User’s Guide to DOJ & CISA Rules Implementing Executive Order 14117

Executive Order (EO) 14117 is a national security rule intended to mitigate national security risks posed by threat countries’ access to sensitive personal data and government-related data. 

The EO directed the U.S. Department of Justice (DOJ) to issue implementing regulations and directed the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to develop related security measures for classes of transactions.

DOJ and CISA each issued their final rules, which were published in the Federal Register on January 8, 2025 (see DOJ and CISA notices). The EO was not rescinded by President Trump’s January 20, 2025, EO rescinding EOs issued by President Biden. Because the rules were published before the Presidential transition, President Trump’s January 20, 2025 EO freezing pending regulations did not withdraw the DOJ or CISA rules, but they are subject to postponement for 60 days if DOJ or CISA identify a need to review a question of fact, law, or policy that the rules implicate.

This summary gives an overview of the substantive rule DOJ announced. Separate pieces will describe DOJ’s anticipated compliance and enforcement regimes and the CISA security standards the rule cross-references. The effective date of the rule is April 8, 2025. If the Trump administration postpones implementation to conduct a review, the effective date will be extended to June 9, 2025.