Request for Comment on Security Requirements for Restricted Transactions Under Executive Order 14117

SUPPLEMENTARY INFORMATION:

I. Public Participation

All interested stakeholders are invited to comment on this notice and the security requirements described herein by submitting written data, comments, views, or arguments using the method identified in the ADDRESSES section. Interested stakeholders may view a copy of the proposed security requirements on CISA's website by visiting https://www.cisa.gov and searching for “Proposed Security Requirements for Restricted Transactions.” A copy of the proposed security requirements is also included in the docket for this notice and request for comment, docket number CISA-2024-0029. All members of the public are invited to comment including, but not limited to, specialists in the field, academic experts, industry stakeholders, and public interest groups.

Instructions: All submissions must include the agency name and Docket ID for this notice. Comments may be submitted electronically via the Federal e-Rulemaking Portal.

To submit comments electronically:

1. Go to www.regulations.gov and enter CISA-2024-0029 in the search field,

2. Click the “Comment Now!” icon, complete the required fields, and

3. Enter or attach your comments.

All submissions, including attachments and other supporting materials, will become part of the public record and may be subject to public disclosure. CISA reserves the right to publish relevant comments publicly, unedited and in their entirety. Personal information, such as account numbers or Social Security numbers, or names of other individuals, should not be included. Do not submit confidential business information or otherwise sensitive or protected information. All comments received will be posted to http://www.regulations.gov. Commenters are encouraged to identify the number of the specific topic or topics that they are addressing.

Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov and search for the Docket ID.

II. Background

A. History and Legal Authority

On February 28, 2024, the President issued E.O. 14117 entitled “Preventing Access to Americans' Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern” (the “Order”), pursuant to his authority under the Constitution and laws of the United States, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), and section 301 of Title 3, United States Code. In the Order, the President expanded the scope of the national emergency declared in E.O. 13873 of May 15, 2019 “Securing the Information and Communications Technology and Services Supply Chain,” and further addressed the national emergency with additional measures in E.O. 14034 of June 9, 2021, “Protecting Americans' Sensitive Data from Foreign Adversaries.” Specifically, Section 2(a) of E.O. 14117 directs the Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies, to issue, subject to public notice and comment, regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (“transaction”), where the transaction: (i) involves bulk sensitive personal data or United States Government-related data, as defined by final rules implementing the Order; (ii) is a member of a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because the transactions may enable countries of concern or covered persons to access bulk sensitive personal data or United States Government-related data in a manner that contributes to the national emergency described in the Order; and (iii) meets other criteria specified by the Order.

Among other things, the E.O., at Section 2(c) instructs the Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the relevant agencies, to issue regulations identifying specific categories of transactions (“restricted transactions”) that meet the criteria described in (ii) above for which the Attorney General determines that security requirements, to be established by the Secretary of Homeland Security through the Director of CISA in accordance with Section 2(d) of the Order, adequately mitigate the risks of access by countries of concern or covered persons to bulk sensitive personal data or United States Government-related data. In turn, Section 2(d) directs the Secretary of Homeland Security, acting through the Director of CISA, to propose, seek public comment on, and publish those security requirements, and Section 2(e) delegates to the Secretary of Homeland Security the President's powers under IEPPA as necessary to carry out Section 2(d).

On March 5, 2024, DOJ published an advance notice of proposed rulemaking (ANPRM) explaining a proposed framework that DOJ is considering for its forthcoming rules that would regulate certain data transactions involving bulk U.S. sensitive personal data and government-related data, as DOJ proposed to define these terms in the ANPRM. 89 FR 15780. The ANPRM states that DOJ is considering identifying three classes of restricted data transactions to address critical risk areas to the extent they involve countries of concern or covered persons and bulk U.S. sensitive personal data: vendor agreements; employment agreements; and investment agreements. 89 FR 15783. If implemented as described, such categories of transactions would be restricted, and otherwise prohibited unless they meet the security requirements developed by DHS in coordination with DOJ. See89 FR 15788. The ANPRM includes an outline of what the security requirements might entail. 89 FR 15795. Through the ANPRM, DOJ also proposes a framework for enforcement of its regulations. See89 FR 15797-15798.

