United States of America: Announced CISA security requirements for restricted transactions pursuant to Executive Order 14117

Description

Announced CISA security requirements for restricted transactions pursuant to Executive Order 14117

On 21 October 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published the draft security requirements for restricted transactions pursuant to Executive Order 14117. The security requirements are aimed at protecting US sensitive personal data and government-related information from access by countries of concern and covered individuals through restricted transactions. The draft measures address national security and foreign policy risks associated with such access, and these security requirements are part of broader regulations issued by the Department of Justice. The proposed requirements focus on both organisational and system-level measures, as well as data-specific protections. At the organisational level, entities must maintain updated asset inventories, designate a cybersecurity officer responsible for overseeing security measures, and ensure timely remediation of any vulnerabilities. Network management and incident response plans must be developed and maintained, and strong access control measures, such as multifactor authentication, must be implemented to prevent unauthorised access. At the data level, security strategies include data minimisation and encryption to safeguard sensitive information. Techniques such as pseudonymisation and anonymisation are recommended to prevent sensitive data from being exposed. In addition, all data in transit and at rest must be encrypted using industry-standard methods, and cryptographic keys should be securely managed. These protections ensure that sensitive data remains inaccessible to foreign adversaries or covered persons involved in restricted transactions.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
other regulatory body

Complete timeline of this policy change

Hide details
2024-10-21
under deliberation

On 21 October 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published the draft…

2024-10-29
in consultation

On 29 October 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) opened a consult…

2024-11-30
processing consultation

On 30 November 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) closed the cons…