Arielle Waldman, Features Writer
April 28, 2025
In a sign of how pervasive data sharing has become, businesses may face challenges complying with a new government rule restricting data use outside the US.
The US Department of Justice's (DoJ) Data Security Program (DSP), intended to block nation-state adversaries from accessing government data, went into effect on April 8. Enforcement will be limited for the first 90 days, though organizations can request additional time to become compliant through Oct. 6.
Described as "export controls," the program outlines restrictions, guidelines, and regulations to prevent foreign adversaries from using commercial activities to obtain US government-related data — including geolocation, biometric, health, and financial intelligence. Compliance in this case means organizations cannot engage in "covered data transactions," including data brokerage, vendor agreements, employment agreements, or investment agreements with "countries of concern." In essence, this means no sharing of government or sensitive personal data with prohibited countries.
National Security Threat
The DoJ launched the DSP in response to the "urgent threat" posed to national security by the holding of highly sensitive types of data. Thanks to artificial intelligence (AI) and large language models (LLMs), the amount of available data has ballooned. Adversaries could abuse bulk data to commit espionage, conduct surveillance, and develop AI and military capabilities, the DoJ warned.
Covered countries include China, Russia, Iran, North Korea, Cuba, and Venezuela, but it's less clear who must comply.
"NSD expects US persons to know their transactions and data," according to a FAQ from the National Security Division (NSD), which implemented the DSP.
US organizations have their work cut out for them given the potential for compliance complications in the supply chain. Enterprises must evaluate their vendors and whether any third parties or downstream customers are sharing data with a covered entity. The DoJ stated that this could also entail amending or renegotiating existing contracts and conducting internal data reviews. Businesses will also endure increased costs to comply with the new rule.
Due to a lack of reporting transparency across the industry, additional compliance complications could arise from inadvertent data breaches or if organizations discover that a third-party vendor violates the rule.
More AI, More Bulk Data
Executive Order 14117, signed by the Biden administration to prevent access to sensitive bulk data by countries of concern, precipitated this month's DSP. It was one of the few items that the current administration left in place and actually expanded on, says Artie McConnell, partner at law firm BakerHostetler.
"It's recognition that the confluence of new technologies — particularly things like LLMs and AI that allow for the rapid ingestion, processing, and analysis of large data sets — really is a national security threat when you apply it to the bulk data of American citizens," McConnell says.
It's difficult for the DoJ and NSD to pinpoint which organizations must comply because bulk data sharing has become the norm. Any company US citizens shop with, for example, collects and analyzes data to curate the user experience and provide targeted advertisements.
"It's very hard to draw a line to who would not be implicated when you're talking about a company of any real size," McConnell says.
While it's not a total prohibition on data sharing, the order does place several restrictions, as well as auditing and licensing requirements. Typically, these types of rules are more common in the sanctions and export control context, adds McConnell. Therefore, it is unsurprising that the DoJ set the rule and the NSD implemented it.
"It's definitely an area that blurs the line between traditional practice areas, but the NSD is probably the only body capable of handling all the different facets of a rule that's this complex and comprehensive," he says.
What To Do Now
As the compliance date approaches, organizations should examine their data holdings, determine how they can monitor and track data transfers, and understand who their third parties are, McConnell recommends.
"The rule is basically putting requirements that are traditionally seen in defense and industrial base onto everyone," he says.
McConnell tells Dark Reading that the issued guidance is very helpful and advises businesses to use the available draft contract language since it is government-approved. If an organization can make revisions, the language should be built into vendor agreements and contracts.
"The best guidance I can give is reasonable due diligence, and good faith efforts should be touchstones of complying with this rule," he says. "That's what the DoJ wants to see."
Security and compliance teams will need to work together now more than ever, says Amer Deeba, GVP of Proofpoint's DSMP Group. Noncompliance consequences will go beyond fines and put reputational and operational risks on the line, he warns.
"The DoJ's new Data Security Program underscores a growing shift: Organizations are now expected to have deep visibility and control over their sensitive data, especially in cloud environments," Deeba says. "This raises the bar for how enterprises discover, classify, and secure data across complex, hybrid infrastructures."