Newsroom
Events
Subscribe

Key takeaways

The U.S. government recently launched the Data Security Program (DSP), a sweeping national security initiative that redefines data protection for affected organizations. Led by the Department of Justice (DOJ), this program reclassifies certain data practices as national security concerns, fundamentally changing how many businesses with global operations conduct in-scope sensitive data processes. Early awareness and proactive measures are critical to manage your risk and ensure operational continuity.

The DSP introduces export-style controls to prevent foreign adversaries from accessing bulk sensitive U.S. personal and government-related data. Organizations that manage in-scope sensitive data must now consider international data access through the lens of national security. The DSP has far-reaching implications for businesses with global operations and ties (e.g., through investments or third parties) to designated “countries of concern”: China (including Hong Kong and Macau), Venezuela, Cuba, Russia, North Korea and Iran.

Could your business be affected? If your organization handles sensitive U.S. data and works with international partners in the covered regions, the answer may be yes.

Are you in the crosshairs? Assess your exposure.

Ask yourself these key questions to determine your organization's potential obligations under the DSP:

  • Data exposure: Does your organization handle bulk sensitive U.S. personal data or government-related data?
  • International operations and/or partnerships: Do you have operations or employees in, and/or investment/business relationships with, entities in China (including Hong Kong and Macau), Venezuela, Cuba, Russia, North Korea or Iran?
  • Data access: Do you share data with any of these covered foreign entities, which could subject you to DSP restrictions?

If you answered "yes" or "maybe" to any of these questions, it is crucial to seek experienced guidance to understand your specific obligations and prepare for potential requirements under the DSP.

Impact of noncompliance

Violations of the DSP may result in civil and criminal penalties, which can be substantial.

  • Maximum civil penalties are not to exceed the greater of $368,136 or twice the value of the transaction that is the basis of the violation.
  • Upon conviction, an individual may also be fined up to $1 million and/or imprisoned for up to 20 years.

Navigating the DSP

Organizations should implement a comprehensive program that encompasses the complexities of the DSP, leveraging experienced external support where necessary. For example, RSM’s DSP compliance approach consists of three key phases:

The takeaway

The DSP is a complex regulatory program with potentially significant impacts on in-scope organizations. Proactive engagement is essential for managing risk and ensuring your business is not caught unprepared.

Don't wait for the deadlines to approach. Contact our advisors to help you confidently navigate the complexities and challenges related to the DSP.

Contact our risk professionals

Complete this form and an RSM representative will be in touch shortly

ASSURANCE | TAX | CONSULTING

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.

© 2026 RSM US LLP. All rights reserved.