United States of America: Implemented CISA Security Requirements for Restricted Transactions under Executive Order 14117

Description

On 8 January 2025, the Cybersecurity and Infrastructure Security Agency’s (CISA) security requirements under Executive Order 14117 entered into force. These requirements were designed to mitigate national security risks arising from restricted transactions involving sensitive US data and covered persons or countries of concern. The security requirements delineate the organisational and system-level requirements, as well as the data-level requirements, that US persons engaging in restricted transactions are obliged to meet. These requirements mandate the implementation of access controls, encryption, and vulnerability management. In particular, organisations are obligated to enforce multi-factor authentication, maintain updated asset inventories, and implement data minimisation techniques. The security requirements are in addition to any compliance-related conditions imposed in applicable Department of Justice regulations.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2024-10-21
under deliberation

On 21 October 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published the draft…

2024-10-29
in consultation

On 29 October 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) opened a consult…

2024-11-30
processing consultation

On 30 November 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) closed the cons…

2025-01-03
adopted

On 3 January 2025, the Cybersecurity and Infrastructure Security Agency (CISA) adopted the security…

2025-01-08
in force

On 8 January 2025, the Cybersecurity and Infrastructure Security Agency’s (CISA) security requireme…