DOJ is issuing a notice of proposed rulemaking (NPRM), Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, [DOJ Docket No. NSD-104, RIN 1124-AA01], in the proposed rule section of this issue of the Federal Register for public comment. Through this notice, CISA announces the proposed security requirements applicable to the classes of restricted transactions defined in DOJ's NPRM and requests public comment on the content of the security requirements.

B. Purpose and Structure of Proposed Security Requirements

The primary goal of the proposed security requirements is to address national-security and foreign-policy threats that arise when countries of concern and covered persons access bulk U.S. sensitive personal data or U.S. government-related data that may be implicated by the categories of restricted transactions. As explained in E.O. 14117, unrestricted transfers of Americans' bulk sensitive personal data and U.S. government-related data to countries of concern present a range of threats to national security and foreign policy. See89 FR 15421. Access to bulk sensitive personal data and government-related data can allow countries of concern to engage in malicious cyber-enabled activities and malign foreign influence. See89 FR 15422. With access to such data, countries of concern can track and build profiles on U.S. individuals, including members of the military and Federal employees and contractors, for illicit purposes such as blackmail and espionage. Id. Countries of concern can also use access to this data to collect information on activists, academics, journalists, dissidents, political figures, or members of non-governmental organizations or marginalized communities to intimidate them; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties. Id. In making this assessment, DOJ noted that the Office of the Director of National Intelligence (ODNI) has assessed that adversaries view data, including personally identifiable information on U.S. citizens, “as a strategic resource” to increase the effectiveness of their espionage, influence, kinetic, and cyber-attack operations and provide a strategic advantage over the United States. See id. (citing Office of the Director of National Intelligence, Annual Threat Assessment of the U.S. Intelligence Community at 26 (Feb. 6, 2023), https://perma.cc/4B2Y-7NVD ). DOJ assessed that advanced technologies, including big-data analytics, artificial intelligence, and high-performance computing, increase the ability of countries of concern to analyze and manipulate large tranches of data to more effectively target, influence, and coerce people in the United States. See89 FR 15781 and E.O. 14117.

The proposed security requirements are designed to mitigate the risk of sharing bulk U.S. sensitive personal data or U.S. government-related data with countries of concern or covered persons through restricted transactions. They do this by imposing conditions specifically on the covered data that may be shared as part of a restricted transaction, on the covered systems more broadly (both terms CISA is proposing to define within the security requirements), and on the organization as a whole. While the proposed requirements on covered systems and on an organization's governance of those systems apply more broadly than to the data at issue and the restricted transaction itself, CISA assesses that implementation of these requirements is necessary to validate that the organization has the technical capability and sufficient governance structure to appropriately select, successfully implement, and continue to apply the proposed covered data-level security requirements in a way that addresses the risks identified by DOJ for the restricted transactions. For example, to ensure and validate that a covered system denies covered persons access to covered data, it is necessary to maintain audit logs of accesses as well as organizational processes to utilize those logs. Similarly, it is necessary for an organization to develop identity management processes and systems to establish an understanding of which persons may have access to different data sets.

In addition to proposed requirements on covered systems, applying security requirements on the covered data itself that may be accessed in a restricted transaction is also necessary to address the risks. The specific requirements that are most technologically and logistically appropriate for different types of restricted transactions may vary. For example, some transactions may be amenable to approaches that minimize data or process it in such a way that does not reveal covered data to covered persons. In other cases, techniques such as access control and encryption may be more appropriate to deny any access by covered persons to covered data. The proposed security requirements contemplate multiple options to minimize the risk to covered data, though all the options build upon the foundation of the proposed requirements imposed on covered systems and the organization as a whole. While CISA is proposing that U.S. persons engaging in restricted transactions must implement all the organizational and covered-system level requirements, CISA proposes that such persons will have some flexibility to determine which combination of data-level requirements are sufficient to fully and effectively prevent access to covered data by covered persons and/or countries of concern, based on the nature of the transaction and the data at issue.

