SEC. 1501.

Data recovery requirements and strategy

DIVISION A · TITLE XV: Cyberspace-related Matters · SUBTITLE A: Cybersecurity


(a) Data recovery requirements

Chapter 19 of title 10, United States Code, is amended by inserting after section 391b the following new section:

(b) Data resilience pilot program

(1) Establishment

Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall establish a pilot program to assess the feasibility and effectiveness of fielding data resilience capabilities for data that is mission critical or essential to the operation of Department of Defense information systems and national security systems, including—

(A) immutable backups that preserve logically separated copies of data isolated from external networks by means of software, firewalls, or other controls; and

(B) continuous monitoring of backup environments to detect tampering, insider threats, and malicious corruption.

(2) Scope

The Secretary shall carry out the pilot program under paragraph (1) across not fewer than three covered systems selected by the Secretary, prioritizing covered systems with the highest concentration of data that is mission critical or essential to the operation of Department of Defense information systems and national security systems.

(3) Report

Not later than one year after the establishment of the pilot program under paragraph (1), the Secretary shall submit to the congressional defense committees a report on the pilot program that includes—

(A) an assessment of the effectiveness of the capabilities fielded under the pilot program in supporting recovery time objectives established under section 391c of title 10, United States Code, as added by subsection (a);

(B) the cost of fielding such capabilities; and

(C) a recommendation on whether to extend such capabilities Department-wide.

(4) Definition

In this subsection, the term "covered system" means an information system or national security system of the Department of Defense that stores or processes data that is mission critical, as identified pursuant to subsection (a)(1)(A) of such section 391c.

(c) Data recovery strategy

(1) Submission to committees

Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall submit to the congressional defense committees a data recovery strategy for the Department of Defense that includes information relating to the following:

(A) Recovery time objectives for such strategy.

(B) The approach to accomplish such objectives.

(C) Oversight processes with respect to such strategy.

(D) The funds necessary to carry out such strategy.

(E) The approach to fielding data resilience capabilities for data that is mission critical or essential to the operation of Department of Defense information systems and national security systems, including immutable backups that preserve logically separated copies isolated from external networks, and continuous monitoring of backup environments to detect tampering, insider threats, and malicious corruption.

(2) Form

The strategy under paragraph (1) shall be submitted in unclassified form, but may contain a classified annex.

(3) Definition

In this subsection, the term "recovery time objective" means the maximum allowable time the Secretary of Defense determines necessary to restore critical functions and data following a cyberattack.