HR8710Referred to Committee

National Defense Data Resilience Act

Share:
Introduced
In Committee
3
Passed One Chamber
4
Passed Both
5
Signed into Law
119th
Congress
2026-05-07
Introduced
1
Cosponsors
HR
Type

Sponsor

Suhas Subramanyam
Suhas Subramanyam
Democrat · VA · Representative
Votes with party: 96.2% (602 recorded votes)
Top industries funding sponsor:
  • Climate & Environment$106k

Full profile: /officials/S001230

Source: Congress.gov · FEC

Cosponsors (1)

Members who have signed on to support this bill since introduction. Source: Congress.gov.

Latest Action

The most recent step in the bill's legislative path. Committee Activity below shows referrals and reports; the full action-by-action history including floor proceedings lives at Congress.gov →

Referred to the House Committee on Armed Services.

2026-05-07

Source: Congress.gov

Committee Activity

Currently in

Previously

Plain-English Summary

The Department of Defense would be required to develop and maintain backup systems to protect critical military data from being permanently lost, damaged, or destroyed by accidents, cyberattacks, or other incidents. This ensures that essential defense information can be quickly recovered and restored so military operations and decision-making aren't disrupted by data loss. The change affects how the Pentagon manages and safeguards its computer systems and information infrastructure.

AI-assisted summary generated from the official bill metadata (title, subjects, actions) sourced from Congress.gov. Cached and reviewed. Always verify against the official text linked below.

Subjects

Armed Forces and National Security

Full Bill Text

Verbatim text published on Congress.gov via GovInfo. Use Cmd+F / Ctrl+F to search within this excerpt.

[Congressional Bills 119th Congress] [From the U.S. Government Publishing Office] [H.R. 8710 Introduced in House (IH)] <DOC> 119th CONGRESS 2d Session H. R. 8710 To amend title 10, United States Code, to require the Secretary of Defense to implement resilient capabilities to recover critical Department of Defense data in the event such data is lost, degraded, or destroyed, and for other purposes. _______________________________________________________________________ IN THE HOUSE OF REPRESENTATIVES May 7, 2026 Mr. Subramanyam (for himself and Mr. McCormick) introduced the following bill; which was referred to the Committee on Armed Services _______________________________________________________________________ A BILL To amend title 10, United States Code, to require the Secretary of Defense to implement resilient capabilities to recover critical Department of Defense data in the event such data is lost, degraded, or destroyed, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``National Defense Data Resilience Act''. SEC. 2. DATA RECOVERY REQUIREMENTS AND STRATEGY. (a) Data Recovery Requirements.--Chapter 19 of title 10, United States Code, is amended by inserting after section 391b the following new section: ``Sec. 391c. Data recovery requirements ``(a) Mandatory Recovery Time Objectives.-- ``(1) The Secretary of Defense shall, with respect to each element of the Department of Defense, carry out the following: ``(A) Designate data as one of the following types, as applicable: ``(i) Critical data. ``(ii) Important data. ``(iii) Necessary data. ``(B) Not later than 180 days after the date of the enactment of this section, establish mandatory recovery time objectives for data so designated as critical data. ``(C) Not later than 270 days after the date of the enactment of this section, establish mandatory recovery time objectives for data so designated as important data or necessary data. ``(2) Each recovery time objective established under paragraph (1) shall satisfy the following requirements: ``(A) Be based upon the type of data to which such objective applies, including with respect to threat exposure. ``(B) Be updated in response to intelligence on evolving threats from state and non-state actors, including the People's Republic of China. ``(3) Not later than one year after the date of the enactment of this section and annually thereafter, the Secretary of Defense shall, for each element of the Department of Defense, submit to the congressional defense committees an auditable recovery certification report that includes information relating to the following: ``(A) Each recovery time objective that is established under paragraph (1) and applies to such element. ``(B) Whether such objective satisfies the requirements listed in paragraph (2). ``(b) Data Recovery Capability Requirements.-- ``(1) Not later than 180 days after the date of the enactment of this section, the Secretary of Defense shall, for data designated as critical data pursuant to subparagraph (A) of subsection (a)(1), field data recovery capabilities that satisfy the following requirements: ``(A) Prioritize providing critical services in support of national defense. ``(B) Include the following: ``(i) Immutable backups that satisfy the following requirements: ``(I) Preserve logically separated copies of data. ``(II) Are selectively segmented or isolated from external networks by means of software, firewalls, or other controls. ``(ii) Continuous monitoring of backup environments to detect tampering, insider threats, and malicious corruption. ``(iii) Annual recovery exercises that simulate sophisticated nation-state cyberattacks designed to cripple data systems. ``(iv) Audits in which external or internal independent groups mimic tactics, techniques, and procedures of cyberattacks to assess and validate the ability of each element of the Department of Defense to carry out the objectives established under such subsection with respect to realistic threat conditions. ``(2)
Show the remaining 452 words
Not later than 270 days after the date of the enactment of this section, the Secretary of Defense shall, for data designated as important data or necessary data pursuant to subsection (a)(1)(A), field data recovery capabilities described in paragraph (1). ``(c) Approved Technology Standards.--In fielding a data recovery capability under subsection (b), the Secretary of Defense may not adopt technology unless the following requirements are satisfied: ``(1) Such technology is listed in an inventory of the Department of Defense for certified cybersecurity and data protection technology. ``(2) If such technology is technology for recovering or repairing damaged or lost data, such technology provides for the following: ``(A) Immutable storage. ``(B) Robust recovery capabilities. ``(C) Full audit trails. ``(D) Continuous monitoring for data integrity and anomalous activity. ``(d) Definitions.--In this section: ``(1) The term `critical data' means data, so vital to the United States, that the incapacity or destruction of such data would have a debilitating impact on security, national economic security, national public health or safety, or any combination thereof. ``(2) The term `data recovery capability' means a technology, process, or governance framework to ensure rapid, secure, and verifiable recovery after a destructive cyberattack. ``(3) The term `important data' means data that is important to the United States and the incapacity or destruction of such data would have a significant impact on security, national economic security, national public health or safety, or any combination thereof. ``(4) The term `necessary data' means data, the incapacity or destruction of which would have a measurable impact on security, national economic security, national public health or safety, or any combination thereof. ``(5) The term `recovery time objective' means the maximum allowable time the Secretary of Defense determines necessary to restore critical functions and data following a cyberattack.''. (b) Clerical Amendment.--The table of sections for chapter 19 of title 10, United States Code, is amended by inserting after the item relating to section 391b the following new item: ``391c. Data recovery requirements.''. (c) Data Recovery Strategy.-- (1) Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall submit to the congressional defense committees a data recovery strategy for the Department of Defense that includes information relating to the following: (A) Recovery time objectives for such strategy. (B) The technology necessary for such objectives. (C) Oversight processes with respect to such strategy. (D) The funds necessary to carry out such strategy. (2) The strategy under paragraph (1) shall be submitted in unclassified form, but may contain a classified annex. (3) In this subsection, the term ``recovery time objective'' means the maximum allowable time the Secretary of Defense determines necessary to restore critical functions and data following a cyberattack. <all>

Related legislation

Bills by the same sponsor or covering overlapping subjects.