S 3023
· 119th Congress
· Crime and Law Enforcement
Safe Cloud Storage Act
Sponsor
Latest action
Placed on Senate Legislative Calendar under General Orders. Calendar No. 345.
Action timeline
Every recorded action on this bill, newest first. Stage badges color-code the legislative path.
Feb 24, 2026
committee
Committee on the Judiciary. Reported by Senator Grassley with an amendment in the nature of a substitute. Without written report.
Judiciary Committee
Feb 24, 2026
other
Placed on Senate Legislative Calendar under General Orders. Calendar No. 345.
Feb 05, 2026
committee
Committee on the Judiciary. Ordered to be reported with an amendment in the nature of a substitute favorably.
Judiciary Committee
Oct 21, 2025
introduced
Introduced in Senate
Oct 21, 2025
introduced
Read twice and referred to the Committee on the Judiciary.
Judiciary Committee
Text versions
Each stage of the bill — official text published by GPO. Click any format to read on congress.gov / govinfo.
Changelog
ⓘ
How a bill moves through Congress. Each stage produces a new official text. The diff between them shows what changed at that step.
ih / is — Introduced in House / Senate. First filed version.rfh / rfs — Referred to a committee for review.rh / rs — Reported back by the committee to the floor (often with amendments — this is where most language changes happen).pcs / pch — Placed on Calendar for floor consideration.eh / es — Engrossed. Passed by the originating chamber. Text is now what was actually voted on.rdh / rds — Received by the other chamber.eah / eas — Engrossed Amendment. The other chamber passed an amended version.ath / ats — Agreed to. Both chambers settled on the same text.enr — Enrolled. Final reconciled text, sent to the President.pl — Public Law. Signed by the President. It's now law.pp — Public Print. Official printing post-enactment.
Most bills die before eh/es. Going from pcs → enr is the full path through both chambers.
ⓘ
How a bill moves through Congress. Each stage produces a new official text. The diff between them shows what changed at that step.
ih/is— Introduced in House / Senate. First filed version.rfh/rfs— Referred to a committee for review.rh/rs— Reported back by the committee to the floor (often with amendments — this is where most language changes happen).pcs/pch— Placed on Calendar for floor consideration.eh/es— Engrossed. Passed by the originating chamber. Text is now what was actually voted on.rdh/rds— Received by the other chamber.eah/eas— Engrossed Amendment. The other chamber passed an amended version.ath/ats— Agreed to. Both chambers settled on the same text.enr— Enrolled. Final reconciled text, sent to the President.pl— Public Law. Signed by the President. It's now law.pp— Public Print. Official printing post-enactment.
Most bills die before eh/es. Going from pcs → enr is the full path through both chambers.
Line-level diff between text versions of this bill — what actually changed at each legislative stage.
+275
−66
70 unchanged
--- Introduced (Senate)
+++ Reported (Senate)
@@ -1,10 +1,11 @@
[From the U.S. Government Publishing Office]
-[S. 3023 Introduced in Senate (IS)]
+[S. 3023 Reported in Senate (RS)]
<DOC>
+Calendar No. 345
119th CONGRESS
-1st Session
+2d Session
S. 3023
To limit liability for certain entities storing child sexual abuse
@@ -16,9 +17,16 @@
October 21, 2025
-Mrs. Blackburn (for herself, Ms. Klobuchar, Mr. Cornyn, and Mr.
