On 8 January 2025, the Cybersecurity and Infrastructure Security Agency’s (CISA) security requirements under Executive Order 14117 enter into force. These requirements were designed to mitigate national security risks arising from restricted transactions involving sensitive US data and covered persons or countries of concern. The security requirements delineate the organisational and system-level requirements, as well as the data-level requirements, that US persons engaging in restricted transactions are obliged to meet. These requirements mandate the implementation of access controls, encryption, and vulnerability management. In particular, organisations are obligated to enforce multi-factor authentication, maintain updated asset inventories, and implement data minimisation techniques. The security requirements are in addition to any compliance-related conditions imposed in applicable Department of Justice regulations.