Title 28 - Judicial Administration last revised: Apr 18, 2025
§ 202.1001 - Due diligence for restricted transactions.

(a) Data compliance program. By no later than October 6, 2025, U.S. persons engaging in any restricted transactions shall develop and implement a data compliance program.

(b) Requirements. The data compliance program shall include, at a minimum, each of the following requirements:

(1) Risk-based procedures for verifying data flows involved in any restricted transaction, including procedures to verify and log, in an auditable manner, the following:

(i) The types and volumes of government-related data or bulk U.S. sensitive personal data involved in the transaction;

(ii) The identity of the transaction parties, including any ownership of entities or citizenship or primary residence of individuals; and

(iii) The end-use of the data and the method of data transfer;

(2) For restricted transactions that involve vendors, risk-based procedures for verifying the identity of vendors;

(3) A written policy that describes the data compliance program and that is annually certified by an officer, executive, or other employee responsible for compliance;

(4) A written policy that describes the implementation of the security requirements as defined in § 202.248 and that is annually certified by an officer, executive, or other employee responsible for compliance; and

(5) Any other information that the Attorney General may require.

§ 202.1002 - Audits for restricted transactions.

(a) Audit required. U.S. persons that, on or after October 6, 2025, engage in any restricted transactions under § 202.401 shall conduct an audit that complies with the requirements of this section.

(b) Who may conduct the audit. The auditor:

(1) Must be qualified and competent to examine, verify, and attest to the U.S. person's compliance with and the effectiveness of the security requirements, as defined in § 202.248, and all other applicable requirements, as defined in § 202.401, implemented for restricted transactions;

(2) Must be independent; and

(3) Cannot be a covered person or a country of concern.

(c) When required. The audit must be performed once for each calendar year in which the U.S. person engages in any restricted transactions.

(d) Timeframe. The audit must cover the preceding 12 months.

(e) Scope. The audit must:

(1) Examine the U.S. person's restricted transactions;

(2) Examine the U.S. person's data compliance program required under § 202.1001 and its implementation;

(3) Examine relevant records required under § 202.1101;

(4) Examine the U.S. person's security requirements, as defined by § 202.248; and

(5) Use a reliable methodology to conduct the audit.

(f) Report. (1) The auditor must prepare and submit a written report to the U.S. person within 60 days of the completion of the audit.

(2) The audit report must:

(i) Describe the nature of any restricted transactions engaged in by the U.S. person;

(ii) Describe the methodology undertaken, including the relevant policies and other documents reviewed, relevant personnel interviewed, and any relevant facilities, equipment, networks, or systems examined;

(iii) Describe the effectiveness of the U.S. person's data compliance program and its implementation;

(iv) Describe any vulnerabilities or deficiencies in the implementation of the security requirements that have affected or could affect the risk of access to government-related data or bulk U.S. sensitive personal data by a country of concern or covered person;

(v) Describe any instances in which the security requirements failed or were otherwise not effective in mitigating the risk of access to government-related data or bulk U.S. sensitive personal data by a country of concern or covered person; and

(vi) Recommend any improvements or changes to policies, practices, or other aspects of the U.S. person's business to ensure compliance with the security requirements.

(3) U.S. persons engaged in restricted transactions must retain the audit report for a period of at least 10 years, consistent with the recordkeeping requirements in § 202.1101.

authority: 50 U.S.C. 1701
source: 90 FR 1706, Jan. 8, 2025, unless otherwise noted.
cite as: 28 CFR 202.1001