-Blumenthal) introduced the following bill; which was read twice and
-referred to the Committee on the Judiciary
+Mrs. Blackburn (for herself, Ms. Klobuchar, Mr. Cornyn, Mr. Blumenthal,
+Mrs. Britt, Mr. Coons, Mr. Lee, and Mrs. Moody) introduced the
+following bill; which was read twice and referred to the Committee on
+the Judiciary
+
+February 24, 2026
+
+Reported by Mr. Grassley, with an amendment
+[Strike out all after the enacting clause and insert the part printed
+in italic]
_______________________________________________________________________
@@ -30,11 +38,161 @@
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
+<DELETED>SECTION 1. SHORT TITLE.</DELETED>
+
+<DELETED> This Act may be cited as the ``Safe Cloud Storage
+Act''.</DELETED>
+
+<DELETED>SEC. 2. STORAGE OF CHILD SEXUAL ABUSE MATERIAL.</DELETED>
+
+<DELETED> (a) In General.--Title II of the PROTECT Our Children Act
+of 2008 (34 U.S.C. 21101 et seq.) is amended by inserting after section
+201 the following:</DELETED>
+
+<DELETED>``SEC. 202. MODERNIZING LAW ENFORCEMENT'S ABILITY TO STORE
+CHILD PORNOGRAPHY AND CHILD OBSCENITY AND LIMITED
+LIABILITY FOR APPROVED VENDORS.</DELETED>
+
+<DELETED> ``(a) Definitions.--In this section:</DELETED>
+<DELETED> ``(1) Approved vendor.--The term `approved vendor'
+means an organization, corporation, or entity that--</DELETED>
+<DELETED> ``(A) offers digital storage services,
+including remote or cloud-based storage, and analytical
+and forensic tool processing support; and</DELETED>
+<DELETED> ``(B) has been contractually retained and
+designated by a law enforcement or prosecutorial agency
+based in the United States to support the duties of
+such agency by--</DELETED>
+<DELETED> ``(i) storing digital child
+pornography or child obscenity;</DELETED>
+<DELETED> ``(ii) making such child
+pornography or child obscenity available to the
+contracting agency, or any law enforcement or
+prosecutorial agency designated by the
+contracting agency, upon request; and</DELETED>
+<DELETED> ``(iii) providing maintenance,
+technical and analytical assistance, and
+forensic tool processing support upon request
+by the contracting agency.</DELETED>
+<DELETED> ``(2) Child pornography.--The term `child
+pornography' has the meaning given that term in section 2256 of
+title 18, United States Code.</DELETED>
+<DELETED> ``(b) Limited Liability for Approved Vendors.--</DELETED>
+<DELETED> ``(1) Limited liability for law enforcement
+approved vendors.--Except as provided in paragraph (2), a civil
+claim or criminal charge may not be brought in any Federal or
+State court against an approved vendor relating to the approved
+vendor's performance of any contractual obligation or service
+described in subsection (a)(1).</DELETED>
+<DELETED> ``(2) Intentional, reckless, or other
+misconduct.--A civil claim or criminal charge may be brought in
+any Federal or State court against an approved vendor if the
+approved vendor--</DELETED>
+<DELETED> ``(A) engaged in--</DELETED>
+<DELETED> ``(i) intentional misconduct;
+or</DELETED>
+<DELETED> ``(ii) negligent
+conduct;</DELETED>
+<DELETED> ``(B) acted, or failed to act--</DELETED>
+<DELETED> ``(i) with actual
+malice;</DELETED>
+<DELETED> ``(ii) with reckless disregard to
+a substantial risk of causing injury without
+legal justification; or</DELETED>
+<DELETED> ``(iii) for a purpose unrelated to
+the performance of any responsibility or
+function described in subsection
+(a)(1)(B).</DELETED>
+<DELETED> ``(c) Vendor Cybersecurity Requirements.--With respect to
+any visual depiction stored and available for analysis in the cloud
+storage service of an approved vendor, and pursuant to the duties of
+law enforcement in the investigation of the sexual exploitation of
+children, an approved vendor shall--</DELETED>
+<DELETED> ``(1) secure such visual depiction in a manner
+that is consistent with the most recent version of the
+Cybersecurity Framework developed by the National Institute of
+Standards and Technology, or any successor thereto;</DELETED>
+<DELETED> ``(2) only access the visual depictions upon
+consent of the law enforcement or prosecutorial agency
+contracting the service and for the purpose of providing
+maintenance, technical assistance, and forensic tool processing
+support in the cloud;</DELETED>
+<DELETED> ``(3) minimize the number of employees that may be
+able to obtain access to such visual depiction;</DELETED>
+<DELETED> ``(4) employ end-to-end encryption for data
+storage and transfer functions, or an equivalent technological
+standard;</DELETED>
+<DELETED> ``(5) undergo an independent annual cybersecurity
+audit to determine whether such visual depiction is secured as
+required under paragraph (1); and</DELETED>
