United States of America: Announced CISA security requirements for restricted transactions pursuant to Executive Order 14117

On 21 October 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published the draft security requirements for restricted transactions pursuant to Executive Order 14117. The security requirements are aimed at protecting US sensitive personal data and government-related information from access by countries of concern and covered individuals through restricted transactions. The draft measures address national security and foreign policy risks associated with such access, and these security requirements are part of broader regulations issued by the Department of Justice. The proposed requirements focus on both organisational and system-level measures, as well as data-specific protections. At the organisational level, entities must maintain updated asset inventories, designate a cybersecurity officer responsible for overseeing security measures, and ensure timely remediation of any vulnerabilities. Network management and incident response plans must be developed and maintained, and strong access control measures, such as multifactor authentication, must be implemented to prevent unauthorised access. At the data level, security strategies include data minimisation and encryption to safeguard sensitive information. Techniques such as pseudonymisation and anonymisation are recommended to prevent sensitive data from being exposed. In addition, all data in transit and at rest must be encrypted using industry-standard methods, and cryptographic keys should be securely managed. These protections ensure that sensitive data remains inaccessible to foreign adversaries or covered persons involved in restricted transactions.