The Department of Justice (DOJ) Data Security Program (DSP) hits its final compliance date today (October 6, 2025), tightening controls on certain cross-border data transfers and access involving “countries of concern.”
A WilmerHale client alert confirms the deadline and notes this phase follows earlier implementation steps.
For enterprises, exposure spans AI model training, analytics, and third-party vendors: anywhere bulk sensitive data moves outside the United States or is accessible by covered persons in countries of concern.
Effective today
From today forward, covered entities must operate a documented program that assigns accountability, performs counterparty due diligence for restricted transactions, maintains long-term recordkeeping, and supports audits and required reporting, as outlined in DOJ’s Data Security Program FAQs.
Scope and restrictions
Under the rule, restricted transactions can include giving foreign affiliates or vendors access to bulk sensitive personal data, precise geolocation, financial and health datasets, or U.S. government-related data.
DOJ’s FAQ outlines the compliance architecture: written program, diligence on counterparties, reporting and recordkeeping, and adherence to specified security requirements designed to limit unauthorized access by covered persons or entities.
Same-day checklist (EOD triage)
Inventory any bulk sensitive data and government-related data used in analytics, AI training, or data science sandboxes; tag flows that cross borders or involve offshore teams.
Temporarily halt transactions that may qualify as restricted until diligence and controls meet DSP standards.
Identify third parties (BPOs, model trainers, MSSPs, data brokers) with potential access; demand written attestations and update contractual controls.
Finalize your written DSP program: roles, diligence steps, audit cadence, reporting and recordkeeping. Store evidence of reviews.
Name an accountable executive for DSP; schedule an internal audit window and board-level reporting.
Capture today’s policy updates, access revocations, and gating decisions for potential DOJ inquiries. Documentation separates defensible programs from post-hoc scrambles when regulators knock.