Protecting DOD Data Act of 2025

In carrying out the duties of the Secretary of Defense, the Secretary shall identify and prioritize the protection of personal data that is related to or may have impacts on the operational security of members of the Armed Forces and civilian employees of the Department of Defense through the prevention of collection, use, dissemination, or retention of such data that does not conform with provisions of law and practices relating to privacy that were in effect on the day before the date of the enactment of this Act.

Not later than June 1, 2026, the Secretary of Defense shall review all applicable guidance and policy relating to the protection of personal data that is related to or may have impacts on the operational security of Department personnel and, if necessary, issue revised or new guidance for enhanced protection measures for such data. Such guidance shall cover provisions of law and practices relating to privacy and personnel security that were in effect on the day before the date of the enactment of this Act.

The Secretary shall ensure that no Department personal data related to or that may have impacts on the operational security of Department personnel is stored on a non-Department server or cloud service except pursuant to a contract or other agreement entered into by the Secretary and a contractor or subcontractor of the Department or, for personnel data, with the permission of the data subject.

The Secretary may waive paragraph (1) in a case in which the Secretary certifies in writing that such waiver—

(A) appropriately considers the operational security risks to an employee of the Department with respect to whom such data may relate;

(B) does not pose a risk to national security; and

(C) is necessary in the interest of national security.

Not later than 30 days after the date on which the Secretary changes a Department issuance relating to the protection of personal data that is related to or may have impacts on the operational security of Department personnel, the Secretary shall submit to Congress notice of the change.

The requirement of paragraph (1) shall terminate on the date that is five years after the date of the enactment of this Act.

Not later than 30 days after the date of the occurrence of an event described in paragraph (2), the Secretary shall submit to Congress notice of the event.

An event described in this paragraph is an occurrence of an event in which—

(A) the Secretary issues a waiver under subsection (c)(2);

(B) personal data related to or that may have an impact on operational security of Department personnel is not stored according to Department regulations or exfiltrated in violation of Department regulations;

(C) personal data related to or that may have an impact on operational security of Department personnel is stored on a non-Department server or cloud service that has not undergone an authorization process in accordance with Department regulations; or

(D) personal data related to or that may have an impact on operational security of Department of Defense personnel is exposed in any cybersecurity incident.

The Secretary shall develop standards, training, reporting, and security debriefing requirements for Department personnel who receive write or read access privileges as system owners across more than one platform of Department information systems that hosts personal data related to or that may have an impact on operational security of Department personnel.

The Secretary shall ensure that personnel described in paragraph (1) are provided regular security debriefings, including after departing the Department.

Not later than 30 days after the completion of the development of the standards, training, reporting, and security debriefing requirements in paragraph (1) the Secretary shall submit to Congress details of the requirements.