Compliance Tip of the Day

Compliance Tip of the Day – Asking Questions to Further Compliance

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

How asking questions works to create trust and a culture of compliance.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing Your Compliance Program, 6th Edition, which LexisNexis recently released. It is available here.

Daily Compliance News

Daily Compliance News: May 14, 2025, The Widened Whistleblower Program Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News—all from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • The C-Suite wants to quantify AI’s impact. (Forbes)
  • General Dynamics in hot water over wage and hour compliance. (Reuters)
  • Of dress codes and walkouts at Starbucks. (Bloomberg)
  • Broader DOJ whistleblower program announced. (WSJ)

The Hill Country Podcast

The Hill Country Podcast – Resilience and Leadership in Coaching with Jen Hardy

Welcome to the award-winning The Hill Country Podcast. The Texas Hill Country is one of the most beautiful places on earth. In this podcast, Hill Country resident Tom Fox visits with the people and organizations that make this the most unique area of Texas. This week, Tom welcomes Jen Hardy, who shares her inspiring journey from being a high school soccer player in Austin, Texas, to becoming a successful coach and leader.

Jen talks about her challenging yet transformative experience at Schreiner University, where she transitioned from playing to coaching soccer. She elaborates on how she developed her leadership skills, the lessons learned from coaching, and how she addressed her shortcomings to support her athletes better. After leaving public education, Jen co-leads the Academy of MotivAction, focusing on supporting high-stress professionals in overcoming burnout and building resilience. She also discusses her recent honor of giving the commencement speech at Schreiner University and her key message on the importance of self-identity beyond professional achievements.

Key highlights:

  • Early Life and Journey to Kerrville
  • College Soccer Experience at Schreiner
  • Transition to Teaching and Coaching
  • Coaching Philosophy and Growth
  • Current Career and Business Ventures
  • Commencement Speech and Reflections

Resources:

Jen Hardy on LinkedIn

MotivAction

Other Hill Country Network Podcasts

Hill Country Authors Podcast

Hill Country Artists Podcast

Texas Hill Country Podcast Network

Artwork

Nancy Huffman Fine Art

Great Women in Compliance

Great Women in Compliance – The Compliance Influencer with Bettina Palazzo

In this episode of Great Women in Compliance, Lisa speaks with Dr. Bettina Palazzo, a leader in business ethics, the founder of Palazzo Ethics Advisory, and the International Compliance Association Influencer of the Year in 2024. Bettina shares the experiences that led to her entering the field of business ethics and the profession’s evolution, particularly in Europe.

Bettina shares how she defines an ethics influencer and how all of us can become one. She gives ideas and strategies for effectively communicating ethics and compliance using positive messaging and how this can lead to a more ethical workplace and happier employees. She also introduces the “ethics gym,” a training concept designed to help leaders navigate ethical dilemmas and reinforce their commitment to ethical practices.

Two other fun facts: she met her husband, Guido Palazzo, at a business ethics conference and started the “F-Up Festival with Christian Hunt,” where E&C professionals can speak candidly about mistakes and lessons learned—the next one is on Thursday, May 15, at 11 a.m. ET!

Compliance Into the Weeds

Compliance into the Weeds: Leaving on a (Qatari) Jet Plane

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Are you looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! With a nod to Peter, Paul and Mary, and John Denver, in this Compliance into the Weeds episode, Tom Fox and Matt Kelly take a deep dive into the potential gift of a luxury Qatari jetliner to President Trump.

We discuss the launch of Trump’s meme coins and the Qatari government’s allegedly planned $400 million plane donation to Trump. The conversation examines the compliance and corruption risks these actions pose for U.S. and international businesses. Kelly emphasizes how these incidents challenge ethical standards and underscore the importance for companies to address new forms of corruption proactively within their anti-corruption programs.

Key highlights:

  • Trump’s Alleged Corruption: An Overview
  • The Meme Coins Controversy
  • The Qatari Plane Donation
  • Compliance and Integrity in the Face of Corruption

A multi-award-winning podcast, Compliance into the Weeds, was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, the Top 10 Business Law Podcasts, and the Top 12 Risk Management Podcasts.

Blog

Data Defense is the New Compliance: What the Data Security Program Means for Compliance

In an age where data is the new oil, the Department of Justice (DOJ) has dropped a regulatory hammer with the Data Security Program (DSP), which was released on April 8, 2025, and implemented under Executive Order 14117. If you are a corporate compliance officer, this is not simply another acronym to file away; it is a full-blown mandate to build a risk-based compliance infrastructure that treats data the way we’ve historically treated cash: something precious, something dangerous, and something that foreign adversaries are actively trying to exploit. The DSP marks a critical shift in how compliance professionals think about national security, not as the purview of spooks and diplomats but as a living, breathing component of your organization’s third-party risk, data governance, and vendor oversight programs. Equally interestingly, the Trump Administration builds, with zero fanfare, on the building blocks put in place by the Biden Administration.