+<DELETED> ``(6) promptly address all issues identified by an
+audit described in paragraph (5).</DELETED>
+<DELETED> ``(d) Evidence Storage.--Any law enforcement or
+prosecutorial agency that stores evidence of child pornography and
+child obscenity using cloud-based or remote storage services shall
+retain such evidence--</DELETED>
+<DELETED> ``(1) in compliance with the security policy of
+the Criminal Justice Information Services of the Federal Bureau
+of Investigation;</DELETED>
+<DELETED> ``(2) for a period consistent with the evidence
+retention requirements applicable to the investigating or
+prosecuting agency under the relevant Federal, State, or local
+law, rule of criminal procedure, or prosecutorial policy;
+or</DELETED>
+<DELETED> ``(3) in the absence of such law, rule, or policy,
+for a period not less than the applicable statute of
+limitations or the duration of any sentence imposed, including
+the period of post-conviction review.</DELETED>
+<DELETED> ``(e) Additional Requirements for Approved Vendors.--
+</DELETED>
+<DELETED> ``(1) In general.--Each approved vendor shall
+ensure that cloud-based storage and analytics of child
+pornography and child obscenity under this section remain in
+the United States.</DELETED>
+<DELETED> ``(2) Notification letter.--</DELETED>
+<DELETED> ``(A) In general.--Approved vendors shall
+file a notification letter with the Department of
+Justice not later than 30 days after entering into a
+contract described in subsection (a)(1)(B).</DELETED>
+<DELETED> ``(B) Contents.--The notification letter
+shall include the entity name and point of contact
+information of the approved vendor, the name of the
+contracting agency, the period of performance of the
+contract, and an acknowledgment by the approved vendor
+that the approved vendor will notify the Department of
+Justice of any changes to the information in the
+letter.</DELETED>
+<DELETED> ``(3) Breach of contract.--</DELETED>
+<DELETED> ``(A) In general.--If a law enforcement or
+prosecutorial agency fails to make required payment
+under a contract, breaches any material term of such
+contract, or otherwise terminates such contract without
+establishing lawful transfer of the evidence, the
+approved vendor shall, not later than 30 days after the
+failure, breach, or termination, notify the Department
+of Justice, or in the case of a State or local agency,
+the appropriate State attorney general.</DELETED>
+<DELETED> ``(B) Maintenance of evidence.--Upon
+making a notification under subparagraph (A), the
+approved vendor shall continue to preserve and maintain
+the integrity of the evidence until a lawful transfer
+of custody occurs to the Department of Justice or
+another Federal, State, or local law enforcement agency
+with jurisdiction.''.</DELETED>
+<DELETED> (b) Clerical Amendment.--Section 1(b) of the PROTECT Our
+Children Act of 2008 (Public Law 110-401; 122 Stat. 4229) is amended by
+inserting after the item relating to section 201 the
+following:</DELETED>
+
+<DELETED>``Sec. 202. Modernizing law enforcement's ability to store
+child pornography and child obscenity and
+limited liability for approved vendors.''.
+
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Safe Cloud Storage Act''.
-SEC. 2. STORAGE OF CHILD SEXUAL ABUSE MATERIAL.
+SEC. 2. STORAGE OF CHILD PORNOGRAPHY AND CHILD OBSCENITY.
(a) In General.--Title II of the PROTECT Our Children Act of 2008
(34 U.S.C. 21101 et seq.) is amended by inserting after section 201 the
@@ -50,10 +208,8 @@
``(A) offers digital storage services, including
remote or cloud-based storage, and analytical and
forensic tool processing support; and
-``(B) has been contractually retained and
-designated by a law enforcement or prosecutorial agency
-based in the United States to support the duties of
-such agency by--
+``(B) has been contractually retained by a covered
+agency to support the duties of such agency by--
``(i) storing digital child pornography or
child obscenity;
``(ii) making such child pornography or
@@ -66,8 +222,18 @@
processing support upon request by the
contracting agency.
``(2) Child pornography.--The term `child pornography' has
-the meaning given that term in section 2256 of title 18, United
-States Code.
+the meaning given that term in section 2256(8) of title 18,
+United States Code.
+``(3) Covered agency.--The term `covered agency' means a
+Federal, State, or local law enforcement or prosecutorial
+agency.
+``(4) Local.--The term `local' means any political
+subdivision of a State.
+``(5) State.--The term `State' means any of the 50 States
+of the United States, the District of Columbia, the
+Commonwealth of Puerto Rico, the Virgin Islands of the United
+States, Guam, American Samoa, or the Commonwealth of the
+Northern Mariana Islands.
