Government Finally Notices Foreign Countries Want Our Data
Published Date: 1/8/2025
Notice
Summary
CISA just released the final security rules to protect Americans' sensitive data from risky foreign countries, following President Biden’s Executive Order 14117. These rules affect businesses handling certain restricted transactions and kick in starting January 8, 2025. If you’re involved, get ready to follow new security steps to keep data safe—no extra costs were mentioned, but staying compliant is a must!
Analyzed Economic Effects
11 provisions identified: 5 benefits, 4 costs, 2 mixed.
Must follow CISA security requirements
If you are a U.S. person engaging in a DOJ-identified restricted transaction, you must implement the CISA organizational-, system-, and data-level security requirements to mitigate access by covered persons or countries of concern. The requirements are intended to allow restricted transactions to proceed only if those security measures are implemented.
Data must be denied or strongly mitigated before sharing
When covered data could be accessed by covered persons or countries of concern, you must either deny access to linkable, identifiable, unencrypted, or decryptable covered data or apply mitigations (for example, pseudonymization, de-identification, aggregation, or encryption) sufficient to prevent such access. Implementing these data-level techniques is required for restricted transactions to proceed.
Final rules take effect January 8, 2025
If your organization engages in restricted transactions, CISA's finalized security requirements take effect on January 8, 2025. That means the rules described in this notice apply starting on that date.
Patch known exploited vulnerabilities within 45 days
If you operate internet-facing covered systems, you must remediate known exploited vulnerabilities (KEVs) in a risk-informed order with all such KEVs remediated within 45 calendar days. You must also establish a process to evaluate whether internet-facing covered systems with KEVs were compromised prior to the patch being applied.
Require multi-factor authentication or 15‑char passwords
For covered systems, you must implement multi-factor authentication (MFA) that meets NIST AAL2/AAL3 (including passkeys) where technically feasible; if MFA is not technically feasible or enforced, passwords must be at least 15 characters. This requirement applies to systems that host covered data.
Covered system definition narrowed to bulk-interacting systems
CISA revised the definition of 'covered system' so it applies to systems that interact with covered data in bulk form, not ordinary user endpoints that only read or view data, except that any system interacting with government-related data remains a covered system. This changes which systems must meet the requirements.
Data risk assessment is for internal use only
You must perform a data risk assessment to inform protections, but CISA clarified the assessment is intended for internal use only and that documenting the assessment is not required. The plan should be reviewed internally by the organization.
Asset inventory requirement relaxed
CISA revised asset inventory rules to require documented inventories only 'to the maximum extent practicable,' removed the requirement to inventory MAC addresses, and allowed inventories to be dynamically curated. This relaxes some earlier inventory demands.
Access revocation timing changed to 'promptly'
CISA changed the requirement to revoke access for terminated or role-changed employees from 'immediately' to 'promptly' and provided clarifying examples of what 'promptly' means. This clarifies expected timing for access removal.
Change-management burden reduced
CISA reduced burden around change management by removing the reference to 'firmware' from certain installation rules and removing requirements for allowlists or approvals for specific software versions. This gives organizations more flexibility when installing new hardware or software.
Removed requirement on unauthorized media/hardware
CISA removed the earlier requirement that organizations maintain policies and processes to ensure unauthorized media and hardware are not connected to covered assets. CISA concluded other requirements coupled with the revised 'covered system' definition are sufficient.