DSP Is More Than an IT Issue

The DOJ is not simply aiming at your Chief Information Officer (CIO), but rather looking squarely at you, the compliance professional. The new rules require U.S. persons (which includes individuals and corporations) to proactively monitor, restrict, and, when necessary, report data transactions that could expose U.S. Government-related or bulk sensitive personal data to adversarial foreign actors. These rules are about compliance and accountability. DSP enforcement brings with it the full force of the International Emergency Economic Powers Act (IEEPA), meaning penalties can include civil fines exceeding $368,000 per violation and criminal liability with up to 20 years in prison. That should sober up even the most compliance-fatigued executive.

Who’s in the DOJ’s Crosshairs?

The program identifies “Countries of Concern,” including China, Russia, Iran, North Korea, Venezuela, and Cuba. It further defines “covered persons” as not just foreign governments or entities but any individual or company operating under their influence, including contractors and subsidiaries that may be 50% or more owned by such parties. This is not simply a red flag but should be seen as a red carpet for compliance departments to step up and create data-focused due diligence protocols that mirror those already established under the FCPA for anti-bribery or OFAC for sanctions screening.

The DSP targets four main types of transactions:

1. Data Brokerage Agreements

2. Vendor Agreements

3. Employment Agreements

4. Investment Agreements

Any of these, involving sensitive personal data or government-related data, could trigger a compliance obligation or, worse, a violation. Even anonymized or encrypted data isn’t exempt if it can be aggregated to reveal individual identities. Compliance teams must now incorporate data risk classification and flow mapping into their routine controls and audits.

Restricted and Prohibited Transactions: Not Just Semantics

The DSP distinguishes between “prohibited” and “restricted” transactions. Prohibited transactions, like selling bulk data to a covered person or foreign entity, are off-limits. Restricted transactions, such as engaging a foreign vendor for cloud services, are allowed only if specific due diligence, security protocols, and contractual safeguards are met.

Translation for compliance officers: This is your new playbook. You must tailor contract language to prohibit onward data transfers, track compliance, audit vendors, and report violations within 14 days. Inaction isn’t just a missed best practice; it could also be a statutory violation.

Your New Compliance Infrastructure: Four Pillars

Under Subpart J of the DSP, companies must develop and maintain a robust Data Compliance Program. Here’s what the DOJ expects from you:

1. Risk-Based Due Diligence Procedures: Know your data, vendors, employees, and business model. Map where sensitive data lives and flows. Identify exposure to covered persons or countries of concern.

2. Security Requirements: Implement the Cybersecurity and Infrastructure Security Agency’s (CISA) security standards and document them in a written policy reviewed annually.

3. Audit Program: Conduct an annual independent audit to assess DSP compliance, covering your vendors, data flows, contracts, and internal controls.

4. Training and Certification: Deliver targeted training to frontline staff and compliance officers. Certify the program annually with a sign-off from a senior officer not designated as a covered person.

The Compliance Response

Do not underestimate the power of line managers in operationalizing this program. From procurement officers vetting vendors to HR leads onboarding new hires, your middle managers are now your eyes and ears for potential data risks. Equip them with training, toolkits, and escalation protocols. Empower them to say, “No, we can’t do that,” and back them up when they do. This is where culture meets controls, and a compliance-minded organization distinguishes itself from a liability waiting to happen. DSP violations are serious business, but the program leaves room for good-faith actors. Reporting suspected breaches or rejected transactions within 14 days may mitigate enforcement risks.

What to Do Now: A Compliance Checklist

For those who want to get ahead of this before the hammer drops, here’s your compliance punch list:

  • Review your current data governance and privacy policies—align them with DSP risk categories.
  • Audit your third-party vendor agreements for exposure to covered persons or countries of concern.
  • Draft contractual clauses that explicitly prohibit data resale or access by covered entities.
  • Set up internal processes for training, audit, and reporting.
  • Engage your board and C-suite on DSP requirements. This is national security compliance, not just privacy.
  • Start building your Data Compliance Program today, as the date of October 6, 2025 (the full implementation date) is not as far off as it seems.

Conclusion: The Age of Data National Security is Here

The DSP marks a sea change for compliance professionals. It transforms data governance from an IT-driven policy concern into a top-tier compliance risk, with reporting deadlines, audit mandates, and hefty penalties. It requires us to think beyond cybersecurity and embrace data risk as a function of geopolitical conflict and corporate accountability. Compliance is not simply about following the rules; rather, it is about being the first line of defense in protecting American data, values, and institutions from adversarial exploitation. And in that mission, every compliance professional is now a stakeholder in national security.

So, as Bette Davis might say, buckle up, tune up your compliance programs, and get ready to evangelize the next great frontier in corporate compliance.