Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · BILL · 119th Congress · S. 2296 (Engrossed in Senate) — To authorize appropriations for fiscal year 2026 for military activities of the Department of Defense, for military c... · Sec. 1630

Sec. 1630. Enhanced protection of data affecting operational security of Department of Defense personnel

610 words·~3 min read·/bill/119/s/2296/es/section-1630·

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

In carrying out the duties of the Secretary of Defense, the Secretary shall identify and prioritize the protection of personal data that is related to or may have impacts on the operational security of members of the Armed Forces and civilian employees of the Department of Defense through the prevention of collection, use, dissemination, or retention of such data that does not conform with provisions of law and practices relating to privacy that were in effect on the day before the date of the enactment of this Act.
Not later than June 1, 2026, the Secretary of Defense will review all applicable guidance and policy relating to the protection of personal data that is related to or may have impacts on the operational security of Department personnel and, if necessary, issue revised or new guidance for enhanced protection measures for such data. Such guidance shall cover provisions of law and practices relating to privacy and personnel security that were in effect on the day before the date of the enactment of this Act.
The Secretary shall ensure that no Department personal data related to or that may have impacts on the operational security of Department personnel is stored on a non-Department server or cloud service except pursuant to a contract or other agreement entered into by the Secretary and a contractor or subcontractor of the Department or, for personnel data, with the permission of the data subject. The Secretary may waive paragraph
(1)in a case in which the Secretary certifies in writing that such waiver— appropriately considers the operational security risks to an employee of the Department with respect to whom such data may relate; does not pose a risk to national security; and is necessary in the interest of national security. Not later than 30 days after the date on which the Secretary changes a Department issuance relating to the protection of personal data that is related to or may have impacts on the operational security of Department personnel, the Secretary shall submit to Congress notice of the change. The requirement of paragraph
(1)shall terminate on the date that is five years after the date of the enactment of this Act. Not later than 30 days after the date of the occurrence of an event described in paragraph (2), the Secretary shall submit to Congress notice of the event. An event described in this paragraph is an occurrence of an event in which— the Secretary issues a waiver under subsection (c)(2); personal data related to or that may have an impact on operational security of Department personnel is not stored according to Department regulations or exfiltrated in violation of Department regulations; personal data related to or that may have an impact on operational security of Department personnel is stored on a non-Department server or cloud service that has not undergone an authorization process in accordance with Department regulations; or personal data related to or that may have an impact on operational security of Department of Defense personnel is exposed in any cybersecurity incident. The Secretary shall develop standards, training, reporting, and security debriefing requirements for Department personnel who receive write or read access privileges as system owners across more than one platform of Department information systems that hosts personal data related to or that may have an impact on operational security of Department personnel. The Secretary shall ensure that personnel described in paragraph
(1)are provided regular security debriefings, including after departing the Department. Not later than 30 days after the completion of the development of the standards, training, reporting, and security debriefing requirements in paragraph
(1)the Secretary shall submit to Congress details of the requirements.
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.