DOJ Clarifying Guidance on Bulk Sensitive Data DSP: Operational Considerations
On April 11, DOJ issued a press release,[1] Compliance Guide,[2] list of FAQs,[3] and Implementation and Enforcement Policy[4] (the Policy) providing further information and guidance on its final rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the Data Security Program or DSP), effective April 8, 2025. The A&M National Security, Trade and Technology team published an article[5] on December 13, 2024, and a second article[6] on March 31, 2025, that focused on how companies might approach operationalizing compliance regimes responsive to the DSP. Here, we identify three items clarified through DOJ’s additional guidance that pertain to how companies operationalize a security and compliance regime responsive to the DSP.
- Nonenforcement Period Provided Good Faith Implementation Efforts. Through the Policy, DOJ has indicated that it will not focus on civil enforcement during the first 90 days that the DSP is in effect (i.e., until July 8, 2025), provided that a company can demonstrate “good faith efforts” to comply with the DSP during the initial 90-day window.
DOJ-provided examples of good faith efforts are summarized below:

To emphasize the criticality of good faith efforts to the application of the 90-day nonenforcement period, the Policy specifies that:
"During this 90-day period, [DOJ] will pursue penalties and other enforcement actions as appropriate for egregious, willful violations. This policy does not limit [DOJ’s] authority and discretion to pursue civil enforcement if such persons did not engage in good-faith efforts to comply with, or come into compliance with, the DSP." (Emphasis added.)
DOJ made clear that, after the 90-day period, it expects “individuals and entities [to] be in full compliance with the DSP and should expect [DOJ] to pursue appropriate enforcement with respect to any violations.” (Emphasis added.)
Based on this guidance, it will be important for companies actively engaged in efforts to build out processes to meet DSP requirements to document their “good faith efforts,” and to be on a path to demonstrate full compliance with the DSP by July 8, 2025.
- Clarifying Guidance for Security Requirements for Nonexempt Restricted Transactions. In the Compliance Guide, DOJ provided clarifying guidance on what is expected of companies that will engage in nonexempt restricted transactions that implicate the DSP. This guidance is important to how companies think about, and value the costs of, building the security apparatus to engage in nonexempt restricted transactions in a manner compliant with the DSP. In addition to restressing the need for security measures that meet the CISA standards[7] specific to the DSP, examples of key clarifying guidance include:
  - Leadership and compliance personnel must be accountable for supporting, building, and maintaining a responsive Data Compliance Program.
  - A tailored Data Compliance Program must underpin restricted transactions to “prevent, detect, and remediate” potential violations of the DSP.
  - Policies and procedures must be developed and implemented for data compliance, risk-based due diligence and security controls application.
  - Screening for current and prospective vendors must be deployed, and related processes should be documented.
  - Tailored and appropriately scoped training for personnel should periodically be conducted.
  - Regular audits of restricted transactions should be performed to identify compliance gaps and potential violations of the DSP for disclosure to the National Security Division (NSD).
  - Comprehensive records of all transactions subject to the DSP must be retained for at least 10 years after the date of such transaction.
- Timing of Adjudicating License and Advisory Opinion Requests. Expecting a significant volume of informal inquiries about the DSP during the first 90-day period, DOJ has specified in the Implementation and Enforcement Policy that it will accept submission of license or advisory opinion requests during the first 90-day period, but it will “not review or adjudicate” those requests absent “emergency or imminent threat to public safety or national security.”
The “emergency or imminent threat to public safety or national security” standard is anticipated to set a high operational bar for DOJ disposition of a license or advisory opinion request during the 90-day period. Because such requests may still be submitted, however, DOJ might face a backlog that must be addressed after the 90-day window lapses. Companies that otherwise would seek a license or an advisory opinion related to a potentially novel application of the DSP should therefore build into their operational expectations potential short-term delays in the resolution of such requests.
*****
The clarifying guidance issued by DOJ is simultaneously an acknowledgement of the compliance complexities presented by the DSP — via the 90-day nonenforcement period for good faith compliance efforts — and the high priority that DOJ is placing on compliance and enforcement — via taking time to more precisely detail security expectations while emphasizing that all companies must achieve full compliance by July 8, 2025.
The bottom line is that companies need to develop and quickly implement a comprehensive DSP compliance regime or risk the significant penalties of noncompliance, including criminal penalties for certain levels of misconduct. This requires being able to show sufficient controls to assure either that the company does not engage in nonexempt restricted transactions or that the company can currently and prospectively identify all of its nonexempt, restricted transactions subject to the DSP and has implemented sufficient security controls across those transactions. In short, by July 8, 2025, companies must be ready to demonstrate that they know their data, know their people, know their suppliers and know their customers.
[1] “Justice Department Implements Critical National Security Program to Protect Americans’ Sensitive Data from Foreign Adversaries,” Dept. of Justice, Office of Public Affairs, April 11, 2025, https://www.justice.gov/opa/pr/justice-department-implements-critical-national-security-program-protect-americans-sensitive
[2] “Data Security Program Compliance Guide,” Dept. of Justice, April 11, 2025, https://www.justice.gov/opa/media/1396356/dl
[3] “Data Security Program Frequently Asked Questions,” Dept. of Justice, April 11, 2025, https://www.justice.gov/opa/media/1396351/dl
[4] “Data Security Program: Implementation and Enforcement Policy Through July 8, 2025,” Dept. of Justice, April 11, 2025, https://www.justice.gov/opa/media/1396346/dl?inline
[5] “Getting ready for the bulk sensitive data rule; practical considerations,” Foreign Investment Watch, December 13, 2024, https://foreigninvestmentwatch.com/getting-ready-for-the-bulk-sensitive-data-rule-practical-considerations/
[6] Randall Cook et al., “DOJ Bulk Sensitive Data Rule: Assessing Applicability and Impact to Your Organization,” Alvarez & Marsal, March 31, 2025, https://www.alvarezandmarsal.com/thought-leadership/doj-bulk-sensitive-data-rule-assessing-applicability-and-impact-to-your-organization
[7] “Security Requirements for Restricted Transactions, E.O. 14117 Implementation,” Cybersecurity & Infrastructure Security Agency, January 2025, https://www.cisa.gov/sites/default/files/2025-01/Security_Requirements_for_Restricted_Transaction-EO_14117_Implementation508.pdf