[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 3161 Introduced in Senate (IS)]
119th CONGRESS
1st Session
S. 3161
To enhance protection of data affecting operational security of
Department of Defense personnel, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
November 7, 2025
Ms. Slotkin (for herself and Ms. Ernst) introduced the following bill;
which was read twice and referred to the Committee on Armed Services
_______________________________________________________________________
A BILL
To enhance protection of data affecting operational security of
Department of Defense personnel, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the "Protecting DOD Data Act of 2025".
SEC. 2. ENHANCED PROTECTION OF DATA AFFECTING OPERATIONAL SECURITY OF
DEPARTMENT OF DEFENSE PERSONNEL.
(a) Priorities for Protection of Personal Data for Operational
Security.--In carrying out the duties of the Secretary of Defense, the
Secretary shall identify and prioritize the protection of personal data
that is related to or may have impacts on the operational security of
members of the Armed Forces and civilian employees of the Department of
Defense through the prevention of collection, use, dissemination, or
retention of such data that does not conform with provisions of law and
practices relating to privacy that were in effect on the day before the
date of the enactment of this Act.
(b) Review and Issuance of New Guidance Related to Protection of
Personal Data Related to Operational Security.--Not later than June 1,
2026, the Secretary of Defense shall review all applicable guidance and
policy relating to the protection of personal data that is related to
or may have impacts on the operational security of Department personnel
and, if necessary, issue revised or new guidance for enhanced
protection measures for such data. Such guidance shall cover provisions
of law and practices relating to privacy and personnel security that
were in effect on the day before the date of the enactment of this Act.
(c) Storage of Data.--
(1) Limitation.--The Secretary shall ensure that no
Department personal data related to or that may have impacts on
the operational security of Department personnel is stored on a
non-Department server or cloud service except pursuant to a
contract or other agreement entered into by the Secretary and a
contractor or subcontractor of the Department or, for personnel
data, with the permission of the data subject.
(2) Waivers.--The Secretary may waive paragraph (1) in a
case in which the Secretary certifies in writing that such
waiver--
(A) appropriately considers the operational
security risks to an employee of the Department with
respect to whom such data may relate;
(B) does not pose a risk to national security; and
(C) is necessary in the interest of national
security.
(d) Congressional Notification of Changes to Departmental
Issuances.--
(1) In general.--Not later than 30 days after the date on
which the Secretary changes a Department issuance relating to
the protection of personal data that is related to or may have
impacts on the operational security of Department personnel,
the Secretary shall submit to Congress notice of the change.
(2) Sunset.--The requirement of paragraph (1) shall
terminate on the date that is five years after the date of the
enactment of this Act.
(e) Congressional Notification of Events.--
(1) In general.--Not later than 30 days after the date of
the occurrence of an event described in paragraph (2), the
Secretary shall submit to Congress notice of the event.
(2) Events described.--An event described in this paragraph
is an occurrence of an event in which--
(A) the Secretary issues a waiver under subsection
(c)(2);
(B) personal data related to or that may have an
impact on operational security of Department personnel
is not stored according to Department regulations or
exfiltrated in violation of Department regulations;
(C) personal data related to or that may have an
impact on operational security of Department personnel
is stored on a non-Department server or cloud service
that has not undergone an authorization process in
accordance with Department regulations; or
(D) personal data related to or that may have an
impact on operational security of Department of Defense
personnel is exposed in any cybersecurity incident.
(f) Standards, Training, and Reporting Processes for System
Owners.--
(1) In general.--The Secretary shall develop standards,
training, reporting, and security debriefing requirements for
Department personnel who receive write or read access
privileges as system owners across more than one platform of
Department information systems that hosts personal data related
to or that may have an impact on operational security of
Department personnel.
(2) Security debriefings.--The Secretary shall ensure that
personnel described in paragraph (1) are provided regular
security debriefings, including after departing the Department.
(3) Notification of Congress under certain circumstances.--
Not later than 30 days after the completion of the development
of the standards, training, reporting, and security debriefing
requirements in paragraph (1) the Secretary shall submit to
Congress details of the requirements.