Cybersecurity isn't only about keeping attackers out of your network. A whole body of law aims to keep sensitive U.S. technology, infrastructure, and data out of the wrong hands in the first place — by regulating who can invest in, supply, or access it. If you build technology, handle controlled data, or take on foreign investment, these rules can matter as much as your NIST controls.
The five regimes to know
1. CFIUS — foreign investment review. The Committee on Foreign Investment in the United States reviews foreign acquisitions of, and certain investments in, U.S. businesses for national-security risk, and the President can block or unwind a deal. Since FIRRMA (2018), CFIUS reaches certain non-controlling investments in critical-technology, critical-infrastructure, and sensitive-personal-data businesses, with mandatory filings for some deals. (See the Ralls v. CFIUS case post.)
2. Export controls — the EAR and ECRA. The Export Control Reform Act and the Export Administration Regulations govern who can receive "dual-use" technology. Watch two traps: deemed exports (giving a foreign national in the U.S. access to controlled technology counts as an export to their country), and the Entity List (named foreign parties you generally can't ship to without a license).
3. Section 889 — banned telecom and surveillance gear. The government won't buy covered Chinese telecom/video-surveillance equipment (Part A), and won't contract with companies that use it anywhere in their operations (Part B). That makes Section 889 a company-wide inventory-and-representation obligation.
4. ICTS supply-chain review (EO 13873). Commerce can review and prohibit transactions in information and communications technology and services that involve foreign adversaries.
5. The bulk-data rule (EO 14117). A DOJ rule effective April 8, 2025 restricts transfers of Americans' bulk sensitive personal data and government-related data to "countries of concern" and covered persons.
Why it matters for contractors
These regimes overlap with your cyber obligations and with each other. A single defense-technology firm might simultaneously face CFIUS review on its cap table, EAR controls on its technology, Section 889 representations in SAM, and the bulk-data rule on its datasets. The common thread is supply-chain risk management: know your investors, suppliers, components, and data flows. Treat foreign-access compliance as part of the same program as your NIST 800-171 controls — not a separate silo.