The proposed security requirements are divided into two sections: organizational and covered system-level requirements (Section I) and covered data-level requirements (Section II). The listed requirements were selected with the intent of directly mitigating the risk of access to covered data, with additional requirements included to ensure effective governance of that access, as well as approaches for establishing an auditable basis for compliance purposes. Requirements that directly mitigate the risk of access include I.B.1-2, I.B.4-6, and all data-level requirements (II.A.1-3, II.B.1-3, II.C, and II.D). Requirements included as a mechanism for ensuring proper implementation and governance of those access controls include I.A.1-7. Additional requirements incorporated as a mechanism for ensuring auditable compliance of the aforementioned access controls include I.B.3 and I.C. These proposed requirements reflect a minimum set of practices that CISA believes are required for effective data protection, as informed by CISA's operational experience. Through this notice, CISA seeks additional input based on the experience industry stakeholders. These requirements have been designed to be representative of broadly accepted industry best practices and are intended to address the needs of national security without imposing an unachievable burden on industry.

As directed by E.O. 14117, the proposed security requirements are based on National Institute of Standards & Technology (NIST) Cybersecurity Framework (CSF), and the NIST Privacy Framework (PF). 89 FR 15424. See NIST, Cybersecurity Framework ver. 2.0, available at https://www.nist.gov/cyberframework, and NIST, Privacy Framework ver. 1.0, available at https://www.nist.gov/privacy-framework. CISA has also leveraged existing performance goals, guidance, practices, and controls, including the CISA Cross-Sector Cybersecurity Performance Goals (CPGs), which are themselves based on the NIST CSF and PF. CISA, Cross-Sector Cybersecurity Performance Goals, available at https://www.cisa.gov/cross-sector-cybersecurity-performance-goals. By leveraging existing performance goals, guidance, practices, and controls, CISA hopes to mitigate the burden of understanding and implementing the security requirements where necessary. In the proposed security requirements, CISA included parentheticals noting the specific NIST CSF and PF provisions upon which the proposed security requirements are based. CISA is seeking additional public comment on these references.

The DOJ NPRM proposes to require, consistent with E.O. 14117, that United States persons engaging in restricted transactions must comply with the final security requirements by incorporating the standards by reference.

Finally, the proposed security requirements include a definitions section. To the extent the proposed requirements use a term already proposed to be defined in the DOJ rulemaking, CISA's use of that term in the proposed security requirement would carry the same meaning. For the purpose of these proposed security requirements, CISA proposes to include definitions for six terms used exclusively in the proposed security requirements:

• Asset. CISA proposes to define the term to mean data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes. This proposed definition is derived from the CSF NIST CSF version 1.1, which defined asset as “[t]he data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes.”
• Covered data. CISA proposes to define the term to mean the two categories of data identified by the E.O. and that DOJ is proposing to regulate—bulk U.S. sensitive personal data or government-related data.
• Information system. CISA proposes to define this term consistent with the definition in the Paperwork Reduction Act (PRA), 44 U.S.C. 3502. The term would mean a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

• Covered system. CISA proposes to define this term as a specific type of information system that is used to conduct a number of activities related to covered data as part of a restricted transaction. These activities are drawn from a combination of the activities in the proposed definition of information system in the proposed security requirements and the activities in the DOJ ANPRM's proposed definition of access. See89 FR 15788; proposed 28 CFR 202.201. The term would mean an information system used to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, view, receive, collect, process, maintain, use, share, disseminate, or dispose of covered data as part of a restricted transaction, regardless of whether the data is encrypted, anonymized, pseudonymized, or de-identified.
• Network. CISA proposes to define this term, which CISA developed consistent with the definition of the term in NIST Special Publication 800-171 rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The term would mean a system of interconnected components, which may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

