Navigating New Security Requirements under DOJ’s Bulk Data Regulations: Is NIST Compliance Enough?

Question: My organization adheres to the NIST Cybersecurity Framework (version 2.0). Am I ready to process Restricted Transactions?

Answer: No, adhering to the NIST Cybersecurity Framework (CSF) does not necessarily mean you comply with the Cybersecurity and Infrastructure Security Agency’s (CISA) Security Requirements for Restricted Transactions[1] (Security Requirements). Although the Security Requirements are based upon specific subcategories of the NIST Cybersecurity Framework (CSF) Core and the Privacy Framework (PF) Core, in many cases, the Security Requirements go beyond the NIST standards.

While the Security Requirements only apply to Covered Systems[2] and Covered Data,[3] many of the Security Requirements are stricter than the NIST standards that CISA references. We discuss below the key areas and actions where subject companies may need to go beyond the NIST CSF and PF to meet the Security Requirements by April 8, 2025 (the effective date for the Bulk Sensitive Data Regulations).

Organizational- and System-Level Requirements: The Security Requirements are organized into two categories: (1) Organizational- and System-Level Requirements and (2) Data-Level Requirements. Security Requirements in the first category are mandatory; all of the Organizational- and System-Level Requirements must be implemented before a company can participate in Restricted Transactions. We discuss below non-exclusive examples where subject companies may need to implement controls beyond the NIST CSF to meet the Security Requirements:

Organizational-Level

• Leadership: Appoint an organizational-level leader responsible and accountable for governance, risk, and compliance (in addition to cybersecurity).
• Incident Response Planning: Review the incident response plan(s) applicable to Covered Systems at least annually.
• Risk Assessment: Conduct a risk assessment of the Data-Level Requirements and review the risk assessment annually.

System-Level

 For all Covered Systems:

• Asset Inventory: Update extensive Asset inventories at least monthly.
• Vulnerability Management: Remediate all known exploited vulnerabilities (KEVs) in 45 calendar days (with options for alternative compensating controls).
• Vendor Agreements: Document and maintain all vendor/supplier agreements (including contractual IT and cybersecurity requirements).
• Network Map: Develop and maintain an accurate network topology of the Covered System(s) and, where technically feasible, any network interfacing with a Covered System(s).
• Hardware/Software Approval: Implement and maintain a risk-informed allowlist of approved hardware and software.
• Multifactor Authentication (MFA): Enforce MFA or require strong passwords with 15+ characters.
• Identity and Credential Management: Promptly revoke any credentials (including shared credentials) or authorized access for any individuals upon departure from their role.
• Log Collection: Collect and store all access and security event logs for covered system(s) for a minimum of 12 months in a central system.
• Log Alerting: Implement an alerting process to notify cybersecurity personnel when a critical log source is not producing or retaining logs as expected.
• Connection Management: Deny by default all connections to Covered Systems and the networks on which those systems reside (except for a specific allowlist for system functionality).

Data-Level Requirements: The Data-Level Requirements are somewhat flexible because subject companies may choose any combination of the listed data mitigation strategies so long as they are sufficient to fully and effectively prevent access to Covered Data that is linkable, identifiable, unencrypted, or decryptable (using commonly available technology) by covered persons and/or countries of concern.

In addition to the requirement to fully and effectively prevent access to Covered Data, and similar to the Organizational- and System-Level Requirements, there are also areas where subject companies may need to go beyond the NIST PF to meet the Security Requirements:

• If you use Data Minimization/Data Masking Strategies, you should also
• Review your written data retention and deletion policy annually; and
• Process data in such a way that ensures it is no longer Covered Data or that minimizes linkability to U.S. person entities (including ensuring identities cannot be inferred or extrapolated from the data set at issue or in combination with other data sets held by the organization).
• If you use Encryption Techniques, you should also
• Ensure your encryption is comprehensive;[4]
• Encrypt Covered Data in a Restricted Transaction during storage and transit; and
• Apply the specified encryption key management practices, including preventing covered persons from accessing encryption keys.
• If you use Privacy-Enhancing Technologies, you should also
• Prevent covered persons from participating as trusted parties in your privacy-preserving computations; and
• Ensure that Covered Data (including information that could reasonably be used to reconstruct Covered Data) is not otherwise revealed to covered persons.
• If you use Identity and Access Management Techniques, you should also ensure that Identity and Access Management system configurations deny access to Covered Data by covered persons and countries of concern.

[1] The Security Requirements are set forth by CISA. “Restricted Transactions” and other terms are defined in the Bulk Sensitive Data Regulations.

[2] A Covered System:

• means an Information System used to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, view, receive, collect, process, maintain, use, share, disseminate, or dispose of (collectively, “interact with”) Covered Data as part of a restricted transaction, regardless of whether the data is encrypted, anonymized, pseudonymized, or de-identified; and
• does not include an Information System (e.g., an end user workstation) that has the ability to view or read sensitive personal data (other than sensitive personal data that constitutes government-related data) but does not ordinarily interact with such data in bulk form.

An Information System means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

[3] Covered Data means government-related data or bulk U.S. sensitive personal data.

[4] For the purposes of this requirement, CISA considers comprehensive encryption to mean cryptographic algorithms, ciphers, and protocols that are ordinarily accepted by U.S. persons with significant expertise in cryptography as being sufficient to provide confidentiality and integrity protections to sensitive data against compromise by currently known techniques and a level of computing power that is reasonably foreseeable to be available to any person, organization, or country in the near future. CISA considers U.S. government-approved encryption algorithms, ciphers, and protocols to meet this standard, but organizations may determine that other algorithms, ciphers, and protocols also qualify. For connections made using Transport Layer Security (TLS), only version 1.2 or higher is considered comprehensive encryption.