The Department of Justice's (DOJ) good-faith grace period for the Bulk Data Rule has now expired. This blog post addresses one discrete aspect of compliance, the security requirements for restricted transactions, which we discussed here previously: it examines these requirements in more detail and explains how they interact with existing cybersecurity and risk management frameworks and regulations.
A Brief Overview
As described previously, the DOJ Bulk Data Rule prohibits certain transactions involving the sale or transfer of bulk U.S. sensitive data or government data to "countries of concern" (China, Cuba, Iran, North Korea, Russia, and Venezuela) or to "covered persons." The definition of "covered person" is also complex, and we are here to help!
The rule also restricts other transactions involving business agreements that enable a country of concern or covered person to access bulk U.S. sensitive data or government data. These restricted transactions are permitted only if they comply with the security requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA) under President Biden's Executive Order.
The security requirements include organizational- and system-level requirements that are strict and prescriptive, while the data-level requirements are more flexible, allowing companies to implement a combination of mitigations based on their internal risk assessments. The requirements draw on the following cybersecurity frameworks and regulations:
- NIST Cybersecurity Framework (CSF) 2.0
  - The National Institute of Standards and Technology (NIST) CSF is a voluntary guidance tool that helps reduce cybersecurity risk by providing standards and practices around core functions to prevent, detect, and respond to cyberattacks.
- NIST Privacy Framework
  - NIST's Privacy Framework is a voluntary guidance tool that provides organizations with privacy principles and best practices to manage privacy risk and protect personal information.
- ISO/IEC 27001
  - The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard 27001 is an international security standard that specifies requirements for implementing an Information Security Management System to help organizations manage and protect their information assets.
- 23 NYCRR 500
  - Title 23, Part 500 of the New York Codes, Rules and Regulations (23 NYCRR 500) is the New York State Department of Financial Services (DFS) cybersecurity regulation. It requires financial services companies to maintain comprehensive cybersecurity programs protecting their information systems, except those with under 10 employees, $5M in revenue, or $10M in assets.
The good news: organizations already incorporating the NIST Frameworks, ISO/IEC 27001, or the NY DFS regulation are well on their way to compliance with the Security Requirements under the Bulk Data Rule. There are, however, some important differences that companies will need to consider, which we touch on below.
Analysis
Our approach involved identifying equivalent or synonymous requirements across frameworks, documenting the level of granularity and alignment, and highlighting critical distinctions that organizations must address.
The key differences are specificity and focus. General frameworks, like NIST CSF 2.0 and ISO/IEC 27001, are adaptable and risk-based. In contrast, the Security Requirements for Restricted Transactions set precise requirements with exact timelines, technical controls, and geographic restrictions.
For example, organizations compliant with NIST and NYCRR should focus on elements such as documenting network topology and updating their asset inventory monthly when integrating the Bulk Data Rule. They must also implement privacy-enhancing technologies like differential privacy, which adds noise to prevent data reconstruction, in accordance with DOJ requirements. Those compliant with ISO or NYCRR should prioritize data minimization methods, such as aggregation and de-identification, as these may need additional strengthening to meet the rule's standards. Fortunately, the organizational- and system-level requirements of the Bulk Data Rule, including incident response plans, documentation of third-party service cybersecurity procedures, and audit log collection, all align with the NIST, NYCRR, and ISO standards.
Another distinction is that established frameworks reflect broad security principles for voluntary adoption, while CISA's requirements under the DOJ Rule represent a geopolitically focused mandate addressing threats from "countries of concern." For instance, Data Level Requirements section B prohibits storing encryption keys in "countries of concern" and prohibits "covered persons" from having access to encryption keys. Other frameworks, like NIST, ISO, and NYCRR, recommend more general cryptographic policies that prevent "unauthorized access" and protect data in transit and at rest.
Organizations should identify which requirements apply to their specific situation, particularly whether they engage in "restricted transactions" with countries of concern as defined in the Code of Federal Regulations (28 C.F.R. § 202.401). There are no exemptions for such restricted transactions, and the Oct. 8 deadline for the written compliance provisions is approaching.
As organizations, regardless of their current compliance posture, coordinate their efforts to comply with the rule, they should pay special attention to certain requirements. These include, but are not limited to, patching KEVs (vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog) within 45 calendar days, deny-by-default configurations for connections to covered systems, and specific password length requirements.
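As an added illustration (not part of the original post and not the rule's own text), the following Python snippet checks an internal list of vulnerability findings against an extract of the KEV catalog and flags findings that are past the 45-calendar-day remediation window. It assumes the clock starts on the catalog's `dateAdded` date; the catalog entries, CVE IDs, asset names and findings are constructed placeholders.

```python
import json
from datetime import date, timedelta

# Assumption (not stated on the page): the 45-calendar-day clock starts on the
# date CISA adds the CVE to the KEV catalog ("dateAdded" in the catalog JSON).
REMEDIATION_WINDOW = timedelta(days=45)

# Constructed sample in the shape of CISA's KEV catalog JSON; CVE IDs are placeholders.
KEV_CATALOG_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-XXXX-00001", "dateAdded": "2025-08-01"},
    {"cveID": "CVE-XXXX-00002", "dateAdded": "2025-09-20"}
  ]
}"""

# Constructed scanner findings: asset, CVE, and patch date (None = still unpatched).
FINDINGS = [
    {"asset": "db-covered-01", "cveID": "CVE-XXXX-00001", "patched_on": "2025-09-10"},
    {"asset": "app-covered-02", "cveID": "CVE-XXXX-00001", "patched_on": None},
    {"asset": "app-covered-02", "cveID": "CVE-XXXX-00002", "patched_on": None},
    {"asset": "app-covered-02", "cveID": "CVE-XXXX-00099", "patched_on": None},
]

def kev_deadlines(catalog_json):
    """Map each KEV CVE ID to the last calendar day on which remediation is on time."""
    catalog = json.loads(catalog_json)
    return {v["cveID"]: date.fromisoformat(v["dateAdded"]) + REMEDIATION_WINDOW
            for v in catalog["vulnerabilities"]}

def assess(findings, deadlines, today):
    """Classify each finding against the 45-day KEV requirement; today is an ISO date string."""
    today = date.fromisoformat(today)
    results = []
    for f in findings:
        deadline = deadlines.get(f["cveID"])
        if deadline is None:
            status = "not-kev"  # outside the 45-day rule; falls under the normal patch cadence
        elif f["patched_on"] is None:
            status = "overdue" if today > deadline else "open"
        else:
            status = "remediated" if date.fromisoformat(f["patched_on"]) <= deadline else "late"
        results.append({"asset": f["asset"], "cveID": f["cveID"],
                        "deadline": deadline.isoformat() if deadline else None, "status": status})
    return results

def overdue_assets(findings, catalog_json, today):
    """Assets with at least one unpatched KEV past its deadline (the list to escalate)."""
    return sorted({r["asset"] for r in assess(findings, kev_deadlines(catalog_json), today)
                   if r["status"] == "overdue"})

if __name__ == "__main__":
    for r in assess(FINDINGS, kev_deadlines(KEV_CATALOG_JSON), "2025-10-01"):
        print(r)
```

Run against the real catalog, the same logic gives an auditable record of which covered systems are inside or outside the 45-day window on any given date.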
Conclusion
Organizations should implement these security requirements not merely for compliance purposes, but to protect their users and strengthen overall U.S. national security. Fortunately, Venable's Privacy and Data Security attorneys have completed framework mapping exercises and are here to help organizations with compliance methods.