Request for Comment on Security Requirements for Restricted Transactions Under Executive Order 14117

<NOTICE> DEPARTMENT OF HOMELAND SECURITY <DEPDOC>[Docket No. CISA-2024-0029]</DEPDOC> <SUBJECT>Request for Comment on Security Requirements for Restricted Transactions Under Executive Order 14117</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> Cybersecurity and Infrastructure Security Agency (CISA), DHS. <HD SOURCE="HED">ACTION:</HD> Notice and request for comment. <SUM> <HD SOURCE="HED">SUMMARY:</HD> CISA seeks public input on the development of security requirements for restricted transactions as directed by Executive Order (E.O.) 14117, “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” E.O. 14117 addresses national-security and foreign-policy threats that arise when countries of concern and covered persons can access bulk U.S. sensitive personal data or government-related data. The proposed CISA security requirements for restricted transactions would apply to classes of restricted transactions identified in regulations issued by the Department of Justice (DOJ). </SUM> <DATES> <HD SOURCE="HED">DATES:</HD> Written comments are requested on or before November 29, 2024. </DATES> <HD SOURCE="HED">ADDRESSES:</HD> You may send comments, identified by docket number CISA-2024-0029, through the Federal eRulemaking Portal available at <E T="03">http://www.regulations.gov.</E> <E T="03">Instructions:</E> All comments received will be posted to <E T="03">https://www.regulations.gov,</E> including any personal information provided. For detailed instructions on sending comments and for information on the types of comments that are of particular interest to CISA, see the “Public Participation” and “Request for Public Input” heading of the <E T="02">SUPPLEMENTARY INFORMATION</E> section of this document. Please note that this notice and request for comment is not a rulemaking and that the Federal eRulemaking Portal is being utilized only as a mechanism for receiving comments. <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> Alicia Smith, Senior Policy Counsel, Cybersecurity and Infrastructure Security Agency, <E T="03">EOSecurityReqs@cisa.dhs.gov,</E> 202-316-1560. </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> <HD SOURCE="HD1">I. Public Participation</HD> All interested stakeholders are invited to comment on this notice and the security requirements described herein by submitting written data, comments, views, or arguments using the method identified in the <E T="02">ADDRESSES</E> section. Interested stakeholders may view a copy of the proposed security requirements on CISA's website by visiting <E T="03">https://www.cisa.gov</E> and searching for “Proposed Security Requirements for Restricted Transactions.” A copy of the proposed security requirements is also included in the docket for this notice and request for comment, docket number CISA-2024-0029. All members of the public are invited to comment including, but not limited to, specialists in the field, academic experts, industry stakeholders, and public interest groups. <E T="03">Instructions:</E> All submissions must include the agency name and Docket ID for this notice. Comments may be submitted electronically via the Federal e-Rulemaking Portal. To submit comments electronically: 1. Go to <E T="03">www.regulations.gov</E> and enter CISA-2024-0029 in the search field, 2. Click the “Comment Now!” icon, complete the required fields, and 3. Enter or attach your comments. All submissions, including attachments and other supporting materials, will become part of the public record and may be subject to public disclosure. CISA reserves the right to publish relevant comments publicly, unedited and in their entirety. Personal information, such as account numbers or Social Security numbers, or names of other individuals, should not be included. Do not submit confidential business information or otherwise sensitive or protected information. All comments received will be posted to <E T="03">http://www.regulations.gov.</E> Commenters are encouraged to identify the number of the specific topic or topics that they are addressing. <E T="03">Docket:</E> For access to the docket to read background documents or comments received, go to <E T="03">http://www.regulations.gov</E> and search for the Docket ID. <HD SOURCE="HD1">II. Background</HD> <HD SOURCE="HD2">A. History and Legal Authority</HD> On February 28, 2024, the President issued E.O. 14117 entitled “Preventing Access to Americans' Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern” (the “Order”), pursuant to his authority under the Constitution and laws of the United States, including the International Emergency Economic Powers Act (50 U.S.C. 1701 <E T="03">et seq.