementation and Enforcement Policy, Compliance Guide and FAQs (collectively, the Guidance Documents). The Press Release and Guidance Documents are the first detailed public statements from the Trump administration regarding the DSP. And if there was any doubt about the DSP’s alignment with Trump administration priorities or likely enforcement, these quash that: signaling robust enforcement, noting bipartisan support, and positioning the DSP as consistent with Trump administration objectives. The DOJ explains in its Press Release that the covered data can be used to “commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop AI and military capabilities, and otherwise undermine our national security.” As a result, the DOJ insists that “U.S. persons should ‘know their data,’ including the kinds and volumes of data collected about or maintained on U.S. persons or U.S. devices; how their company uses the data; whether their company engages in covered data transactions; and how such data is marketed, particularly with respect to current or recent former employees or contractors, or former senior officials, of the United States government, including the military and Intelligence Community.”3 Presumably due to the critical national security interests involved, the DSP represents a departure from the Trump administration’s broader deregulatory efforts.

So — what’s new here? We address key aspects of the three new Guidance Documents below.

I. Implementation and Enforcement Policy Through July 8, 2025

Most notably, the Implementation and Enforcement Policy provides that NSD “will not prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025, so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time.”4 The Policy lists several examples of evidence of “good faith” efforts to comply, including: 

  • Conducting internal reviews of access to sensitive personal data, including whether transactions involving access to such data flows constitute data brokerage
  • Reviewing internal datasets and datatypes to determine if they are potentially subject to DSP
  • Renegotiating vendor agreements or negotiating contracts with new vendors
  • Transferring products and services to new vendors
  • Conducting due diligence on potential new vendors
  • Negotiating contractual onward-transfer provisions with foreign persons who are the counterparties to data brokerage transactions
  • Adjusting employee work locations, roles or responsibilities
  • Evaluating investments from countries of concern or covered persons
  • Renegotiating investment agreements with countries of concern or covered persons
  • Implementing the Cybersecurity and Infrastructure Security Agency (CISA) Security Requirements, including the combination of data-level requirements necessary to preclude covered-person access to regulated data for restricted transactions.

This 90-day period is intended to provide companies with time to evaluate their activities and operationalize compliance with the DSP. Depending on the size, scope, activities and geographic reach of a company’s operations, that effort may be substantial. Accordingly, NSD has adopted its delayed enforcement policy in recognition of the fact that companies may need time to fully comply with the DSP, including by “revising or creating new internal policies and processes, identifying data flows, changing vendors or suppliers, adjusting employee roles or responsibilities, deploying new security requirements, and revising existing contracts.”5

NSD notes that it will nonetheless “pursue penalties and other enforcement actions as appropriate for egregious, willful violations” of the DSP during the 90-day delayed enforcement period.6 Similarly, the delayed enforcement period “does not limit NSD’s authority and discretion to pursue civil enforcement if such persons did not engage in good-faith efforts to comply with, or come into compliance with, the DSP.”7

Finally, NSD notes that companies “should be in full compliance” with the DSP as of July 8, 2025, “and should expect NSD to pursue appropriate enforcement with respect to any violations” thereof after that date.8 During the delayed enforcement period, NSD is encouraging submission of informal inquiries to NSD via email at nsd.firs.datasecurity@usdoj.gov. NSD may either respond to such inquiries or take them into consideration for future guidance. Relatedly, NSD notes that it is discouraging submission of — and will not review requests for — specific licenses or advisory opinions during the delayed enforcement period.

II. Compliance Guide

NSD’s new Compliance Guide is a comprehensive explanatory document for regulated parties seeking to comply with the DSP. Some portions of the Compliance Guide are relatively straightforward recitations of the text of the DSP and the DOJ’s associated commentary,9 but other portions provide new insights.

Contract Terms

The Compliance Guide delves into the requirement that U.S. persons may not knowingly engage in a data brokerage transaction with a foreign person who is not a covered person unless the U.S. person (1) has proper contractual requirements in place and (2) reports any known or suspected contractual violations to the DOJ. To this end, the Compliance Guide provides example contract language that entities may incorporate into their contracts with noncovered foreign persons. Notably, U.S. persons are not required to use this specific contract language, and the DOJ notes that the appropriate contract terms for any given agreement are likely to depend on “the relevant business activity, risk appetite, the contract counterparties, the products and services involved, and the bulk U.S. personal sensitive or government-related data at issue.”10

Vendor Due Diligence

Like the DSP, the Compliance Guide emphasizes the need for vendor due diligence when contracting, noting that U.S. persons engaging in data brokerage transactions with noncovered persons “should not simply shift responsibility to or entirely rely on the contractual provisions or on their foreign counterparties to comply with these contractual provisions.”11 Relatedly, the Compliance Guide suggests an implied safe harbor for entities that conduct “adequate due diligence as part of a risk-based compliance program” but nonetheless fail to detect a vendor’s noncompliance with its contractual representations.12 Unsurprisingly, the DOJ says that this (limited) safe harbor would not apply in the event of indications of evasion, conspiracy, knowing direction of prohibited transactions, or failure to conduct adequate due diligence.13

Highlight on Tracking Pixels and Software Development Kits

In its otherwise straightforward overview of “prohibited transactions,” the Compliance Guide specifically calls out disclosures of government-related or bulk U.S. sensitive personal data via tracking pixels and software development kits, noting: 

Some activities that may not be thought of in ordinary parlance as data brokerage may nonetheless constitute data brokerage under the DSP, such as a U.S. company maintaining a website or mobile application that contains ads with tracking pixels or software development kits that were knowingly installed or approved for incorporation into the app or website by the U.S. company.14

This isn’t entirely new — the DSP calls out the same in its examples on the definition of “data brokerage”15 — but the mention of it in the Compliance Guide signals that NSD expects companies to pay attention to their disclosures of covered data via such technologies when scoping and conducting their compliance efforts.

Data Compliance Program

The Compliance Guide also discusses best practices for holistically designing and implementing a Data Compliance Program for restricted transactions, which includes proper due diligence, training of personnel, audit requirements and any other additional requirements imposed by the attorney general. More specifically, the Compliance Guide recommends the following:

  • Risk-based procedures for verifying data flows, with such procedures designed to “verify and log, in an auditable manner, the following: (1) the types and volumes of bulk U.S. sensitive personal data or government-related data involved in any restricted transactions; (2) the identity of the transaction parties, including any ownership of entities or citizenship or primary residence of individuals; and (3) the end-use of the data and the method of data transfer.”16
  • Risk assessments (ideally, at least annually) for evaluating risks and compliance with the DSP. This may include: (1) assessing “coverage of the regulations against the company’s current data holdings and vendor, employee, or investment agreements”; (2) examining current security measures, vendors, investors, employees, offered products and services, coverage under existing licenses or exemptions, and the entity’s geographic locations; and (3) addressing mergers, acquisitions and other corporate transactions, including as needed to “bring[ ] newly acquired entities into compliance with the U.S. company’s Data Compliance Program.”17
  • Periodic screening of vendors to verify whether current or prospective vendors are covered persons, including use of vendor-screening software that “(1) incorporates updates to [NSD’s to-be-published] Covered Persons List; (2) accounts for all identifiers, including alternative spellings or AKAs of identified or designated covered persons; (3) accounts for organizational hierarchy; (4) considers vendors’ geographical information (including headquarters, subsidiary, and branch locations); and (5) screens against both current, newly added, and prospective vendors.”18
  • Written policies and procedures that document the company’s approach to compliance with the DSP. These should “reflect the organization’s day-to-day operations, should be easy to comply with, should make verification of compliance straightforward, and should be designed to prevent employees from engaging in misconduct.”19 They should also include internal reporting procedures and “a formal escalation process to review high-risk transactions,” and they should be reviewed on an annual basis.20
  • Periodic training on the Data Compliance Program and the CISA Security Requirements to all relevant employees and personnel (at least annually).
  • Annual comprehensive, independent and objective audits that examine the U.S. person’s data transactions, compliance with CISA Security Requirements and Data Compliance Program, and any relevant records.
  • Any other additional information required by the attorney general (after being published in the Federal Register).
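The vendor-screening bullet above lists five capabilities NSD expects of screening software. The following is an added example, not code from NSD or from the Compliance Guide, showing how those five features fit together in a small screening routine: a versioned list so updates can be re-run, AKA and alternative-spelling matching through name normalization, an ownership-chain walk for organizational hierarchy, a geographic review of headquarters, subsidiary and branch locations against the countries of concern named in footnote 1, and a single function applied to current, new and prospective vendors alike. The covered-persons entries, vendor records and country codes are constructed for illustration; the real Covered Persons List had not been published when the guidance was issued, and a geographic hit here only flags a vendor for review rather than determining covered-person status.

```python
"""Vendor screening against a covered-persons list (constructed example).

Every list entry, vendor record and country code below is made up for
illustration. NSD's Covered Persons List is a to-be-published document,
so nothing here reproduces it.
"""
from dataclasses import dataclass
import re

# Countries of concern from the page's footnote 1, as ISO-style codes
# (assumption): China incl. Hong Kong and Macau, Russia, Venezuela,
# North Korea, Iran, Cuba.
COUNTRIES_OF_CONCERN = {"CN", "HK", "MO", "RU", "VE", "KP", "IR", "CU"}

# Corporate suffixes dropped before comparison so that name variants match.
_SUFFIXES = {"inc", "ltd", "llc", "co", "corp", "corporation", "limited", "gmbh", "sa"}


def normalize_name(name: str) -> str:
    """Casefold, strip punctuation and common corporate suffixes so that
    'ACME Data, Ltd.' and 'acme data' compare equal (feature 2: AKAs and
    alternative spellings are indexed through the same normalization)."""
    tokens = re.sub(r"[^\w\s]", " ", name.casefold()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


@dataclass(frozen=True)
class CoveredPerson:
    name: str
    akas: tuple = ()  # alternative spellings / also-known-as names


@dataclass
class Vendor:
    name: str
    hq_country: str
    locations: tuple = ()          # subsidiary and branch countries
    parent: "Vendor | None" = None  # ownership chain for hierarchy checks


@dataclass
class CoveredPersonsList:
    version: str                    # feature 1: track which list update was used
    entries: tuple

    def __post_init__(self):
        # Index primary names and AKAs under their normalized form.
        self._index = {}
        for entry in self.entries:
            for variant in (entry.name, *entry.akas):
                self._index[normalize_name(variant)] = entry.name

    def lookup(self, name: str):
        """Return the listed entity's primary name on a hit, else None."""
        return self._index.get(normalize_name(name))


def screen_vendor(vendor: Vendor, cpl: CoveredPersonsList) -> list:
    """Return findings for one vendor; an empty list means no hit."""
    findings = []
    # Feature 3: walk the ownership chain (vendor, parent, grandparent, ...).
    entity = vendor
    while entity is not None:
        hit = cpl.lookup(entity.name)
        if hit:
            relation = "vendor" if entity is vendor else f"owner:{entity.name}"
            findings.append(f"list-match {relation} -> {hit}")
        entity = entity.parent
    # Feature 4: geographic review of HQ, subsidiary and branch locations.
    for country in (vendor.hq_country, *vendor.locations):
        if country in COUNTRIES_OF_CONCERN:
            findings.append(f"location-review {country}")
    return findings


def screen_all(vendors, cpl: CoveredPersonsList) -> dict:
    """Feature 5: one routine for current, newly added and prospective vendors."""
    return {v.name: screen_vendor(v, cpl) for v in vendors}


def new_findings(vendors, previous: dict, cpl: CoveredPersonsList) -> dict:
    """Re-screen after a list update and return only vendors whose findings changed."""
    current = screen_all(vendors, cpl)
    return {n: f for n, f in current.items() if f != previous.get(n, [])}


# Constructed sample data (not from the page or from NSD).
CPL_V1 = CoveredPersonsList("example-v1", (
    CoveredPerson("Example Data Holdings Ltd.", akas=("EDH", "Exampel Data Holdings")),
))
CPL_V2 = CoveredPersonsList("example-v2", CPL_V1.entries + (
    CoveredPerson("Northwind Cloud GmbH"),
))
GROUP = Vendor("Example Data Holdings Ltd.", "RU")
VENDORS = [
    Vendor("Acme Analytics Inc.", "US"),
    Vendor("Northwind Cloud GmbH", "DE", locations=("FR", "HK")),
    Vendor("Exampel Data Holdings", "SG"),                  # alternative spelling
    Vendor("Subsidiary Services LLC", "US", parent=GROUP),  # owned by a listed entity
]

if __name__ == "__main__":
    first = screen_all(VENDORS, CPL_V1)
    for name, findings in first.items():
        print(name, findings or "clear")
    print("changed after list update:", new_findings(VENDORS, first, CPL_V2))
```

Keeping the list version alongside each screening result is what makes the "auditable manner" expectation elsewhere in the Guide workable: a later review can tell which list update a clean result was based on, and `new_findings` gives the delta to examine when the next update lands.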

Internal Support for DSP Compliance

The Compliance Guide also comments on company management of DSP compliance and the need for internal, high-level support for the same, noting that “[a] robust Data Compliance Program should have senior management support and buy-in.”21 The Compliance Guide also specifically recommends appointing a compliance person responsible for implementation who has senior-level authority, sufficient technical expertise, and support from personnel, technical and other resources to ensure proper implementation. 

Licensing

The Compliance Guide notes that requests for specific licenses will be met with a “presumption of denial” standard, indicating that NSD will not be inclined to grant specific license requests absent extenuating circumstances. An entity seeking a license will need to “affirmatively identify compelling countervailing considerations to support the issuance of a specific license (such as an emergency or imminent threat to public safety or national security).”22 While a person cannot apply for a general license,23 the DOJ may issue such licenses “in particular circumstances, such as where multiple companies in the same industry submit requests for specific licenses on the same topic, or in circumstances where NSD otherwise learns of a need to issue a general license, such as via industry engagement.”24

In Addition

In addition to these recommendations, the Compliance Guide provides information on recordkeeping, reporting and advisory opinions. Overall, the Compliance Guide serves as an in-depth overview that companies should use when determining best practices for compliance.

III. Frequently Asked Questions

Finally, NSD released over 100 “Frequently Asked Questions” to address high-level clarifications about the DSP. The FAQs cover a range of topics, including (1) basic program information, (2) program elements, (3) covered persons list, (4) prohibited transactions, (5) restricted transactions, (6) exempt transactions, (7) compliance requirements, (8) licensing, (9) advisory opinions and (10) enforcement guidance. We note a few key points from the FAQs below.

Definition of “Personal Health Data”

The FAQs note that the DSP’s definition of “personal health data” is broader than the definition of “protected health information” under the Health Insurance Portability and Accountability Act of 1996, with the latter being defined by the type of entity that receives or creates it.25 Instead, “the term personal health data” under the DSP “applies to any data that meets the definition regardless of the entity that collects or holds it, and regardless of the type of transaction in which that data is involved. For example, it includes logs of exercise habits, which could be collected by fitness apps.”26 This broader interpretation of the scope of “personal health data” is consistent with state consumer health data laws, the FTC’s Health Breach Notification Rule, and recent enforcement by the FTC.

Bulk Threshold Calculation

The FAQs clarify that bulk thresholds may be calculated by counting “covered data transactions ‘in the preceding twelve months’ that occur on or after the effective date of the DSP.”27 That should provide some clarity for companies when determining whether current covered data transactions meet or exceed the DSP’s bulk thresholds.
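The practical consequence of the FAQ quoted above is that the twelve-month look-back window has a floor: transactions before April 8, 2025 never enter the count, even when they fall within the preceding twelve months. The following is an added example, not from the FAQs or the DOJ, that applies that window to a constructed transaction log. The per-category thresholds, the record-count aggregation unit and the calendar-based reading of “twelve months” are all assumptions for illustration; the rule’s actual thresholds are not stated on the page.

```python
"""Twelve-month bulk-threshold window floored at the DSP effective date.

Added example with constructed data; thresholds and the aggregation unit
(record counts per data category) are placeholders, not the rule's figures.
"""
from datetime import date

DSP_EFFECTIVE = date(2025, 4, 8)  # effective date stated on the page


def twelve_months_before(as_of: date) -> date:
    """Same calendar day one year earlier; Feb 29 maps to Feb 28
    (assumption about how 'preceding twelve months' is measured)."""
    try:
        return as_of.replace(year=as_of.year - 1)
    except ValueError:
        return as_of.replace(year=as_of.year - 1, day=28)


def window_start(as_of: date) -> date:
    """Start of the look-back window: twelve months before as_of, but never
    earlier than the effective date, since earlier transactions do not count."""
    return max(twelve_months_before(as_of), DSP_EFFECTIVE)


def totals_in_window(transactions, as_of: date) -> dict:
    """Sum record counts per data category for transactions dated within
    [window_start(as_of), as_of]. Each transaction is a dict with 'date',
    'category' and 'records' keys (constructed shape)."""
    start = window_start(as_of)
    totals = {}
    for tx in transactions:
        if start <= tx["date"] <= as_of:
            totals[tx["category"]] = totals.get(tx["category"], 0) + tx["records"]
    return totals


def over_threshold(transactions, as_of: date, thresholds: dict) -> dict:
    """Map each category in thresholds to whether its windowed total meets it."""
    totals = totals_in_window(transactions, as_of)
    return {cat: totals.get(cat, 0) >= limit for cat, limit in thresholds.items()}


# Constructed sample log (not from the page).
SAMPLE_TXNS = [
    {"date": date(2025, 3, 30), "category": "geolocation", "records": 900},  # pre-effective: excluded
    {"date": date(2025, 4, 8),  "category": "geolocation", "records": 300},  # on effective date: counted
    {"date": date(2025, 9, 1),  "category": "geolocation", "records": 250},
    {"date": date(2025, 6, 15), "category": "health",      "records": 120},
]
PLACEHOLDER_THRESHOLDS = {"geolocation": 500, "health": 1000}  # assumption

if __name__ == "__main__":
    for as_of in (date(2025, 10, 1), date(2026, 6, 1)):
        print(as_of, "window from", window_start(as_of),
              totals_in_window(SAMPLE_TXNS, as_of),
              over_threshold(SAMPLE_TXNS, as_of, PLACEHOLDER_THRESHOLDS))
```

Run as of October 1, 2025 the window starts at the effective date, so the pre-April transaction is dropped while the April 8 one is counted; run as of June 1, 2026 the ordinary twelve-month window applies and the April 8 transaction has aged out.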

Designated Covered Persons List

The FAQs note that the DOJ expects to publish a Covered Persons List, which will be available on NSD’s website, will be regularly updated and will provide an email subscription for updates to the same.28 Once published, companies will want to ensure that their vendor-screening approach incorporates routine screening against the Covered Persons List, in addition to otherwise assessing vendors’ covered person status.

CISA Security Requirements and Restricted Transactions

The FAQs confirm that the restricted transaction provisions of the DSP and corresponding CISA security requirements are intended to “prevent access to all government-related or bulk U.S. sensitive personal data by covered persons or countries of concern.” Specifically, NSD provides that the security requirements are designed to “prevent access to sensitive personal data that is linkable, identifiable, unencrypted, or decryptable by covered persons or countries of concern using commonly available technology, consistent with the required data risk assessment,” which can be done “by denying access outright or by only allowing covered persons access to sensitive personal data for which persons subject to the DSP have instituted other data-level requirements that mitigate the risks” of access to “the underlying government-related data or bulk U.S. sensitive personal data….”29

Audits

The FAQs explain that use of third-party auditors is not required to satisfy the DSP’s audit requirements, but note that internal auditors, if used, must be “sufficiently independent.”30 The FAQs also express reservations about use of internal auditors, noting that “[i]n NSD’s experience with corporate compliance in national security, criminal, and other contexts, internal audits often lack the independence, expertise, and resources to conduct objective and thorough evaluations of their own company’s compliance efforts, while external audits often provide more effective and comprehensive assessments.”31 NSD notes that it “intends to provide additional guidance on the requirements for a sufficiently independent audit.”32

Liability for Inadvertent Violations

The FAQs address liability for inadvertent violations and expressly state that there is no strict liability — only liability for knowing or willful violations. NSD explains the “knowledge standard” as “the U.S. person had actual knowledge of, or reasonably should have known about, the conduct, circumstance, or result” and advises that NSD “will take into account the relevant facts and circumstances, including the relative sophistication of the individual or entity at issue, the scale and sensitivity of the data involved, and the extent to which the parties to the transaction at issue appear to have been aware of and sought to evade the application of the DSP.”33

More Guidance Is Coming

The FAQs note that further guidance from NSD is likely forthcoming, including on internal audit requirements, voluntary self-disclosure of violations, and general enforcement of the DSP. 

For answers to all 108 questions and any other answers provided in the future, please review the posted FAQs, as the NSD Foreign Investment Review Section (FIRS) will periodically update the document with additional questions and answers. Individuals may request that NSD provide an answer to new questions by emailing nsd.firs.datasecurity@usdoj.gov with the subject line “FAQ request.” Submitters should note that any information given may not be treated as confidential or proprietary by the Justice Department.

In Conclusion

In sum, the collective guidance published by NSD in conjunction with its Press Release provides important clarifications and additional context on NSD’s general enforcement approach to the DSP. Companies should take note of these additional materials and take advantage of the delayed enforcement period in preparing for compliance with the DSP.

  1. As of this writing, the list of designated “countries of concern” includes China (including Hong Kong and Macau), Russia, Venezuela, North Korea, Iran and Cuba. Most of the DSP’s provisions took effect on April 8, 2025, but its due diligence, auditing and reporting requirements will take effect on October 6, 2025.
  2. For prior insights on the DSP, see Craig R. Heeren, et al., Proposed ‘Bulk Sensitive Personal Data’ Rule and the DOJ’s Comprehensive National Security Regulations, Faegre Drinker (Nov. 15, 2024), www.faegredrinker.com/en/insights/publications/2024/11/proposed-bulk-sensitive-personal-data-rule-and-the-dojs-comprehensive-national-security-regulations; see also Peter W. Baldwin, et al., Navigating the New Cybersecurity Requirements for the DOJ ‘Bulk Sensitive Personal Data’ Rule, Faegre Drinker (Mar. 4, 2025), https://www.faegredrinker.com/en/insights/publications/2025/3/navigating-the-new-cybersecurity-requirements-for-the-doj-bulk-sensitive-personal-data-rule.
  3. See Dep’t of Justice, Data Security Program: Compliance Guide 1–2 (Apr. 11, 2025), at www.justice.gov/opa/media/1396356.
  4. See Dep’t of Justice, Data Security Program: Implementation and Enforcement Policy Through July 8, 2025 2 (Apr. 11, 2025), www.justice.gov/opa/media/1396346.
  5. Id.
  6. Id.
  7. Id.
  8. Id. at 3.
  9. See generally Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, 90 Fed. Reg. 1636 (Jan. 8, 2025) (codified at 28 CFR Part 202).
  10. Data Security Program: Compliance Guide, supra note 3, at 6.
  11. See id. at 7.
  12. Id.
  13. Id.; see also id. at 9.
  14. See id. at 5.
  15. See Data Security Program, 28 C.F.R. § 202.214(b) (2025).
  16. See Data Security Program: Compliance Guide, supra note 3, at 11.
  17. Id.
  18. Id. at 12–13.
  19. Id. at 13.
  20. Id. at 13–14.
  21. Id. at 17.
  22. Id. at 20.
  23. See Dep’t of Justice, Data Security Program: Frequently Asked Questions # 40 (Apr. 11, 2025), at www.justice.gov/opa/media/1396351.
  24. Id. at # 96.
  25. Id. at # 31.
  26. Id.
  27. Id. at # 38.
  28. Id. at # 42–46, 56.
  29. Id. at # 66; see also id. at # 67–69.
  30. Id. at # 85.
  31. Id.
  32. Id.; see also id. at # 93.
  33. Id. at # 107.