America has spent decades building its cyber defenses based on a familiar assumption: If we can stop a
breach, we can protect the mission.
Today's threat environment demands a broader test of cyber power: how quickly the United States can recover when the mission is under attack.
Nation-state adversaries,
especially the People's Republic of China, are positioning themselves to hold U.S. systems at risk, disrupt continuity, and create cascading effects during a crisis. They understand that data drives command decisions, logistics, intelligence, public services, emergency response, and critical infrastructure operations. When data becomes inaccessible, corrupted, or slow to restore, then disruption becomes a strategy.
The
National Defense Data Resilience Act, introduced by Representatives
Suhas Subramanyam (D-Virginia) and
Dr. Rich McCormick (R-Georgia), begins where the stakes are highest: the Department of Defense (DoD).
The bill would require DoD to identify mission-critical data, establish mandatory recovery time objectives, deploy modern recovery capabilities, test those capabilities against realistic nation-state scenarios, and report the results to Congress.
The bill reflects the principle that should guide the next phase of federal cybersecurity:
Resilience depends on recoverability. Congress should make recovery a measurable requirement, starting with DoD, and establish a standard to sustain mission continuity across the federal enterprise.
The strategic gap is recovery
Federal cybersecurity policy has long emphasized defensive tools like firewalls, endpoint protection, network monitoring, and other capabilities designed to detect and stop intrusions. Modern cyber resilience requires an equally disciplined approach to recovery.
Advanced persistent threats can dodge defenses,
move laterally, corrupt data, and target critical recovery systems. The ability to rapidly recover mission-critical data is a core measure of national preparedness.
Recovery Time Objectives (RTOs) provide that measure. They specify how quickly systems and data must be restored after a disruption. For federal agencies responsible for national security and public safety, RTOs should be treated as operational requirements tied to readiness, testing, investment, and accountability.
Federal recovery expectations remain fragmented and uneven. Agencies may maintain backups, disaster recovery plans, or continuity procedures, but the federal enterprise needs enforceable standards that address destructive cyberattacks,
compromised backups, data corruption, and adversaries already present in sensitive environments.
The next phase of federal cybersecurity should build the same level of maturity in
mission recovery.
What H.R. 8710 would require
The National Defense Data Resilience Act makes recoverability an operational requirement. The bill directs the Secretary of Defense to designate DoD data as critical, important, or necessary and to establish mandatory RTOs based on data type and threat exposure. Critical data would receive RTOs within 180 days of enactment; important and necessary data would receive RTOs within 270 days.
The bill also shifts recovery from planning to performance. DoD would be required to field recovery capabilities for critical data within 180 days and for important and necessary data within 270 days.
These capabilities must prioritize critical services supporting national defense, maintain continuous monitoring for unauthorized changes, prevent tampering, support secure restoration, and operate within architectures isolated from production environments.
Testing and oversight are central to the framework. H.R. 8710 requires annual exercises that simulate nation-state cyberattacks and audits that mimic
adversary tactics, techniques, and procedures to validate whether DoD elements can meet their recovery objectives under realistic threat conditions. The Department would also submit annual auditable recovery certification reports to the
congressional defense committees.
That is the substance of the bill. It treats recovery as a tested capability, tied to data criticality, mission risk, and congressional oversight. It gives DoD a practical way to measure whether it can restore what the mission depends on when data is lost, degraded, or destroyed.
DoD should set the federal standard
DoD is the right starting point. Its missions depend on trusted data, available systems, and the ability to operate under pressure. Defense data supports command decisions, logistics, intelligence, weapons systems support, and the confidence leaders need during a crisis.
The same logic applies across the federal enterprise. Civilian agencies manage public health systems, emergency response functions, financial operations, and
critical infrastructure dependencies. Each depends on data that must remain available, accurate, and recoverable under stress. A recovery standard built for DoD can serve as a model for sustaining mission continuity across government.
A government-wide approach should standardize recovery expectations, improve coordination during cross-agency incidents, and strengthen public trust in continuity during crises. In a coordinated cyber campaign, adversaries will seek to trigger cascading effects across military, civilian, and critical infrastructure systems. The federal government should be prepared to restore essential data and sustain operations at the speed national resilience requires.
Recovery changes the adversary's calculus
Recovery changes the value of an attack. When adversaries believe that disruption will be prolonged, recovery slow, and essential functions degraded for the long term, they gain leverage. When the United States can restore mission-critical data, sustain operations, and continue the mission under pressure, that leverage diminishes.
Cyber deterrence depends on convincing adversaries that their attacks will fail to achieve their strategic objectives. In the cyber domain, that requires robust defenses and the ability to recover quickly, with confidence and discipline.
Congress should pass H.R. 8710 and make recoverability a national security standard. The United States needs a federal cyber posture built for continuity under attack, and DoD should lead the way.