</E> ), the National Emergencies Act (50 U.S.C. 1601 <E T="03">et seq.</E> ), and section 301 of Title 3, United States Code. In the Order, the President expanded the scope of the national emergency declared in E.O. 13873 of May 15, 2019 “Securing the Information and Communications Technology and Services Supply Chain,” and further addressed the national emergency with additional measures in E.O. 14034 of June 9, 2021, “Protecting Americans' Sensitive Data from Foreign Adversaries.” Specifically, Section 2(a) of E.O. 14117 directs the Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies, to issue, subject to public notice and comment, regulations that prohibit or otherwise restrict United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (“transaction”), where the transaction: (i) involves bulk sensitive personal data or United States Government-related data, as defined by final rules implementing the Order; (ii) is a member of a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to the national security of the United States because the transactions may enable countries of concern or covered persons to access bulk sensitive personal data or United States Government-related data in a manner that contributes to the national emergency described in the Order; and (iii) meets other criteria specified by the Order. <SU>1</SU> <FTREF/> <FTNT> <SU>1</SU>  The other criteria do not directly impact the development of the security requirements but are related to DOJ's implementation of the E.O.'s directive via their regulations. <E T="03">See</E> E.O. 14117, sec. 2(a)(iii)-(v), 89 FR 15421, 15423 (Mar. 1, 2024). </FTNT> Among other things, the E.O., at Section 2(c) instructs the Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the relevant agencies, to issue regulations identifying specific categories of transactions (“restricted transactions”) that meet the criteria described in (ii) above for which the Attorney General determines that security requirements, to be established by the Secretary of Homeland Security through the Director of CISA in accordance with Section 2(d) of the Order, adequately mitigate the risks of access by countries of concern or covered persons  <SU>2</SU> <FTREF/> to bulk sensitive personal data or United States Government-related data. In turn, Section 2(d) directs the Secretary of Homeland Security, acting through the Director of CISA, to propose, seek public comment on, and publish those security requirements, and Section 2(e) delegates to the Secretary of Homeland Security the President's powers under IEPPA as necessary to carry out Section 2(d). <FTNT> <SU>2</SU>  Section 2(c)(iii) of the Order requires the Attorney General to identify, with the concurrence of the Secretaries of State and Commerce, countries of concern and, as appropriate, classes of covered persons for the purposes of the Order. </FTNT> On March 5, 2024, DOJ published an advance notice of proposed rulemaking (ANPRM) explaining a proposed framework that DOJ is considering for its forthcoming rules that would regulate certain data transactions involving bulk U.S. sensitive personal data and government-related data, as DOJ proposed to define these terms in the ANPRM. 89 FR 15780. The ANPRM states that DOJ is considering identifying three classes of restricted data transactions to address critical risk areas to the extent they involve countries of concern or covered persons and bulk U.S. sensitive personal data: vendor agreements; employment agreements; and investment agreements. 89 FR 15783. If implemented as described, such categories of transactions would be restricted, and otherwise prohibited unless they meet the security requirements developed by DHS in coordination with DOJ. <E T="03">See</E> 89 FR 15788. The ANPRM includes an outline of what the security requirements might entail. 89 FR 15795. Through the ANPRM, DOJ also proposes a framework for enforcement of its regulations. <E T="03">See</E> 89 FR 15797-15798. DOJ is issuing a notice of proposed rulemaking (NPRM), Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, [DOJ Docket No. NSD-104, RIN 1124-AA01], in the proposed rule section of this issue of the <E T="04">Federal Register</E> for public comment. Through this notice, CISA announces the proposed security requirements applicable to the classes of restricted transactions defined in DOJ's NPRM and requests public comment on the content of the security requirements. <HD SOURCE="HD2">B. Purpose and Structure of Proposed Security Requirements</HD> The primary goal of the proposed security requirements is to address national-securi ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Preview showing 10k of 30k characters. Full document text is stored and available for version comparison. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━