Preventing Access to Personal Data and United States Government-Related Data by Countries of Concern may sound like the plot of the next Mission: Impossible movie, but it’s the very real subject of Executive Order (EO) 14117. And it’s now your mission to comply.
A new chapter in U.S. data protection
Signed by President Biden on February 28, 2024, Executive Order 14117 kicks off a sweeping set of national security protections designed to prevent sensitive U.S. personal and government-related data from landing in the hands of foreign adversaries. Specifically, the EO and its associated rulemaking aim to restrict data transactions with entities connected to countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
Why? Because large-scale data transactions, including biometric data, genomic info, and precise geolocation, can fuel AI-driven surveillance, espionage, and other malicious activities. With blackmail and manipulation on the line, privacy professionals are now on the national security frontlines.
What the EO and DOJ rules are designed to do
At its core, EO 14117 and the Department of Justice’s (DOJ) implementing rules are about national security resilience through data restriction. The focus is on preventing bulk data transfers to foreign adversaries and enforcing robust cybersecurity and compliance frameworks among U.S. organizations.
The DOJ’s final rule, effective April 8, 2025, begins with a 90-day grace period and then transitions into full enforcement by October 6, 2025. If your organization handles high-volume data tied to U.S. persons, especially in healthcare, finance, or tech, this affects you.
These enforcement measures are formalized through the Data Security Program (DSP), launched by the DOJ’s National Security Division. The DSP is the operational backbone of EO 14117, setting expectations for audits, due diligence, risk assessments, and recordkeeping. It’s also the lens through which enforcement actions will be evaluated, so organizations should build their compliance programs with DSP criteria in mind.
Covered data and thresholds: What’s regulated?
Under the rule, two types of data are regulated:
- U.S. sensitive personal data
- U.S. government-related data
The bulk thresholds that trigger regulatory requirements are:
| Data type | Threshold |
|---|---|
| Human genomic data | 100+ U.S. persons |
| Biometric identifiers | 1,000+ U.S. persons |
| Precise geolocation | 1,000+ devices |
| Personal health data | 10,000+ U.S. persons |
| Financial data | 100,000+ U.S. persons |
| Covered personal identifiers | 100,000+ U.S. persons |
Even if your organization doesn’t traffic in massive datasets, it’s shockingly easy to meet these thresholds over 12 months, especially when working with vendors, cloud platforms, or marketing tools.
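To see how counts spread across several systems add up against the table, here is an added example (not code from the article): a small Python screen that sums a data inventory's counts per data type over a trailing 12-month window and reports which bulk thresholds are met. The threshold figures are the article's; the system names, counts, dates, and the `Holding` and `over_threshold` names are constructed for the example.

```python
"""Bulk-threshold screening for EO 14117 (added example, not code from the article).

The threshold figures are the ones in the article's table. System names,
counts and dates are constructed sample data. Counts are summed per data type
across every system and vendor over a trailing 12-month window, since the
thresholds are measured over 12 months and are easy to reach once vendor and
cloud platforms are included.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Bulk thresholds from the article's table. Units are U.S. persons, except
# precise geolocation, which is counted in devices.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "biometric": 1_000,
    "precise_geolocation": 1_000,
    "personal_health": 10_000,
    "financial": 100_000,
    "covered_identifiers": 100_000,
}


@dataclass(frozen=True)
class Holding:
    """Distinct U.S. persons (or devices) of one data type held in one system."""
    system: str      # hypothetical system or vendor name
    data_type: str   # key of BULK_THRESHOLDS
    count: int
    observed: date   # date the count was recorded in the data inventory


def aggregate(holdings, as_of, window_days=365):
    """Sum counts per data type over the trailing window, across all systems.

    Summing across systems can double-count a person present in two systems.
    For screening that is the conservative direction: it can only over-report
    a threshold crossing, never miss one. Deduplicate on a stable identifier
    if you need the exact figure.
    """
    start = as_of - timedelta(days=window_days)
    totals = defaultdict(int)
    for h in holdings:
        if start < h.observed <= as_of:
            totals[h.data_type] += h.count
    return dict(totals)


def over_threshold(holdings, as_of, window_days=365):
    """Map each data type at or above its bulk threshold to (total, threshold)."""
    totals = aggregate(holdings, as_of, window_days)
    return {
        t: (n, BULK_THRESHOLDS[t])
        for t, n in totals.items()
        if n >= BULK_THRESHOLDS[t]
    }


# Constructed inventory snapshot: no single system crosses a threshold, but
# the CRM and the marketing vendor together exceed 100,000 covered identifiers.
AS_OF = date(2025, 10, 6)
SAMPLE_HOLDINGS = [
    Holding("crm-prod", "covered_identifiers", 60_000, date(2025, 3, 1)),
    Holding("marketing-saas", "covered_identifiers", 45_000, date(2025, 6, 15)),
    Holding("mobile-analytics", "precise_geolocation", 800, date(2025, 5, 10)),
    Holding("mobile-analytics", "precise_geolocation", 300, date(2024, 1, 5)),  # outside window
    Holding("hr-benefits", "personal_health", 2_500, date(2025, 2, 20)),
]

if __name__ == "__main__":
    for data_type, (total, limit) in over_threshold(SAMPLE_HOLDINGS, AS_OF).items():
        print(f"{data_type}: {total:,} >= bulk threshold {limit:,}")
```

Run on the constructed snapshot, the screen flags covered personal identifiers (105,000 across two systems) while the geolocation count stays under 1,000 because the older record falls outside the window. The point is that the screen has to run over the whole inventory, not system by system.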
Countries of concern and “covered persons”
The EO targets data transfers to the six named countries, but it also applies to any “covered person”, including:
- Individuals or entities 50%+ owned by a country of concern.
- Residents of a country of concern.
- Employees or contractors of a country of concern entity.
- Anyone the DOJ designates based on national security concerns.
While the DOJ may publish a Covered Persons List, it’s important to understand that this list is not exhaustive. Organizations must perform ongoing, risk-based screening and remain alert to new designations or indirect ownership ties that could trigger compliance obligations. Relying solely on a static list or point-in-time check could leave your program and your organization exposed.
So, if you’ve got cloud vendors or ad tech partners with overseas ties, it’s time to recheck your contracts.
It’s also important to note that EO 14117 does not impose strict liability. Instead, the DOJ applies a “knowledge standard,” meaning violations hinge on whether you knew or should have known a transaction involved a covered person or country of concern. Strong due diligence procedures—not just boilerplate contract clauses—are your best defense. That includes verifying counterparties, training staff, and documenting decisions in a way that can stand up to regulatory scrutiny.
What’s prohibited or restricted?
Not all data transactions are created equal. The rules separate them into prohibited and restricted categories:
- Prohibited: Data brokerage and access to bulk human genomic data by a country of concern or covered person.
- Restricted: Employment, vendor, or investment agreements involving sensitive data must meet detailed security requirements to be lawful.
Enforcement, penalties, and oversight
The Department of Justice leads the charge with civil fines of up to $368,136 per violation or double the transaction value, whichever is greater.
Willful violations? Think $1 million and up to 20 years in prison. Yeah, this isn’t a slap-on-the-wrist situation.
The role of CISA: What security controls are required?
Under EO 14117, the Cybersecurity and Infrastructure Security Agency (CISA) has defined the core technical requirements organizations must follow. In brief, these include:
Organizational-level security
- Maintain monthly asset inventories (including IP and MAC addresses).
- Assign a CISO or security lead.
- Patch known vulnerabilities in 14 days.
- Maintain vendor agreements and network topologies.
- Enforce multi-factor authentication (MFA).
- Centralize and secure logs for 12+ months.
- Prohibit unauthorized USBs, auto-runs, or shadow IT.
Data-level security
- Minimize and mask data wherever possible.
- Encrypt in transit and at rest (TLS 1.2+).
- Isolate and manage encryption keys off-site.
- Leverage privacy-enhancing technologies like:
  - Homomorphic encryption
  - Differential privacy
- Prohibit access by countries of concern through default-deny access policies.
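As an added example (not code from the article, CISA, or the DOJ), the following Python checks turn several of the figures above into evidence tests an auditor could rerun: the 14-day patch window, the monthly asset inventory, 12-month log retention, a TLS 1.2 floor, and the default-deny access policy. All findings, dates, asset names and configuration values are constructed, the `VULN-PLACEHOLDER-*` identifiers are not real CVEs, and reading "monthly" as a 31-day maximum age is an assumption.

```python
"""Evidence checks for the CISA-defined EO 14117 controls (added example; not
code from the article, CISA or the DOJ). Findings, inventory dates and config
values are constructed sample data. The limits encode the article's figures:
14-day patching, monthly asset inventory, 12+ months of log retention, TLS 1.2
or newer, and default-deny access. "Monthly" is taken as an assumed 31-day
maximum age.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_SLA_DAYS = 14
INVENTORY_MAX_AGE_DAYS = 31       # assumed reading of "monthly"
LOG_RETENTION_MIN_DAYS = 365
TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
TLS_MINIMUM = "TLSv1.2"


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                     # placeholder identifier, not a real CVE
    detected: date
    patched: Optional[date] = None   # None while the finding is still open


def patch_violations(findings, as_of):
    """Findings that took, or have so far taken, more than 14 days to patch."""
    out = []
    for f in findings:
        elapsed = ((f.patched or as_of) - f.detected).days
        if elapsed > PATCH_SLA_DAYS:
            out.append((f.asset, f.vuln_id, elapsed))
    return out


def stale_assets(inventory, as_of):
    """Assets whose last inventory record is older than the monthly cadence."""
    return sorted(a for a, seen in inventory.items()
                  if (as_of - seen).days > INVENTORY_MAX_AGE_DAYS)


def tls_meets_minimum(min_version):
    """True when the configured floor is TLS 1.2 or newer; unknown strings fail closed."""
    if min_version not in TLS_ORDER:
        return False
    return TLS_ORDER.index(min_version) >= TLS_ORDER.index(TLS_MINIMUM)


def config_issues(config):
    """Deviations from the encryption, logging and access-policy controls."""
    issues = []
    if not tls_meets_minimum(config.get("min_tls_version", "")):
        issues.append("tls_floor_below_1_2")
    if config.get("log_retention_days", 0) < LOG_RETENTION_MIN_DAYS:
        issues.append("log_retention_under_12_months")
    if config.get("default_access", "") != "deny":
        issues.append("access_policy_not_default_deny")
    return issues


# Constructed sample data.
AS_OF = date(2025, 10, 6)
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-PLACEHOLDER-1", date(2025, 9, 1), date(2025, 9, 10)),  # 9 days: within SLA
    Finding("db-02", "VULN-PLACEHOLDER-2", date(2025, 8, 20)),                     # still open: 47 days
    Finding("web-01", "VULN-PLACEHOLDER-3", date(2025, 9, 5), date(2025, 9, 25)),  # 20 days: late
]
SAMPLE_INVENTORY = {"web-01": date(2025, 9, 20), "db-02": date(2025, 7, 1)}
WEAK_CONFIG = {"min_tls_version": "TLSv1.0", "log_retention_days": 90, "default_access": "allow"}
HARDENED_CONFIG = {"min_tls_version": "TLSv1.2", "log_retention_days": 400, "default_access": "deny"}

if __name__ == "__main__":
    print("late patches:", patch_violations(SAMPLE_FINDINGS, AS_OF))
    print("stale assets:", stale_assets(SAMPLE_INVENTORY, AS_OF))
    print("weak config:", config_issues(WEAK_CONFIG))
    print("hardened config:", config_issues(HARDENED_CONFIG))
```

Two design points worth keeping in a real implementation: a still-open finding is measured against today's date so that an unpatched host surfaces immediately rather than only after it is closed, and an unrecognised TLS version string fails the check rather than passing it, so a typo in a config file cannot look like compliance.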
Exemptions: You might be in the clear if…
Not every transaction is subject to EO 14117. Exemptions include:
- Personal communications and expressive materials.
- Travel-related info.
- Official U.S. Government business.
- Financial transactions (banking, e-commerce, etc.).
- Telecommunications services.
- Clinical trials and FDA post-marketing surveillance (if de-identified).
- Corporate group transactions for internal ops (e.g., payroll, HR).
- Transactions authorized by U.S. law or international treaties.
Still, if your data crosses borders or lands in complex vendor ecosystems, assume you’re in scope until proven otherwise. When in doubt, consult legal counsel to confirm whether your specific data use or transaction qualifies for an exemption.
Your EO 14117 compliance action plan
Take a deep breath. This is manageable. Think of EO 14117 as your organization’s new data defense playbook. Here’s how to get started:
1. Know your data
Create a comprehensive data inventory and mapping system. Track:
- Data types and volumes
- Origins and destinations
- Third-party access points
2. Vet your vendors
Review existing contracts and enforce:
- Prohibitions on data resale to countries of concern
- Written commitments to comply with DSP rules
- Annual screening for ownership links to countries of concern
3. Stand up a compliance program
This includes:
- A written and annually certified compliance policy
- Role-based training, especially for executives and data handlers
- Annual independent audits to assess effectiveness and surface gaps
- Long-term documentation of your program, policies, and transactions
For organizations engaging in restricted transactions, these aren’t just best practices. They’re legal requirements. Records must be retained for at least 10 years, audits must be conducted annually, and certifications must be formally signed by senior leadership. These steps form the evidentiary backbone of your compliance posture.
4. Monitor, report, and remediate
If you suspect a violation or reject an offer to engage in a prohibited transaction:
- Report it to the DOJ’s National Security Division within 14 days
- Maintain records and cooperate with any inquiries
- Submit your audit findings annually, and fix weaknesses fast
Turning privacy into a national security advantage
Executive Order 14117 marks a defining moment in how organizations must approach data governance. This isn’t about routine compliance or ticking boxes. It’s about building resilience against real geopolitical threats. For privacy and compliance professionals, it demands a shift from reactive policies to proactive, risk-based programs that safeguard national interests.
The good news? You don’t need to solve it all overnight. But now is the time to take stock of your data flows, vendor relationships, and security posture. Privacy has always mattered. Now, it’s mission-critical.