[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8710 Introduced in House (IH)]
119th CONGRESS
2d Session
H. R. 8710
To amend title 10, United States Code, to require the Secretary of
Defense to implement resilient capabilities to recover critical
Department of Defense data in the event such data is lost, degraded, or
destroyed, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
May 7, 2026
Mr. Subramanyam (for himself and Mr. McCormick) introduced the
following bill; which was referred to the Committee on Armed Services
_______________________________________________________________________
A BILL
To amend title 10, United States Code, to require the Secretary of
Defense to implement resilient capabilities to recover critical
Department of Defense data in the event such data is lost, degraded, or
destroyed, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``National Defense Data Resilience
Act''.
SEC. 2. DATA RECOVERY REQUIREMENTS AND STRATEGY.
(a) Data Recovery Requirements.--Chapter 19 of title 10, United
States Code, is amended by inserting after section 391b the following
new section:
``Sec. 391c. Data recovery requirements
``(a) Mandatory Recovery Time Objectives.--
``(1) The Secretary of Defense shall, with respect to each
element of the Department of Defense, carry out the following:
``(A) Designate data as one of the following types,
as applicable:
``(i) Critical data.
``(ii) Important data.
``(iii) Necessary data.
``(B) Not later than 180 days after the date of the
enactment of this section, establish mandatory recovery
time objectives for data so designated as critical
data.
``(C) Not later than 270 days after the date of the
enactment of this section, establish mandatory recovery
time objectives for data so designated as important
data or necessary data.
``(2) Each recovery time objective established under
paragraph (1) shall satisfy the following requirements:
``(A) Be based upon the type of data to which such
objective applies, including with respect to threat
exposure.
``(B) Be updated in response to intelligence on
evolving threats from state and non-state actors,
including the People's Republic of China.
``(3) Not later than one year after the date of the
enactment of this section and annually thereafter, the
Secretary of Defense shall, for each element of the Department
of Defense, submit to the congressional defense committees an
auditable recovery certification report that includes
information relating to the following:
``(A) Each recovery time objective that is
established under paragraph (1) and applies to such
element.
``(B) Whether such objective satisfies the
requirements listed in paragraph (2).
``(b) Data Recovery Capability Requirements.--
``(1) Not later than 180 days after the date of the
enactment of this section, the Secretary of Defense shall, for
data designated as critical data pursuant to subparagraph (A)
of subsection (a)(1), field data recovery capabilities that
satisfy the following requirements:
``(A) Prioritize providing critical services in
support of national defense.
``(B) Include the following:
``(i) Immutable backups that satisfy the
following requirements:
``(I) Preserve logically separated
copies of data.
``(II) Are selectively segmented or
isolated from external networks by
means of software, firewalls, or other
controls.
``(ii) Continuous monitoring of backup
environments to detect tampering, insider
threats, and malicious corruption.
``(iii) Annual recovery exercises that
simulate sophisticated nation-state
cyberattacks designed to cripple data systems.
``(iv) Audits in which external or internal
independent groups mimic tactics, techniques,
and procedures of cyberattacks to assess and
validate the ability of each element of the
Department of Defense to carry out the
objectives established under such subsection
with respect to realistic threat conditions.
``(2) Not later than 270 days after the date of the
enactment of this section, the Secretary of Defense shall, for
data designated as important data or necessary data pursuant to
subsection (a)(1)(A), field data recovery capabilities
described in paragraph (1).
``(c) Approved Technology Standards.--In fielding a data recovery
capability under subsection (b), the Secretary of Defense may not adopt
technology unless the following requirements are satisfied:
``(1) Such technology is listed in an inventory of the
Department of Defense for certified cybersecurity and data
protection technology.
``(2) If such technology is technology for recovering or
repairing damaged or lost data, such technology provides for
the following:
``(A) Immutable storage.
``(B) Robust recovery capabilities.
``(C) Full audit trails.
``(D) Continuous monitoring for data integrity and
anomalous activity.
``(d) Definitions.--In this section:
``(1) The term `critical data' means data, so vital to the
United States, that the incapacity or destruction of such data
would have a debilitating impact on security, national economic
security, national public health or safety, or any combination
thereof.
``(2) The term `data recovery capability' means a
technology, process, or governance framework to ensure rapid,
secure, and verifiable recovery after a destructive
cyberattack.
``(3) The term `important data' means data that is
important to the United States and the incapacity or
destruction of such data would have a significant impact on
security, national economic security, national public health or
safety, or any combination thereof.
``(4) The term `necessary data' means data, the incapacity
or destruction of which would have a measurable impact on
security, national economic security, national public health or
safety, or any combination thereof.
``(5) The term `recovery time objective' means the maximum
allowable time the Secretary of Defense determines necessary to
restore critical functions and data following a cyberattack.''.
(b) Clerical Amendment.--The table of sections for chapter 19 of
title 10, United States Code, is amended by inserting after the item
relating to section 391b the following new item:
``391c. Data recovery requirements.''.
(c) Data Recovery Strategy.--
(1) Not later than 90 days after the date of the enactment
of this Act, the Secretary of Defense shall submit to the
congressional defense committees a data recovery strategy for
the Department of Defense that includes information relating to
the following:
(A) Recovery time objectives for such strategy.
(B) The technology necessary for such objectives.
(C) Oversight processes with respect to such
strategy.
(D) The funds necessary to carry out such strategy.
(2) The strategy under paragraph (1) shall be submitted in
unclassified form, but may contain a classified annex.
(3) In this subsection, the term ``recovery time
objective'' means the maximum allowable time the Secretary of
Defense determines necessary to restore critical functions and
data following a cyberattack.