Executive Order 14117 Brings New Rules on Data Sharing
- Patrick Bryden
- Feb 28, 2025
Updated: Jan 16
Operating a global business in 2025 feels more compliance-constrained than ever. A final rule from CISA, aimed at regulating cross-border bulk data sharing, adds a critical new framework to the mix.
Pursuant to Executive Order 14117, titled “Preventing Access to Americans' Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern,” the rule explicitly lists prohibited data-sharing transactions and defines "covered persons" who must meet stringent security mandates.

Why Compliance Fails at the Perimeter
The most significant challenge posed by EO 14117 is that traditional network security is no longer sufficient. Compliance fails without enforcement at the data layer itself. If sensitive info is only protected by a firewall or a login, it becomes vulnerable the moment it is shared with a third party or vendor. To meet the EO’s mandates, organizations must transition to sensitive unstructured data protection that stays with the file, regardless of where it travels.
What Changes on April 8th?
Most new rules go into effect on April 8th, 2025, with full implementation by October. Key impacts include:
- Complex Data Sharing: Stricter rules for business with Countries of Concern (CoC), including China, Russia, Iran, and others.
- Mandatory Security Controls: Standardized MFA, least-privilege access, and continuous vulnerability monitoring.
- Strict Penalties: High stakes for non-compliance in commercial, vendor, and investment agreements.
Defining the "Covered" Landscape
The DOJ and CISA have cast a wide net to ensure national security:
- Impacted Countries: China (incl. Hong Kong/Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
- Covered Persons (CP): Includes organizations >50% owned by a CoC or individuals residing in a CoC.
- Covered Transactions: Commercial sales of bulk US personal data (BUSPD), vendor agreements, and even specific employment contracts.
Tough Data-Level Controls
Given Executive Order 14117’s emphasis on national security resilience, the outlined security requirements combine industry best practices with specific control mandates.
Organizations must implement the following to meet DOJ 28 CFR Part 202 standards:
- Regular Risk Assessments: Mandatory annual reviews of the entire data ecosystem.
- Persistent Data Protection: Implementation of CISA-standard encryption for data at rest and in transit.
- Privacy-Enhancing Technologies (PETs): Usage of selective encryption and masking to reduce data linkability and ensure granular access control.
- Bulk Threshold Monitoring: Vigilant tracking of data volumes—such as genomic data for 100+ persons or health data for 10,000+ persons—that trigger these regulatory restrictions.
How Confidencial Ensures EO 14117 Compliance
Executive Order 14117 provides a critical opportunity to evaluate your existing sensitive unstructured data protection. Confidencial delivers the persistent protection required by modern regulators.
Our unique selective encryption granularly protects sensitive data inside a file both in transit and at rest. This protection is persistent: no matter where the file goes, sensitive data remains encrypted to unauthorized users. This balance of security and shareability is the only way to meet the rigorous demands of the new CISA guidance.



