28 CFR §202.1001
Verified against eCFR.gov as of June 20, 2026
- (a) Data compliance program. By no later than October 6, 2025, U.S. persons engaging in any restricted transactions shall develop and implement a data compliance program.
- (b) Requirements. The data compliance program shall include, at a minimum, each of the following requirements:
  - (1) Risk-based procedures for verifying data flows involved in any restricted transaction, including procedures to verify and log, in an auditable manner, the following:
    - (i) The types and volumes of government-related data or bulk U.S. sensitive personal data involved in the transaction;
    - (ii) The identity of the transaction parties, including any ownership of entities or citizenship or primary residence of individuals; and
    - (iii) The end-use of the data and the method of data transfer;
  - (2) For restricted transactions that involve vendors, risk-based procedures for verifying the identity of vendors;
  - (3) A written policy that describes the data compliance program and that is annually certified by an officer, executive, or other employee responsible for compliance;
  - (4) A written policy that describes the implementation of the security requirements as defined in § 202.248 and that is annually certified by an officer, executive, or other employee responsible for compliance; and
  - (5) Any other information that the Attorney General may require.