DOJ 28 CFR Part 202 Enforcement Starts October 6. Data-Centric Controls Carry the Evidence.
The Department of Justice National Security Division's Data Security Program, codified at 28 CFR Part 202, implements Executive Order 14117 and restricts transactions that give countries of concern or covered persons access to bulk U.S. sensitive personal data or government-related data. The rule took effect April 8, 2025. DOJ's implementation and enforcement policy deferred civil enforcement against persons making good-faith compliance efforts through July 8, 2025, and the rule's affirmative due-diligence, audit, and reporting obligations applied from October 6, 2025. Active enforcement actions begin October 6, 2026, against entities that failed to come into compliance during the wind-down period. The rule reaches commercial and research transactions that legal teams have been working through for a year. The technical evidence the rule actually requires has received less attention, and that evidence is what will decide enforcement outcomes.
The countries of concern designated in the rule are China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. Covered persons include foreign entities organized in or headquartered in a country of concern, foreign entities 50 percent or more owned by a country of concern or by covered persons, foreign individuals who are employees or contractors of such entities or of a country-of-concern government, foreign individuals primarily resident in a country of concern, and any person the Attorney General designates as owned or controlled by, subject to the jurisdiction of, or acting on behalf of a country of concern. The data categories that trigger the rule are bulk U.S. sensitive personal data (covered personal identifiers, precise geolocation data, biometric identifiers, human 'omic data, personal health data, and personal financial data, each with its own bulk threshold) and government-related data, which has no bulk threshold at all.
What the rule actually prohibits and restricts
The rule divides covered data transactions into two categories. Prohibited transactions are data brokerage with a country of concern or covered person (§ 202.301) and any covered data transaction that gives a country of concern or covered person access to bulk human 'omic data, or to human biospecimens from which it can be derived (§ 202.302). These cannot occur, and no security measure makes them lawful. Restricted transactions are vendor agreements, employment agreements, and investment agreements that give a country of concern or covered person access to bulk U.S. sensitive personal data or government-related data (§ 202.401). They are permitted only if the U.S. person complies with the security requirements the rule incorporates by reference, together with the due-diligence, audit, and recordkeeping obligations the rule attaches to restricted transactions.
The security requirements the rule incorporates are the CISA Security Requirements for Restricted Transactions, issued by CISA in January 2025, in coordination with DOJ, alongside the final rule. CISA splits them into organizational- and system-level requirements and data-level requirements. The organizational and system-level requirements cover governance, asset inventory, vulnerability remediation, identity and access management with multi-factor authentication, network topology, deny-by-default access, and logging. The data-level requirements are where most compliance programs are underprepared.
The data-level requirements demand data minimization and masking, encryption of covered data with key management that keeps the keys out of countries of concern and out of the reach of covered persons, privacy-enhancing techniques where they apply, and access configuration that prevents covered persons from reading covered data even when those persons legitimately hold access to other data on the same system. The encryption has to be strong enough that a country of concern holding only the encrypted bytes learns nothing. Logging of access to covered data sits among the system-level requirements, but it is the record that shows the data-level controls actually operated, and a log that can be altered after the fact shows nothing.
Where most compliance programs are exposed
The legal community has produced extensive analysis of the rule's scope, the country-of-concern definitions, and the contracting language. The compliance posture most organizations have built is a contracting posture. Vendors sign data security addenda. Employment agreements add covered person attestations. Investment review processes add country-of-concern screening.
These controls satisfy parts of the organizational requirements. They do not satisfy the data-level requirements. A contracting control does not encrypt data. A contracting control does not enforce attribute-based access at read time. A contracting control does not produce an audit log of access decisions. A covered person who breaches a contracting control still reads the data. The enforcement question that DOJ asks after October 6 is not what the contracts said. It is what the technical controls did when the contracts failed.
The final rule preamble (published January 2025; the proposed rule appeared in October 2024) and the guidance DOJ issued in April 2025 and August 2025 reinforce this point. The Department's National Security Division notes that contractual controls are necessary but not sufficient. The Department reserves enforcement discretion against organizations whose technical controls did not prevent covered access even when the contracting controls were in place.
The evidence the rule actually requires
Three evidence categories appear across the rule's security requirements, the CISA Security Requirements, and the due-diligence, audit, and recordkeeping obligations the rule attaches to restricted transactions.
The first is cryptographic protection traceable to the covered data. Encryption at rest under a validated module is the baseline, and the CISA requirements add that the keys must not be stored in a country of concern or be accessible to covered persons. The rule's structure requires that the encryption travel with the data, not stop at the boundary of the system that stores it. A covered person who exfiltrates a database backup must obtain ciphertext. A covered person who accesses a replicated copy in a foreign environment must obtain ciphertext. The cryptographic boundary has to follow the data, not the system, which in practice means per-object keys held apart from the objects they protect.
The second is access control bound to attribute claims. The rule's prohibition on covered-person access cannot be enforced through identity-only controls, because identity establishes who is asking, not whether that person is covered. A covered person is defined by attributes: country of organization, country of residence, ownership, employment and agency relationships, and Attorney General determinations. Those attributes change over time as ownership shifts and designations are added, so the access control system has to evaluate them against the data classification at read time rather than at provisioning time, and has to fail closed when an attribute is missing or does not match. Identity-based access without attribute evaluation cannot make this determination at the policy enforcement point.
The third is audit log integrity. The rule requires records of access to covered data, and those records become enforcement evidence when DOJ investigates a suspected violation. Logs that the organization cannot prove are tamper-evident face evidentiary challenge. A covered person who reaches a position to alter access logs after a covered transaction can erase the only record of the access. An audit log written to tamper-evident storage with cryptographic lineage, where each entry commits to the entries before it, cannot be altered after the access event without the alteration being detectable.
Where object-level enforcement satisfies the rule natively
The architecture that produces these three evidence categories without bolt-on controls is data-centric zero trust. Each data object carries its own encryption key and policy. Each read event traverses a policy decision point that evaluates the requesting principal's attributes against the object's classification. Each release event is recorded in a Merkle-tree lineage chain in tamper-evident audit storage.
Lattix Technologies implements this pattern through attribute-based access control (ABAC) at the policy enforcement point (PEP), FIPS 140-3 validated cryptographic modules with ML-KEM-768 and ML-KEM-1024 (FIPS 203) for key encapsulation, and Merkle-tree lineage. A covered data object protected through this architecture meets all three evidence categories simultaneously. The encryption travels with the data. The access control evaluates country-of-concern and covered-person attributes at every release. The release events are recorded in an audit chain that DOJ can verify cryptographically.
The architecture does not eliminate the contracting layer. Contracts and attestations still document the relationship and establish vendor obligations. The architecture does change what happens when a contracting control fails. In a contract-only posture, a covered person who circumvents the contracting layer reads cleartext. In a data-centric posture, the covered person who circumvents the contracting layer reads ciphertext, generates an audit record at the policy decision point, and surfaces the failure to detection rather than to disclosure.
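As an added example (not Lattix code, and not taken from the rule or the CISA document), the following Python shows the three evidence categories working together at one policy enforcement point: each object is encrypted under its own key held in a separate key store, so a copied object is ciphertext; every read passes through a policy decision point that evaluates covered-person attributes against the object's classification and fails closed when an attribute is missing or the classification is unknown; and every decision, permit or deny, is appended to a hash-chained audit log whose links can be recomputed. The ISO country codes, the attribute names, the in-memory dictionary standing in for a KMS or HSM, and the HMAC-SHA256 counter-mode keystream standing in for AES-256-GCM are assumptions of the example (the standard library has no AES); the hash chain is the linear special case of the Merkle-tree lineage described above, and all sample records are constructed.

```python
# Added example, not Lattix or DOJ code. Assumed: ISO country codes, the attribute
# names, an in-memory dict standing in for a KMS/HSM, and an HMAC-SHA256 keystream
# standing in for AES-256-GCM (the standard library has no AES). Records are constructed.
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Optional

# Countries of concern named in the rule; Hong Kong and Macau count with China.
COUNTRIES_OF_CONCERN = {"CN", "HK", "MO", "RU", "IR", "KP", "CU", "VE"}
COVERED_CLASSES = {"bulk_sensitive_personal", "government_related"}
KEY_STORE: dict[str, bytes] = {}  # key_id -> data key; stands in for a KMS/HSM

@dataclass(frozen=True)
class Principal:
    subject: str
    country_of_organization: Optional[str]  # None: attribute not asserted
    country_of_residence: Optional[str]
    acting_for_country: Optional[str]       # employer or principal acted for
    ag_determination: Optional[bool]        # Attorney General designation

@dataclass(frozen=True)
class DataObject:
    object_id: str
    classification: str
    key_id: str       # reference only; the key never travels with the object
    ciphertext: bytes

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with HMAC-SHA256(key, nonce||counter) blocks; symmetric, so decrypts too."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def protect(object_id: str, classification: str, plaintext: bytes) -> DataObject:
    """Each object gets its own key, so a copied backup yields ciphertext only."""
    key_id = f"key-{object_id}"
    KEY_STORE[key_id] = os.urandom(32)  # one key per object: object_id is a safe nonce
    ct = keystream_xor(KEY_STORE[key_id], object_id.encode(), plaintext)
    return DataObject(object_id, classification, key_id, ct)

def is_covered_person(p: Principal) -> Optional[bool]:
    """True/False when every attribute is asserted; None if any is missing."""
    if any(v is None for v in vars(p).values()):
        return None
    countries = (p.country_of_organization, p.country_of_residence, p.acting_for_country)
    return any(c in COUNTRIES_OF_CONCERN for c in countries) or bool(p.ag_determination)

def decide(p: Principal, classification: str) -> tuple[bool, str]:
    """Policy decision point: run at every read, fails closed on any gap."""
    if classification == "public":
        return True, "not_covered_data"
    if classification not in COVERED_CLASSES:
        return False, "unknown_classification"
    covered = is_covered_person(p)
    if covered is None:
        return False, "attributes_incomplete"
    return (False, "covered_person") if covered else (True, "permitted")

class AuditChain:
    """Append-only log; entry i commits to entry i-1 (a linear lineage chain)."""
    GENESIS = hashlib.sha256(b"audit-genesis").hexdigest()

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        h = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": h})
        return h

    def verify(self) -> bool:
        """Recompute every link; an edited, dropped or reordered entry breaks it."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

def pep_read(p: Principal, obj: DataObject, chain: AuditChain) -> Optional[bytes]:
    """Policy enforcement point: log the decision first; release the key only on permit."""
    allowed, reason = decide(p, obj.classification)
    chain.append({"subject": p.subject, "object": obj.object_id,
                  "classification": obj.classification,
                  "decision": "permit" if allowed else "deny", "reason": reason})
    if not allowed:
        return None
    return keystream_xor(KEY_STORE[obj.key_id], obj.object_id.encode(), obj.ciphertext)
```

Run a U.S. analyst, a principal organized in a country of concern, and a principal with one unasserted attribute through pep_read against the same protected record: the first gets plaintext, the other two get nothing, and the chain records one permit and two denies with their reasons. Change any stored decision afterwards and verify() returns False, which is the property that turns the log into evidence rather than an assertion. In production the key store is a KMS or HSM outside the data environment and the chain head is anchored externally; the point the example makes is that a stolen copy of the object, a missing attribute, and an edited log all fail safe.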
What organizations should be doing in the next 145 days
The window between today and October 6 is the implementation window for technical controls that will carry enforcement evidence. Three operational priorities matter.
The first is data discovery against the rule's categories. The organization needs to know where covered data resides, who has access to it, and how it flows to vendors, employees, and investment counterparties. The data discovery deliverable feeds every other compliance activity. Organizations that have built contracting controls without a data inventory have built controls against data they cannot identify.
The second is the cryptographic and access control architecture against covered data. The organization needs to determine whether existing controls produce encryption traceable to the data object and attribute-based access bound to country-of-concern attributes. Where they do not, the architecture gap is the gap that enforcement will reach. Closing the gap takes longer than 145 days for organizations starting from a contract-only posture. The architecture work that finishes by Q3 2026 will produce evidence for enforcement in Q4. The architecture work that does not finish will produce contract attestations and no technical evidence.
The third is the audit trail. The organization needs to determine whether existing audit logs are tamper-evident, attribute-aware, and complete across the covered data set. Logs scattered across application servers, database engines, and network appliances, each in its own format with no integrity protection, do not by themselves produce a record that ties a specific access decision to a specific principal's attributes and a specific covered object. A consolidated, cryptographically anchored lineage record does.
The October 6 enforcement window is shorter than the calendar suggests once the technical work is scoped. The contracting layer has been the focus of the compliance community for a year. The technical layer is what enforcement will actually examine.
References
- 28 CFR Part 202, Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (eCFR)
- DOJ National Security Division, Data Security Program Resource Center
- Executive Order 14117, Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern
- CISA Security Requirements for Restricted Transactions Under EO 14117
- DOJ Final Rule, Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, 90 FR 1636 (January 8, 2025)
- DOJ Notice of Proposed Rulemaking, Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, 89 FR 86116 (October 29, 2024)
- NIST SP 800-207, Zero Trust Architecture