The DOJ’s Executive Order 14117 establishes a national security framework for regulating cross-border transfers of sensitive U.S. data. It’s about controlling who can access sensitive U.S. data, where it can go, and how organizations manage risk across borders.
The rule aims to prevent foreign adversaries from gaining access to bulk personal or government-related data that could pose a threat to national security – especially data tied to U.S. citizens and critical infrastructure sectors.
Who’s Impacted
Organizations across industries are in scope, particularly:
- Privacy, legal, and security teams in U.S.-based and foreign-owned entities operating in the United States
- Enterprises handling bulk volumes of health, financial, biometric, genomic, geolocation, or personal identifier data tied to U.S. persons
- Companies engaging in transactions or data sharing with vendors, contractors, brokers, or investors linked to China, Russia, Iran, North Korea, Cuba, Venezuela, or Hong Kong
Why It Matters Now
The DOJ’s final rule outlines two categories of transactions:
- Prohibited Transactions: Sales, licensing, or brokerage of bulk sensitive data to entities linked to countries of concern
- Restricted Transactions: Data transfers in the context of vendor, employment, or investment relationships that require additional due diligence and technical safeguards
Key dates to know:
- July 8, 2025: The DOJ’s 90-day “good faith” enforcement grace period ends
- October 6, 2025: Full compliance is required, including due diligence documentation, independent audits, recordkeeping, and adherence to CISA security guidance for restricted transactions
Noncompliance could trigger DOJ investigations, enforcement actions, and significant penalties. The burden is on organizations to prove they understand their data flows and have taken appropriate action to mitigate risk.
How BigID Helps: Enforce Sovereignty at Scale
BigID enables organizations to detect, control, and demonstrate compliance with EO 14117. Privacy, legal, and security teams can take swift action to stay ahead of regulation and risk.
1. Identity-Aware Discovery and Classification
Automatically discover and classify sensitive data that meets DOJ-defined thresholds. Map where it lives, who it belongs to, and how it moves – across cloud, SaaS, on-prem, and unstructured environments.
2. Continuous Monitoring of Cross-Border Transfers
Track data movement in real time. Flag transfers to restricted countries or covered persons. Assign risk scores and configure alerts for suspicious flows or policy violations.
3. Policy Enforcement and Remediation
Set and enforce rules to block, tokenize, quarantine, or delete data based on geography, residency, or ownership. Automate remediation and reduce manual oversight.
4. Audit-Ready Reporting and Documentation
Generate detailed logs, dashboards, and compliance artifacts to support DOJ and internal reviews. Document data inventories, transaction types, control enforcement, and remediation with full traceability.
Quick Compliance Checklist
✔ Discover and classify bulk sensitive U.S. personal data across all environments
✔ Map cross-border flows and flag transfers to countries of concern
✔ Assess third-party risk from vendors, investors, and employment agreements
✔ Apply and enforce localization and residency policies
✔ Document controls, activity logs, and mitigation steps for DOJ reviews
✔ Prepare for October 6 with complete reporting and independent audit readiness
Why This Rule Is Different
EO 14117 is not about transparency or consent. It is a national security mandate. The rule applies even to encrypted or anonymized data, because aggregation and access alone present risk. There are no carve-outs and no shortcuts – just clear thresholds, defined enforcement, and growing scrutiny.
Looking Ahead
EO 14117 marks a turning point in how cross-border data governance is managed. This is about controlling exposure, ensuring accountability, and protecting sensitive data from adversarial access.
With BigID, organizations can shift from reactive compliance to proactive sovereignty enforcement. You get real-time discovery, continuous monitoring, and policy-based control—all in one platform.
Get audit-ready before October 6. Let BigID help you meet the moment with confidence. See how today.