``(b) Limited Liability for Approved Vendors.--
``(1) Limited liability for law enforcement approved
vendors.--Except as provided in paragraph (2), a civil claim or
@@ -80,7 +246,7 @@
court against an approved vendor if the approved vendor--
``(A) engaged in--
``(i) intentional misconduct; or
-``(ii) negligent conduct;
+``(ii) negligent conduct; or
``(B) acted, or failed to act--
``(i) with actual malice;
``(ii) with reckless disregard to a
@@ -89,77 +255,101 @@
``(iii) for a purpose unrelated to the
performance of any responsibility or function
described in subsection (a)(1)(B).
-``(c) Vendor Cybersecurity Requirements.--With respect to any
-visual depiction stored and available for analysis in the cloud storage
-service of an approved vendor, and pursuant to the duties of law
-enforcement in the investigation of the sexual exploitation of
-children, an approved vendor shall--
-``(1) secure such visual depiction in a manner that is
-consistent with the most recent version of the Cybersecurity
-Framework developed by the National Institute of Standards and
-Technology, or any successor thereto;
-``(2) only access the visual depictions upon consent of the
-law enforcement or prosecutorial agency contracting the service
-and for the purpose of providing maintenance, technical
-assistance, and forensic tool processing support in the cloud;
+``(c) Vendor Cybersecurity Requirements.--With respect to any child
+pornography or child obscenity stored, maintained, or processed by an
+approved vendor, such approved vendor shall--
+``(1) secure such child pornography or child obscenity in a
+manner that is consistent with the most recent version of the
+Cybersecurity Framework developed by the National Institute of
+Standards and Technology, or any successor thereto;
+``(2) only access the child pornography or child obscenity
+upon consent of the covered agency contracting the service and
+for the purpose of providing maintenance, technical assistance,
+and forensic tool processing support in the cloud;
``(3) minimize the number of employees that may be able to
-obtain access to such visual depiction;
+obtain access to such child pornography or child obscenity and
+maintain a list of employees who have obtained such access;
``(4) employ end-to-end encryption for data storage and
transfer functions, or an equivalent technological standard;
``(5) undergo an independent annual cybersecurity audit to
-determine whether such visual depiction is secured as required
-under paragraph (1); and
+determine whether such child pornography or child obscenity is
+secured as required by paragraph (1), including by assessing
+compliance with the National Institute of Standards and
+Technology Special Publication 800-53, Revision 5 (relating to
+security and privacy controls for information systems and
+organizations) or any successor documents or revisions; and
``(6) promptly address all issues identified by an audit
described in paragraph (5).
-``(d) Evidence Storage.--Any law enforcement or prosecutorial
-agency that stores evidence of child pornography and child obscenity
-using cloud-based or remote storage services shall retain such
-evidence--
+``(d) Evidence Storage.--Any covered agency that stores child
+pornography and child obscenity pursuant to a contract with an approved
+vendor shall retain such evidence--
``(1) in compliance with the security policy of the
-Criminal Justice Information Services of the Federal Bureau of
-Investigation;
+Criminal Justice Information Services Division of the Federal
+Bureau of Investigation, or any other similar and appropriate
+division within the Federal Bureau of Investigation;
``(2) for a period consistent with the evidence retention
-requirements applicable to the investigating or prosecuting
-agency under the relevant Federal, State, or local law, rule of
-criminal procedure, or prosecutorial policy; or
+requirements applicable to the covered agency under the
+relevant Federal, State, or local law, rule of criminal
+procedure, or prosecutorial policy; or
``(3) in the absence of such law, rule, or policy, for a
period not less than the applicable statute of limitations or
the duration of any sentence imposed, including the period of
post-conviction review.
``(e) Additional Requirements for Approved Vendors.--
-``(1) In general.--Each approved vendor shall ensure that
-cloud-based storage and analytics of child pornography and
-child obscenity under this section remain in the United States.
+``(1) Location of data.--
+``(A) In general.--Except as provided in
+subparagraph (B), each approved vendor shall ensure
+that child pornography and child obscenity stored
+pursuant to this section remains in the United States.
