U.S. Bulk Sensitive Data Rule Advisory

The Department of Justice’s recent rule — Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the Rule) — is part of a suite of actions being undertaken or evaluated by U.S. policymakers to secure sensitive data from foreign parties that would seek to exploit it. The Rule is responsive to U.S. policymaker recognition that new technologies, particularly large language models and other AI technologies, that allow for the rapid ingestion, processing and inferencing of large data sets present an emergent and significant threat to U.S. national security.

For companies that control bulk sensitive data or government-related data as it pertains to certain transaction types involving covered persons or Countries of Concern, the Rule has broad implications. The Rule also contains an IT governance overlay, incorporating guidance related to the Rule that was issued by the Cybersecurity and Infrastructure Security Agency (CISA).

Alvarez & Marsal (A&M) provides strategic national security and information governance and data privacy guidance to clients navigating the complexities of this sweeping regulation. A&M helps companies determine with fidelity whether they hold data in sufficient volumes to be subject to the Rule. For those that do, A&M helps develop and implement a tailored, risk-based security controls approach to Rule compliance that is practical, sustainable and cost-effective, while being responsive to Rule requirements and U.S. Government equities.

OUR SERVICES

Know Your Data, Know Your Suppliers, and Know Your Customers

A&M leverages technical tools and know-how to help organizations assess with fidelity: (i) whether they house data in quantities sufficient to implicate the Rule, (ii) whether they do business with suppliers, customers or other stakeholders of a type that implicates restrictions around countries of concern or covered persons and (iii) if both are true, how to build an effective solution tailored to achieving Rule compliance while minimizing business impact. We leverage our expertise in:

  • Assessing a company’s approach to data collection and classification to determine whether the company collects data of the types and at the volumes that trigger the Rule
  • Developing standards for assessing, implementing and enhancing covered data identification and classification, management and access controls
  • Leveraging automated data discovery, classification and access monitoring tools
  • Assessing the sufficiency of the company’s approach to vendor, supplier, customer and other diligence
  • Instituting diligence and screening programs, supported by technical tools, to ensure that restricted persons are prevented from accessing bulk sensitive data, anchored in ticketing systems to facilitate auditability
  • Evaluating the sufficiency of inter-functional engagement within companies to assure a consistent and predictable process for defining transaction types, tying in diligence data and, where needed, evaluating data access
  • Drafting a clear governance framework in the form of roles and responsibilities that defines the expectations of each business function relative to assuring Rule compliance

CISA IT Governance Overlay

A&M professionals have extensive experience working with organizations to build programs that satisfy various IT governance frameworks or benchmarks. This includes deep experience with the types of controls and tools for securing bulk sensitive data expressed within the CISA guidance. We have expertise in:

  • Implementing end-to-end encryption for bulk sensitive data at rest and in transit
  • Deploying role-based access controls with multi-factor authentication and least privilege principles
  • Establishing geographic access restrictions to prevent data access from Countries of Concern
  • Creating tailored micro-services security solutions, compliance workflows and automated tools to implement in complex environments
  • Implementing network segmentation, DLP tools, data anonymization and masking tools, and other controls
  • Maintaining a comprehensive data inventory identifying all regulated data repositories
  • Creating audit logs tracking all access attempts and data movements
  • Preparing requisite supporting documentation, including security control inventory and implementation specifications, risk assessment and compliance validation reports, and access control policies and monitoring implementation details