For the first time in the Distilling Cyber Policy podcast, Alex Botting and Jen Ellis from the Center for Cybersecurity Policy & Law are re-joined by guests from earlier this season: Lee Licata, Deputy Section Chief for National Security Data Risk at the Department of Justice (DOJ), and Grant Dasher, the Acting Technical Deputy Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA).
Both came on to discuss the then-recently released Executive Order 14117 on "Preventing Access to Americans' Bulk Sensitive Data and United States Government-Related Data by Countries of Concern" and the associated Advanced Notice of Proposed Rulemaking (ANPRM). EO 14117 directed the DOJ to establish and implement new regulations to address the threat from certain countries of concern attempting to access and exploit Americans’ sensitive personal data. The ANPRM proposed prohibiting and restricting certain transactions involving Americans' bulk personal data, as well as sensitive government data, to specific countries of concern such as China, Russia, Iran, North Korea, Cuba, and Venezuela - as well as territories controlled by these nations, such as Hong Kong and Macau.
Since then, the DOJ issued a Notice of Proposed Rulemaking (NPRM), with written comments from the public due by Nov. 29. Additionally, as directed by the EO, CISA has developed proposed security requirements to apply to classes of restricted transactions identified in the NPRM. The public can read CISA’s notice and request for comment in the Federal Register here. The proposed security requirements include cybersecurity measures such as basic organizational cybersecurity policies and practices, physical and logical access controls, data masking and minimization, encryption, and the use of privacy-enhancing techniques.
In the episode, Lee and Grant dig into the proposed rule and the proposed security requirements, which, just like the ANPRM, cover six categories of sensitive personal data, including human genomic data. They also share details on the next steps of the rulemaking process.
This week’s news segment covers:
- Bipartisan Congressional efforts around cybersecurity regulatory harmonization (you can find details on the Senate bill here, and the House bill here)
- Jen’s insights from the most recent Pall Mall Process meeting
- The 2nd Annual Cyber Policy Awards, organized by our wonderful colleagues at the Institute of Security and Technology, are now open for submissions through December 6th
For our Community Corner segment, we are joined by the fabulous Rebekah Brown and John Scott Railton, both Senior Researchers at the Citizen Lab at the University of Toronto. Rebekah and JSR share details from Rivers of Phish, their recent report on Russian-origin phishing operations, and the evolving nature of social engineering online.
You can find the latest Distilling Cyber Policy episode on Spotify and Apple. As always, if you would like to submit something for the Community Corner segment, or have topic ideas for upcoming episodes, please email iaj01@venable.com.