+``(B) Exception.--Child pornography and child
+obscenity under this section may be transferred outside
+the United States only with the express consent of the
+contracting covered agency if such agency deems the
+transfer necessary for investigative purposes.
``(2) Notification letter.--
``(A) In general.--Approved vendors shall file a
-notification letter with the Department of Justice not
-later than 30 days after entering into a contract
-described in subsection (a)(1)(B).
-``(B) Contents.--The notification letter shall
-include the entity name and point of contact
-information of the approved vendor, the name of the
-contracting agency, the period of performance of the
-contract, and an acknowledgment by the approved vendor
-that the approved vendor will notify the Department of
-Justice of any changes to the information in the
-letter.
+notification letter with the Criminal Division of the
+Department of Justice not later than 30 days after
+entering into a contract described in subsection
+(a)(1)(B).
+``(B) Contents.--The notification letter described
+in subparagraph (A) shall include the entity name and
+point of contact information of the approved vendor,
+the name of the contracting covered agency, the period
+of performance of the contract, and an acknowledgment
+by the approved vendor that the approved vendor will
+notify the Child Exploitation and Obscenity Section of
+the Criminal Division of the Department of Justice of
+any changes to the information in the letter.
``(3) Breach of contract.--
-``(A) In general.--If a law enforcement or
-prosecutorial agency fails to make required payment
-under a contract, breaches any material term of such
-contract, or otherwise terminates such contract without
-establishing lawful transfer of the evidence, the
-approved vendor shall, not later than 30 days after the
-failure, breach, or termination, notify the Department
-of Justice, or in the case of a State or local agency,
-the appropriate State attorney general.
+``(A) In general.--If a covered agency fails to
+make required payment under a contract, breaches any
+material term of such contract, or otherwise terminates
+such contract without establishing lawful transfer of
+the evidence, the approved vendor shall, not later than
+30 days after the failure, breach, or termination,
+notify the Criminal Division of the Department of
+Justice in the case of a breach by a Federal agency, or
+the appropriate State attorney general in the case of a
+breach by a State or local agency.
``(B) Maintenance of evidence.--Upon making a
notification under subparagraph (A), the approved
vendor shall continue to preserve and maintain the
-integrity of the evidence until a lawful transfer of
-custody occurs to the Department of Justice or another
-Federal, State, or local law enforcement agency with
-jurisdiction.''.
+integrity of the evidence until a prompt and lawful
+transfer of custody occurs to the Criminal Division of
+the Department of Justice or another Federal, State, or
+local law enforcement agency with jurisdiction.
+``(f) Rule of Construction.--Nothing in this section shall be
+construed to limit--
+``(1) bona fide use by the contracting covered agency of
+child pornography or child obscenity being stored by the
+approved vendor, which includes providing such child
+pornography or child obscenity to any other party as necessary
+for an investigation or prosecution; or
+``(2) the obligation of the contracting covered agency to
+comply with a constitutional or statutory obligation, court
+order, or request from a victim made pursuant to section
+3509(m)(3) of title 18, United States Code.''.
(b) Clerical Amendment.--Section 1(b) of the PROTECT Our Children
Act of 2008 (Public Law 110-401; 122 Stat. 4229) is amended by
inserting after the item relating to section 201 the following:
@@ -167,4 +357,23 @@
``Sec. 202. Modernizing law enforcement's ability to store child
pornography and child obscenity and limited
liability for approved vendors.''.
-<all>
+Calendar No. 345
+
+119th CONGRESS
+
+2d Session
+
+S. 3023
+
+_______________________________________________________________________
+
+A BILL
+
+To limit liability for certain entities storing child sexual abuse
+material for law enforcement agencies, and for other purposes.
+
+_______________________________________________________________________
+
+February 24, 2026
+
+Reported with an amendment
Lobbying activity
Organizations whose LDA filings reference this bill, ranked by filing count. Position not disclosed — LDA does not require lobbyists to report support / oppose / monitor. Bill-number references can be stale (lobbyists sometimes copy text year-over-year), so verify against the filing description.
3
filings · 2026 Q4
SNAP INC.
LAW
1
filings · 2026 Q1
via Senate LDA · self-reported quarterly. Filing count = filings mentioning this bill (no position required), not money spent on it. Click a client to see all bills they've filed on.
Cosponsors (8)
Members who signed on to support this bill.