Protecting DOD Data Act of 2025

#3161 | S Congress #119

Last Action: Read twice and referred to the Committee on Armed Services. (11/7/2025)

Bill Text Source: Congress.gov

Bill Summary

The "Protecting DOD Data Act of 2025" is legislation aimed at enhancing the security and protection of personal data related to the operational security of Department of Defense (DOD) personnel. Key provisions include:

1. **Prioritization of Data Protection**: The Secretary of Defense is tasked with identifying and prioritizing the safeguarding of personal data that could impact the operational security of military members and DOD civilian employees, ensuring compliance with existing privacy laws.

2. **Guidance Review and Updates**: By June 1, 2026, the Secretary must review and, if necessary, update guidance related to the protection of personal data, ensuring it aligns with pre-existing laws and practices.

3. **Data Storage Restrictions**: Personal data affecting operational security must not be stored on non-DOD servers or cloud services unless authorized by a contract or with explicit permission from the data subject. Waivers can be granted under specific national security conditions.

4. **Congressional Notification**: The Secretary must notify Congress within 30 days of any changes to data protection policies or significant events, such as data breaches or unauthorized storage incidents.

5. **Training and Standards**: The Secretary is required to implement standards, training, and reporting processes for personnel with access to sensitive data, including regular security debriefings.

Overall, the act is designed to bolster the protection of sensitive data, mitigate risks to national security, and ensure accountability through congressional oversight.

Possible Impacts

The "Protecting DOD Data Act of 2025" could affect people in various ways. Here are three examples:

1. **Enhanced Privacy Protection for Service Members**: The legislation prioritizes the protection of personal data related to the operational security of Department of Defense (DOD) personnel. This means that service members and civilian employees may experience greater assurance that their personal information is safeguarded against unauthorized collection and dissemination. As a result, they could feel more secure knowing that their sensitive data, which could be exploited by adversaries, is being carefully managed and protected.

2. **Compliance and Training Requirements**: The requirement for the Secretary of Defense to develop standards and training related to data protection will affect personnel who access sensitive information systems. Those who receive write or read access privileges will need to undergo regular training and security debriefings. This could lead to an increased workload and responsibility for these individuals, as they must stay compliant with new protocols and ensure that they understand the importance of data security in their roles.

3. **Impact of Data Storage Regulations**: The legislation imposes strict limitations on where personal data related to operational security can be stored, primarily restricting it to Department-controlled servers or cloud services. Employees or contractors who handle this data may experience operational changes as they adapt to these requirements, potentially leading to disruptions in workflow or the need to change how they manage data. If waivers are issued, they must be justified to prevent risks, which could create additional bureaucratic processes that personnel must navigate.

[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 3161 Introduced in Senate (IS)]

119th CONGRESS
  1st Session
                                S. 3161

    To enhance protection of data affecting operational security of 
        Department of Defense personnel, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            November 7, 2025

Ms. Slotkin (for herself and Ms. Ernst) introduced the following bill; 
  which was read twice and referred to the Committee on Armed Services

_______________________________________________________________________

                                 A BILL


 
    To enhance protection of data affecting operational security of 
        Department of Defense personnel, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the "Protecting DOD Data Act of 2025".

SEC. 2. ENHANCED PROTECTION OF DATA AFFECTING OPERATIONAL SECURITY OF 
              DEPARTMENT OF DEFENSE PERSONNEL.

    (a) Priorities for Protection of Personal Data for Operational 
Security.--In carrying out the duties of the Secretary of Defense, the 
Secretary shall identify and prioritize the protection of personal data 
that is related to or may have impacts on the operational security of 
members of the Armed Forces and civilian employees of the Department of 
Defense through the prevention of collection, use, dissemination, or 
retention of such data that does not conform with provisions of law and 
practices relating to privacy that were in effect on the day before the 
date of the enactment of this Act.
    (b) Review and Issuance of New Guidance Related to Protection of 
Personal Data Related to Operational Security.--Not later than June 1, 
2026, the Secretary of Defense shall review all applicable guidance and 
policy relating to the protection of personal data that is related to 
or may have impacts on the operational security of Department personnel 
and, if necessary, issue revised or new guidance for enhanced 
protection measures for such data. Such guidance shall cover provisions 
of law and practices relating to privacy and personnel security that 
were in effect on the day before the date of the enactment of this Act.
    (c) Storage of Data.--
            (1) Limitation.--The Secretary shall ensure that no 
        Department personal data related to or that may have impacts on 
        the operational security of Department personnel is stored on a 
        non-Department server or cloud service except pursuant to a 
        contract or other agreement entered into by the Secretary and a 
        contractor or subcontractor of the Department or, for personnel 
        data, with the permission of the data subject.
            (2) Waivers.--The Secretary may waive paragraph (1) in a 
        case in which the Secretary certifies in writing that such 
        waiver--
                    (A) appropriately considers the operational 
                security risks to an employee of the Department with 
                respect to whom such data may relate;
                    (B) does not pose a risk to national security; and
                    (C) is necessary in the interest of national 
                security.
    (d) Congressional Notification of Changes to Departmental 
Issuances.--
            (1) In general.--Not later than 30 days after the date on 
        which the Secretary changes a Department issuance relating to 
        the protection of personal data that is related to or may have 
        impacts on the operational security of Department personnel, 
        the Secretary shall submit to Congress notice of the change.
            (2) Sunset.--The requirement of paragraph (1) shall 
        terminate on the date that is five years after the date of the 
        enactment of this Act.
    (e) Congressional Notification of Events.--
            (1) In general.--Not later than 30 days after the date of 
        the occurrence of an event described in paragraph (2), the 
        Secretary shall submit to Congress notice of the event.
            (2) Events described.--An event described in this paragraph 
        is an occurrence of an event in which--
                    (A) the Secretary issues a waiver under subsection 
                (c)(2);
                    (B) personal data related to or that may have an 
                impact on operational security of Department personnel 
                is not stored according to Department regulations or 
                exfiltrated in violation of Department regulations;
                    (C) personal data related to or that may have an 
                impact on operational security of Department personnel 
                is stored on a non-Department server or cloud service 
                that has not undergone an authorization process in 
                accordance with Department regulations; or
                    (D) personal data related to or that may have an 
                impact on operational security of Department of Defense 
                personnel is exposed in any cybersecurity incident.
    (f) Standards, Training, and Reporting Processes for System 
Owners.--
            (1) In general.--The Secretary shall develop standards, 
        training, reporting, and security debriefing requirements for 
        Department personnel who receive write or read access 
        privileges as system owners across more than one platform of 
        Department information systems that hosts personal data related 
        to or that may have an impact on operational security of 
        Department personnel.
            (2) Security debriefings.--The Secretary shall ensure that 
        personnel described in paragraph (1) are provided regular 
        security debriefings, including after departing the Department.
            (3) Notification of congress under certain circumstances.--
        Not later than 30 days after the completion of the development 
        of the standards, training, reporting, and security debriefing 
        requirements in paragraph (1) the Secretary shall submit to 
        Congress details of the requirements.