This bill requires the Secretary of Defense to significantly enhance the protection of personal data critical to the operational security of both military members and civilian employees. The Secretary must identify and prioritize this sensitive data, ensuring its collection, use, dissemination, or retention adheres strictly to existing privacy laws and practices. Furthermore, the bill requires a comprehensive review of current guidance and, by June 1, 2026, the issuance of new or revised policies to strengthen these protection measures. A key provision limits the storage of such personal data on non-Department servers or cloud services, permitting it only under specific contracts or with the individual's permission. The Secretary can waive this limitation by certifying that the waiver considers operational security risks, poses no national security risk, and is necessary for national security. The bill also establishes congressional notification requirements, mandating reports within 30 days of any changes to departmental issuances related to data protection or the occurrence of specific events, such as waiver issuances, unauthorized data storage, or cybersecurity incidents involving sensitive personnel data. Finally, the legislation directs the Secretary to develop new standards, training, reporting, and security debriefing requirements for Department personnel who manage sensitive personal data across multiple information systems. These requirements include regular security debriefings for system owners, even after they depart the Department. Congress must be notified of the details of these developed requirements within 30 days of their completion.
Timeline
Introduced in Senate
Read twice and referred to the Committee on Armed Services.
Armed Forces and National Security
Protecting DOD Data Act of 2025
USA | 119th Congress | S-3161 | Senate | Updated: 11/7/2025