III. Request for Public Input

A. Importance of Public Feedback

CISA is committed to seeking and incorporating public input into its approach to the development and content of the security requirements required by E.O. 14117. The proposed security requirements are available for review on CISA's website by visiting https://www.cisa.gov and searching for “Proposed Security Requirements for Restricted Transactions.” A copy of the proposed security requirements is also included in the docket for this notice and request for comment, docket number CISA-2024-0029. Below is a list of questions regarding the proposed security requirements for which CISA believes feedback could be particularly useful. CISA seeks a balanced approach to development of the security requirements, which would mitigate the risks of access to Americans' bulk sensitive personal data or government-related data by countries of concern while accounting for the impact that adopting these measures may have on those entities that would implement them. CISA encourages public comment on these topics and any other topics that commenters believe may be useful to CISA in the development of the forthcoming security requirements. The type of feedback that is most useful to the agency will identify specific approaches that CISA may want to consider and provide information supporting why the approach would foster a cost-effective and balanced approach. As discussed in more detail below, commenters may want to consider submitting views on organizational- and system-level requirements and/or data-level requirements. Feedback that contains specific information, data, or recommendations is more useful to CISA than generic feedback that omits these components. For comments that contain any numerical estimates, CISA encourages the commenter to provide any assumptions made in calculating the numerical estimates.

B. List of Questions for Commenters

Below is a non-exhaustive list of questions that are meant to assist members of the public in formulating their comments in response to this notice. The list of questions is not intended to restrict the issues that commenters may address. For more information on the proposed regulatory structure in which the security requirements will apply, please review DOJ's NPRM, Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, [DOJ Docket No. NSD-104, RIN 1124-AA01], published in today's proposed rule section of the Federal Register for public comment.

1. Are the proposed security requirements sufficiently robust to mitigate the risks of access to Americans' bulk sensitive personal data or government-related data by countries of concern?

2. Are the proposed organizational- and system-level requirements sufficient to provide U.S. persons engaging in restricted transactions confidence that logical and physical access to covered data is sufficiently managed to deny access to covered persons or countries of concern?

3. Do the security requirements provide sufficient flexibility, clarity, and specificity for the types of restricted transactions typically engaged in by U.S. entities, including to avoid overly burdening commercial activity not involving covered data while providing sufficient level of detail to aid in compliance verification?

4. Are there other data-level requirements (beyond those listed in Section II of the proposed security requirements) that CISA should consider that would enable U.S. entities to engage in commercial transactions without revealing covered data to covered persons or countries of concern?

5. The current approach allows for flexibility to determine which data-level requirements are sufficient to fully and effectively prevent access to covered data by covered persons and/or countries of concern. Are there data-level requirements that CISA should consider requiring in all cases?

6. What additional interpretive guidance would be helpful to U.S. entities in determining which data-level requirements should be applied based on the nature of the transaction and the data at issue?

7. What substantive requirements should CISA consider in Section II.C. to further define appropriate privacy-enhancing technologies that may be used within restricted transactions?

8. Should the standards for data aggregation in Section II.A differ from the proposed definition of bulk in the DOJ regulations? If so, are there requirements CISA should impose for U.S. persons engaged in restricted transactions to ensure that covered data is not re-constructable through aggregation while permitting more granular thresholds?

9. Are there additional substantive standards that should be added to the data-level requirements in Section II to better ensure their implementation can achieve the policy goal of not permitting access to covered data by covered persons or countries of concern?

10. To what extent could the measures described currently be reversed, broken, or circumvented by a technologically sophisticated actor? Are there additional conditions that would better or more appropriately mitigate this risk? If so, please describe them in detail.

11. To what extent could the measures described be rendered reversible, breakable, or able to be circumvented by anticipated future technology advances? What type of future technology advances would pose the greatest risk to these types of protective measures?

12. Would it be useful to the entities likely to undertake restricted transactions if CISA mapped these requirements to ISO-27001 or example controls from NIST Special Publication 800-171 ( e.g., to facilitate compliance audits)?

[FR Doc. 2024-24709 Filed 10-22-24; 4:15 pm]

BILLING CODE 9111-1LF-P