[Congressional Bills 119th Congress] [From the U.S. Government Publishing Office] [H.R. 8710 Introduced in House (IH)]
<DOC>
119th CONGRESS 2d Session H. R. 8710
To amend title 10, United States Code, to require the Secretary of Defense to implement resilient capabilities to recover critical Department of Defense data in the event such data is lost, degraded, or destroyed, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
May 7, 2026
Mr. Subramanyam (for himself and Mr. McCormick) introduced the following bill; which was referred to the Committee on Armed Services
_______________________________________________________________________
A BILL
To amend title 10, United States Code, to require the Secretary of Defense to implement resilient capabilities to recover critical Department of Defense data in the event such data is lost, degraded, or destroyed, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``National Defense Data Resilience Act''.
SEC. 2. DATA RECOVERY REQUIREMENTS AND STRATEGY.
(a) Data Recovery Requirements.--Chapter 19 of title 10, United States Code, is amended by inserting after section 391b the following new section:
``Sec. 391c. Data recovery requirements
``(a) Mandatory Recovery Time Objectives.--
    ``(1) The Secretary of Defense shall, with respect to each element of the Department of Defense, carry out the following:
        ``(A) Designate data as one of the following types, as applicable:
            ``(i) Critical data.
            ``(ii) Important data.
            ``(iii) Necessary data.
        ``(B) Not later than 180 days after the date of the enactment of this section, establish mandatory recovery time objectives for data so designated as critical data.
        ``(C) Not later than 270 days after the date of the enactment of this section, establish mandatory recovery time objectives for data so designated as important data or necessary data.
    ``(2) Each recovery time objective established under paragraph (1) shall satisfy the following requirements:
        ``(A) Be based upon the type of data to which such objective applies, including with respect to threat exposure.
        ``(B) Be updated in response to intelligence on evolving threats from state and non-state actors, including the People's Republic of China.
    ``(3) Not later than one year after the date of the enactment of this section and annually thereafter, the Secretary of Defense shall, for each element of the Department of Defense, submit to the congressional defense committees an auditable recovery certification report that includes information relating to the following:
        ``(A) Each recovery time objective that is established under paragraph (1) and applies to such element.
        ``(B) Whether such objective satisfies the requirements listed in paragraph (2).
``(b) Data Recovery Capability Requirements.--
    ``(1) Not later than 180 days after the date of the enactment of this section, the Secretary of Defense shall, for data designated as critical data pursuant to subparagraph (A) of subsection (a)(1), field data recovery capabilities that satisfy the following requirements:
        ``(A) Prioritize providing critical services in support of national defense.
        ``(B) Include the following:
            ``(i) Immutable backups that satisfy the following requirements:
                ``(I) Preserve logically separated copies of data.
                ``(II) Are selectively segmented or isolated from external networks by means of software, firewalls, or other controls.
            ``(ii) Continuous monitoring of backup environments to detect tampering, insider threats, and malicious corruption.
            ``(iii) Annual recovery exercises that simulate sophisticated nation-state cyberattacks designed to cripple data systems.
            ``(iv) Audits in which external or internal independent groups mimic tactics, techniques, and procedures of cyberattacks to assess and validate the ability of each element of the Department of Defense to carry out the objectives established under such subsection with respect to realistic threat conditions.
    ``(2) Not later than 270 days after the date of the enactment of this section, the Secretary of Defense shall, for data designated as important data or necessary data pursuant to subsection (a)(1)(A), field data recovery capabilities described in paragraph (1).
``(c) Approved Technology Standards.--In fielding a data recovery capability under subsection (b), the Secretary of Defense may not adopt technology unless the following requirements are satisfied:
    ``(1) Such technology is listed in an inventory of the Department of Defense for certified cybersecurity and data protection technology.
    ``(2) If such technology is technology for recovering or repairing damaged or lost data, such technology provides for the following:
        ``(A) Immutable storage.
        ``(B) Robust recovery capabilities.
        ``(C) Full audit trails.
        ``(D) Continuous monitoring for data integrity and anomalous activity.
``(d) Definitions.--In this section:
    ``(1) The term `critical data' means data, so vital to the United States, that the incapacity or destruction of such data would have a debilitating impact on security, national economic security, national public health or safety, or any combination thereof.
    ``(2) The term `data recovery capability' means a technology, process, or governance framework to ensure rapid, secure, and verifiable recovery after a destructive cyberattack.
    ``(3) The term `important data' means data that is important to the United States and the incapacity or destruction of such data would have a significant impact on security, national economic security, national public health or safety, or any combination thereof.
    ``(4) The term `necessary data' means data, the incapacity or destruction of which would have a measurable impact on security, national economic security, national public health or safety, or any combination thereof.
    ``(5) The term `recovery time objective' means the maximum allowable time the Secretary of Defense determines necessary to restore critical functions and data following a cyberattack.''.
(b) Clerical Amendment.--The table of sections for chapter 19 of title 10, United States Code, is amended by inserting after the item relating to section 391b the following new item:
``391c. Data recovery requirements.''.
(c) Data Recovery Strategy.--
    (1) Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall submit to the congressional defense committees a data recovery strategy for the Department of Defense that includes information relating to the following:
        (A) Recovery time objectives for such strategy.
        (B) The technology necessary for such objectives.
        (C) Oversight processes with respect to such strategy.
        (D) The funds necessary to carry out such strategy.
    (2) The strategy under paragraph (1) shall be submitted in unclassified form, but may contain a classified annex.
    (3) In this subsection, the term ``recovery time objective'' means the maximum allowable time the Secretary of Defense determines necessary to restore critical functions and data following a cyberattack.
<all>