WeVote

Bill

Bill

HR 8710

National Defense Data Resilience Act

119th Congress Introduced by Rich McCormick and 1 co-sponsor

The bill requires DoD to classify data by critical, important, and necessary and establish firm recovery time objectives with actionable, auditable, and tested data recovery capabi

Introduced in House
0
WeVote Research Nonpartisan
Bill Summary · HR 8710

Overview

  • Bill: H.R. 8710 (National Defense Data Resilience Act)
  • Session: 119th Congress, 2nd Session
  • Introduced: May 7, 2026 by Rep. Supramanyam (and Rep. McCormick)
  • Purpose: Amend title 10, U.S. Code to require the Secretary of Defense to establish resilient capabilities to recover critical Department of Defense data in the event such data is lost, degraded, or destroyed, and to outline related strategy, standards, and reporting.

Main purpose and intent

  • Ensure rapid, secure, and verifiable recovery of critical DoD data after cyber disruptions or attacks.
  • Establish formal definitions and categorizations of DoD data (critical, important, necessary) and set recovery time objectives (RTOs) accordingly.
  • Require a comprehensive data recovery capability development, including immutable backups, continuous monitoring, annual recovery drills, and independent audits.
  • Obligate the DoD to develop and submit a data recovery strategy to Congress, with a focus on timelines, required technology, oversight, and funding.

Key provisions and changes

Data classification and recovery timelines

  • Introduces a new section (§391c) in Chapter 19, title 10, U.S. Code.
  • Data must be designated into three categories:
    • Critical data
    • Important data
    • Necessary data
  • Recovery Time Objectives (RTOs):
    • For critical data: mandatory RTOs established within 180 days of enactment.
    • For important and necessary data: mandatory RTOs established within 270 days of enactment.
  • Each RTO must be:
    • Based on data type and threat exposure
    • Updated in response to evolving threats (including state and non-state actors, e.g., China)

Data recovery capability requirements

  • By 180 days after enactment, DoD must field data recovery capabilities for critical data that include:
    • Immutable backups with logically separated copies and network isolation
    • Continuous monitoring of backups to detect tampering and insider threats
    • Annual recovery exercises simulating nation-state cyberattacks
    • Audits where external/internal groups mimic cyberattack tactics to test capabilities
  • By 270 days after enactment, similar recovery capabilities must be fielded for important and necessary data.

Technology standards

  • DoD may not adopt technology for data recovery unless:
    • It is listed in the DoD inventory of certified cybersecurity and data protection technologies
    • It provides immutable storage, robust recovery capabilities, full audit trails, and continuous monitoring for data integrity and anomalous activity

Definitions

  • Critical data: data vital to the United States whose loss would debilitate security, economic security, public health/safety, or combinations thereof
  • Important data: data important to the United States whose loss would have a significant impact
  • Necessary data: data whose loss would have a measurable impact
  • Data recovery capability: technology/process/governance ensuring rapid, secure, verifiable recovery after a destructive cyberattack
  • Recovery time objective: maximum allowable time to restore critical functions/data after a cyberattack

Data recovery strategy and oversight

  • Within 90 days of enactment, DoD must submit a data recovery strategy to the congressional defense committees, detailing:
    • Recovery time objectives
    • Technologies required
    • Oversight processes
    • Estimated funding
  • The strategy must be provided in unclassified form (classified annex allowed)

Compliance and reporting

  • An auditable recovery certification report must be submitted annually to the congressional defense committees, starting one year after enactment and then annually thereafter, covering:
    • Each recovery time objective for every element
    • Whether each objective meets the specified requirements

Who/what is affected

  • Department of Defense elements and data systems (all DoD components) will be subject to:
    • Data classification processes
    • Implementation of designated recovery capabilities
    • Adoption of approved cybersecurity and data protection technologies
    • Regular testing, audits, and exercises
  • DoD leadership and the Secretary of Defense: responsible for designating data categories, establishing RTOs, and fielding capabilities
  • Congressional defense committees: receive annual auditable recovery certification reports and data recovery strategy
  • External and internal auditing/assessing bodies: may participate in the annual and independent audits

Procedural and timeline aspects

  • Enactment window triggers initial deadlines:
    • 180 days to field critical data recovery capabilities
    • 270 days to field important/necessary data recovery capabilities
    • 90 days to submit a comprehensive data recovery strategy to Congress
  • Annual reporting: starting one year after enactment, an auditable recovery certification report is due each year
  • Optional: strategy may include a classified annex; unclassified version required for public/ Congressional access

Potential impacts and considerations

  • Enhances resilience of DoD data against cyber threats by mandating formal RTOs, immutable backups, and ongoing testing
  • Increases focus on supply chain and threat intelligence integration for updating RTOs
  • Requires significant allocation of funding and resources to implement advanced data protection technologies and training
  • Establishes a governance and accountability framework with regular congressional reporting

If you’d like, I can pull out specific deadlines and create a quick reference checklist or provide a plain-language explainer for non-experts.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.