“A bill to enhance protection of data affecting operational security of Department of Defense personnel, and for other purposes.”
No CRS summary available for this bill.
This section directs the Secretary of Defense to prioritize protection of personal data related to or impacting operational security of Armed Forces members and Department of Defense (DoD) civilian employees, preventing non-conforming collection, use, dissemination, or retention relative to pre-enactment privacy laws and practices. The section further requires the Secretary to (1) review by June 1, 2026, and if necessary issue revised or new guidance on such protections; (2) prohibit storage of such data on non-DoD servers or cloud services except via DoD contract, subcontractor agreement, or data subject permission, with waivers allowed upon written certification of no national security risk and necessity; (3) notify Congress within 30 days of changes to related DoD issuances (sunsetting after five years) or specified events (e.g., waivers issued, regulatory storage violations or exfiltration, unauthorized non-DoD storage, or cybersecurity exposures involving such data); and (4) develop standards, training, reporting, and security debriefings (including post-departure) for system owners with multi-platform access to such data, with congressional notification within 30 days of development.