National Defense Data Resilience Act
- Bill Number
- H.R. 8710
- Origin Chamber
- House
- Congress
- 119th Congress, Session 2
- Policy Area
- Armed Forces and National Security
- Status
- Introduced
- Latest Action
- 2026-05-07: Referred to the House Committee on Armed Services.
- Last Updated
- 2026-05-13T21:21:14Z
AI-Generated Summary
Purpose
The National Defense Data Resilience Act (H.R. 8710) aims to enhance the U.S. Department of Defense's (DoD) ability to recover critical data if it is lost, degraded, or destroyed, particularly due to cyberattacks. It mandates resilient data recovery systems to protect national security.
Key Provisions
- Data Classification and Recovery Time Objectives (RTOs):
- DoD must classify data as critical (vital, with debilitating impact on security, economy, health/safety), important (significant impact), or necessary (measurable impact).
- Establish mandatory RTOs—the maximum time to restore data/functions after a cyberattack—within 180 days for critical data and 270 days for other data.
- RTOs must account for threats (e.g., from China) and be updated annually; annual auditable reports to congressional defense committees.
- Data Recovery Capabilities:
- Deploy for critical data within 180 days, and others within 270 days, including:
- Immutable backups (unchangeable, isolated copies).
- Continuous monitoring for threats.
- Annual recovery exercises simulating nation-state cyberattacks.
- Independent audits mimicking real attacks.
- Technology Standards:
- Use only certified DoD-listed tech; recovery tools must have immutable storage, strong recovery, audit trails, and monitoring.
- Data Recovery Strategy:
- Submit to Congress within 90 days (unclassified, with optional classified annex), covering RTOs, needed technology, oversight, and funding.
- Amends title 10 U.S. Code by adding section 391c.
Significant Changes to Existing Law
- Inserts new section 391c into Chapter 19 of title 10 U.S. Code, creating mandatory data recovery requirements, timelines, certifications, and reporting not previously specified.
- Adds corresponding entry to the chapter's table of sections.
Potential Impacts
- Government Agencies: DoD must invest in new tech, processes, and exercises, improving cyber resilience but requiring funding and resources; annual reporting increases congressional oversight.
- Citizens: Indirectly enhances national security by protecting defense data from cyberattacks, reducing risks to public safety, economy, and defense operations.
- International Relations: Bolsters U.S. defenses against state actors (e.g., China), potentially deterring cyber aggression but signaling heightened cyber preparedness.
Main Stakeholders
- Department of Defense: All elements must implement and report on requirements.
- Secretary of Defense: Responsible for designations, RTOs, capabilities, strategy, and compliance.
- Congressional Defense Committees: Receive reports, strategy, and certifications for oversight.
- Technology Providers: Must meet certification for DoD use in recovery systems.
Notable Legal, Constitutional, or Political Implications
- Legal: Enforceable timelines and auditable reports allow Congress to monitor/hold DoD accountable; definitions clarify scope without ambiguity.
- Constitutional: Aligns with Congress's authority over military (Article I, Section 8) and defense spending.
- Political: Emphasizes threats from specific actors (e.g., China), promoting bipartisan focus on cybersecurity; short timelines pressure rapid DoD action.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Rep. Subramanyam, Suhas [D-VA-10]
Cosponsors (1)
Rep. McCormick, Richard [R-GA-7]
Recent Actions
- 2026-05-07: Referred to the House Committee on Armed Services.
- 2026-05-07: Introduced in House
- 2026-05-07: Introduced in House
Bill Versions
- National Defense Data Resilience Act — issued 2026-05-07 — PDF (8 pages)