Introduction
On Feb. 28, 2024, then-President Joe Biden signed Executive Order (E.O.) 14117, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.”
This E.O. was issued in response to escalating national security concerns. Specifically, it targets unauthorized access by foreign adversaries, including China (inclusive of Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela, to sensitive U.S. personal and government-related information via digital supply chains and global data ecosystems.
To address these risks, E.O. 14117 imposes restrictions on specific data transactions involving such countries.
On Dec. 27, 2024, the U.S. Department of Justice (DOJ) issued a final rule implementing the E.O. This rule took effect on April 8, 2025, and established the Data Security Program (DSP), the first comprehensive framework restricting cross-border data flows based on national security considerations.
The DSP prohibits or restricts specific “covered data transactions” that could expose U.S. sensitive personal or government-related data to foreign adversaries.
To support organizations in understanding and complying with these new rules, the DOJ’s National Security Division (NSD) released three key documents on April 11, 2025:
- Implementation and Enforcement Policy
  - Defines the DOJ’s enforcement approach, including a 90-day transition period (ending July 8, 2025), prioritizing guidance over penalties for good-faith compliance efforts.
- Compliance Guide
  - Provides step-by-step guidance for risk assessments, governance frameworks, and technical controls in alignment with DSP requirements.
- Frequently Asked Questions (FAQs)
  - Clarifies key terms, categories of covered transactions, and expectations for compliance efforts.
Key Compliance Challenges
Based on our experience supporting multinational clients, we observe recurring challenges in implementing E.O. 14117 compliance frameworks:
- Ambiguity in Definitions and Scope
  - Many organizations face uncertainty over vague terms like “covered data transaction” and “bulk sensitive personal data.” Questions often arise about whether anonymized or aggregated datasets fall under the scope of the E.O.
- Overlooked Data Categories
  - There is a tendency to overlook risks associated with de-identified or aggregated data. However, the E.O. covers indirect risks, such as re-identification potential, which still require controls.
- Implementation Silos Across Functions
  - Without coordination across legal, information technology (IT), and business teams, security efforts remain fragmented. For instance, IT may deploy controls but fail to update vendor due diligence practices.
- Vendor Oversight and Exemptions
  - Confusion persists around exemptions (e.g., passive investments) and how frequently vendors should be reassessed, particularly those with ties to countries of concern.
Recommended Four-Phase Compliance Approach
To help organizations implement E.O. 14117 in a structured and defensible way, Ankura recommends a cyclical, four-phase approach:
- Phase 1: Data Mapping
  - Identify all data collection, storage, transmission, and third-party sharing points, especially those involving cross-border processing or foreign vendors.
  - Create visual data maps and system inventories identifying E.O.-relevant data types (e.g., biometric, geolocation).
  - Pay attention to shadow IT, outdated developer tools, and legacy systems that may inadvertently transmit data.
- Phase 2: Risk & Security Assessment
  - Conduct assessments under attorney-client privilege to identify exposure.
  - Use technical frameworks such as the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals (CPG) to assess current controls.
  - Evaluate vendor service level agreements, contracts, and privacy policies to locate red-flag practices.
  - Centralize findings into a compliance risk register.
- Phase 3: Implementation & Safeguards
  - Deploy governance, technology, and data protection controls, for example:
    - Organizational: Appoint leads and create approval workflows.
    - Technical: Multi-factor authentication, endpoint security, logging, encryption.
    - Data: Anonymization, minimization, privacy-enhancing technologies.
    - Third-Party: Review, update, and assess vendor contract clauses.
- Phase 4: Reassessment & Governance Maturity
  - Schedule periodic reviews of vendor risk, data flows, and legal updates.
  - Run simulation exercises to test readiness.
  - Involve counsel to ensure legal protection of internal assessments.
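To make the data-mapping and risk-register steps of Phases 1 and 2 concrete, here is an added Python example; it is not Ankura’s tooling and not anything published with the DOJ rule. It screens a constructed data-flow inventory, flags flows whose recipient sits in one of the countries of concern named above, applies per-category bulk thresholds, treats de-identified data as reduced but not eliminated risk, and emits a severity-ordered risk register. The DataFlow fields, the category table, the threshold values, and the sample inventory are all assumptions chosen for illustration; the DSP’s actual thresholds and definitions must be taken from the rule text.

```python
from dataclasses import dataclass

# Countries of concern named in E.O. 14117 (Hong Kong and Macau are treated as part of China).
COUNTRIES_OF_CONCERN = {"CN", "HK", "MO", "RU", "IR", "KP", "CU", "VE"}

# Constructed placeholder bulk thresholds per data category. The DSP sets its own
# per-category thresholds; take them from the rule text, not from this table.
BULK_THRESHOLDS = {
    "biometric": 1_000,
    "geolocation": 1_000,
    "health": 10_000,
    "financial": 10_000,
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class DataFlow:
    """One row of the data map: what leaves a system and who receives it (assumed schema)."""
    system: str               # originating system (app backend, CRM, update server, ...)
    data_category: str        # biometric, geolocation, health, financial, government_related, ...
    record_count: int         # U.S. persons or devices represented in the dataset
    deidentified: bool        # anonymized or aggregated before it leaves the system
    destination_country: str  # ISO 3166 code of the recipient's location
    recipient: str            # vendor, team or counterparty receiving the data or access
    transfer_type: str        # vendor, employment, investment, data_brokerage, ...


def screen_flow(flow: DataFlow) -> dict:
    """Rate one data flow and record the reasoning, for the compliance risk register."""
    rationale = []

    if flow.destination_country not in COUNTRIES_OF_CONCERN:
        return _entry(flow, "low", ["recipient is not in a country of concern"])

    if flow.data_category == "government_related":
        severity = "high"
        rationale.append("government-related data: no volume threshold applies")
    elif flow.data_category in BULK_THRESHOLDS:
        threshold = BULK_THRESHOLDS[flow.data_category]
        if flow.record_count >= threshold:
            severity = "high"
            rationale.append(f"{flow.record_count} {flow.data_category} records meet placeholder bulk threshold {threshold}")
        else:
            severity = "medium"
            rationale.append(f"{flow.record_count} {flow.data_category} records are below placeholder bulk threshold {threshold}; re-screen as volume grows")
    else:
        severity = "medium"
        rationale.append(f"category '{flow.data_category}' is not in the classification table; classify before transfer")

    # De-identification lowers exposure but does not remove it: re-identification
    # potential still needs documented controls, so the rating drops one step, not to low.
    if flow.deidentified and severity == "high" and flow.data_category != "government_related":
        severity = "medium"
        rationale.append("de-identified; document re-identification risk and contractual controls")

    if flow.transfer_type == "investment":
        rationale.append("may fall under the passive-investment exemption; confirm with counsel")

    return _entry(flow, severity, rationale)


def _entry(flow: DataFlow, severity: str, rationale: list) -> dict:
    return {
        "system": flow.system,
        "recipient": flow.recipient,
        "destination_country": flow.destination_country,
        "data_category": flow.data_category,
        "severity": severity,
        "rationale": "; ".join(rationale),
    }


def build_risk_register(flows) -> list:
    """Screen every mapped flow and return entries ordered highest severity first."""
    entries = [screen_flow(f) for f in flows]
    return sorted(entries, key=lambda e: (SEVERITY_RANK[e["severity"]], e["system"]))


# Constructed sample data map, loosely modelled on the IoT case study on this page.
SAMPLE_FLOWS = [
    DataFlow("device-telemetry", "geolocation", 250_000, False, "CN", "Shenzhen backend team", "employment"),
    DataFlow("customer-support", "health", 4_200, True, "CN", "support vendor", "vendor"),
    DataFlow("crash-reports", "device_diagnostics", 90_000, False, "CN", "firmware team", "employment"),
    DataFlow("update-cdn", "geolocation", 1_000_000, False, "US", "U.S. CDN provider", "vendor"),
]

if __name__ == "__main__":
    for entry in build_risk_register(SAMPLE_FLOWS):
        print(f"[{entry['severity']:<6}] {entry['system']} -> {entry['recipient']} "
              f"({entry['destination_country']}): {entry['rationale']}")
```

The register deliberately keeps a rationale string per row: when counsel later reviews the assessment under privilege, the reason a flow was rated high (volume, category, destination) is what gets argued over, not the label itself. Unknown categories rate medium rather than low so that a gap in the classification table surfaces as work to do instead of silently passing.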
Success Factors in Navigating E.O. 14117 Compliance
- Cross-Border Consulting Collaboration
  - Integrated teams spanning China and the U.S. enable holistic analysis of local practices and global expectations, facilitating smoother cross-border data assessments.
- Partnership with Legal Counsel
  - Active collaboration with legal counsel ensures privilege-protected assessments and accurate regulatory interpretation.
Conclusion
E.O. 14117 represents a fundamental change in U.S. data governance, positioning national security as a top compliance priority. Organizations with cross-border operations must approach compliance with strategic discipline and operational rigor.
Sustainable compliance hinges on continuous improvement, robust governance, and trusted legal/cybersecurity expert firm partnerships.
Case Study: Chinese Internet of Things Exporter with U.S. Operations
Scenario:
A Chinese smart device company operating in the U.S. via mobile apps and e-commerce platforms stored data on American web services but allowed Chinese-based teams to access backend systems.
Identified Risks:
Sensitive data was exposed through telemetry logs, customer service channels, and software updates, activities deemed risky under E.O. 14117.
Applied Measures:
- Phase 1–2: Conducted legal-technical review, mapped data types and flow.
- Phase 3: Restricted China-based access, encrypted data, segregated environments.
- Phase 4: Instituted internal audits and coordinated with U.S. counsel under privilege.
For further suggestions or tailored implementation support, please contact our team.
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.