Codify — Article

Defense Secure Mobile Phones Act requires hardened phones for senior DoD personnel

Mandates that the Department of Defense procure mobile phones under contracts that include encryption, identifier rotation, and continuous monitoring — with quick deadlines and a post-implementation report to Congress.

The Brief

The bill directs the Secretary of Defense to ensure that any wireless mobile phone the Department provides to senior officials or any Department employee who performs sensitive national security functions is acquired only under contracts or agreements that include enhanced cybersecurity protections. It does not itself create new criminal penalties or operational authorities; it conditions procurement and telecommunications services on specified technical safeguards.

This matters because the Department sets a procurement baseline for the devices used by its most sensitive personnel. The requirement centralizes expectations for device encryption, identifier management, and continuous monitoring, and it forces procurement and program offices and commercial suppliers to adapt quickly.

The bill also requires a congressional report listing contracts, the Secretary’s criteria for covered employees, and total costs, creating a short window for oversight and budget visibility.

At a Glance

What It Does

The bill requires the Department of Defense to acquire, through contracts or agreements, secure wireless mobile phones and related telecommunications services for senior officials and DoD employees performing sensitive functions. It defines three mandatory protections: full data and traffic encryption, capabilities to mitigate or rotate persistent device identifiers, and continuous device monitoring.

Who It Affects

Directly affects senior DoD officials and Department employees the Secretary designates as performing sensitive national security functions; it also binds DoD procurement offices, managed service providers, and telecommunications vendors that supply phones or services to those users. The bill does not explicitly extend to non‑employee contractors or state/local actors.

Why It Matters

By tying these protections to procurement contracts, the bill shifts the baseline security requirements toward government-directed device controls and monitoring for high-risk users. That creates near-term compliance work for acquisition teams and may reshape how commercial vendors design and price ‘secure’ mobile offerings for the government market.

What This Bill Actually Does

The bill is short and focused. It creates a procurement rule: if the Department of Defense provides a mobile phone to a covered person, that phone and its associated telecom services must be supplied under a contract or agreement that requires enhanced cybersecurity protections.

The Secretary of Defense decides which Department employees perform “sensitive national security functions,” so determining the population of covered users is an internal DoD governance task.

The statute enumerates three technical protections that contractors must deliver: encryption of data stored on the device and of communications to and from it; capabilities to obfuscate or periodically rotate persistent device identifiers to reduce tracking risk; and the ability to continuously monitor the devices. Those are stated as mandatory contract terms, which means acquisition documentation (statements of work, security annexes, contract clauses) must be updated to translate the statutory language into implementable technical and testing requirements.

The bill imposes short internal timelines. The Department must start complying within 90 days of enactment, a tight window that pushes procurement and IT security teams to rapidly identify covered personnel, specify technical requirements, select vendors, and stand up any monitoring infrastructure. Separately, within 180 days the Secretary must report to the congressional defense committees with the contracts entered, the criteria used to designate covered employees and their number, and the total costs incurred, giving Congress an early accounting of scope and expense.

Operationally, the requirements will interact with existing DoD cybersecurity and supply chain authorities. Implementers will need to decide whether to use commercial-off-the-shelf devices with added controls, government‑managed handsets or SIMs, or bespoke government solutions. They will also need to integrate continuous monitoring with existing security operations centers and decide what remediation, incident reporting, and data-retention rules apply to monitored telemetry.

Finally, privacy and civil‑liberties considerations will arise because “continuous monitoring” and identifier rotation have technical and personnel implications that extend beyond pure device hardening.

The Five Things You Need to Know

  1. The Secretary must begin complying within 90 days of enactment — a short implementation deadline that applies to contracts and agreements providing devices to covered personnel.
  2. The statutory protections required in contracts are threefold: encryption of on-device data and communications, capability to mitigate or rotate persistent device identifiers, and capability for continuous device monitoring.
  3. The Secretary must submit a report to the congressional defense committees within 180 days listing contracts entered under the provision, the criteria used to identify employees performing sensitive national security functions and the total number of such employees, and the total costs of phones and services.
  4. The statute conditions procurement practices — it requires DoD to acquire devices under contracts or agreements that impose these protections rather than authorizing new operational monitoring authorities outside procurement vehicles.
  5. The bill leaves the definition of who performs “sensitive national security functions” to the Secretary, making coverage of personnel a discretionary, internal DoD determination that will affect scope and costs.

Section-by-Section Breakdown

Section 1

Short title

This brief provision names the bill the "Defense Secure Mobile Phones Act of 2025." It has no operational effect but sets the statute’s label for reference in guidance, contract clauses, and reporting.

Section 2(a)

Procurement requirement for covered devices

Subsection (a) mandates that, within 90 days of enactment, the Secretary ensure every wireless mobile phone provided to a senior official or any DoD employee who performs sensitive national security functions is acquired under contracts or agreements requiring enhanced protections. Practically, this forces program and contracting officers to add the mandated security requirements to solicitations, task orders, and blanket purchase arrangements for covered users. It also means legacy provisioning programs must be reviewed for compliance or replaced.

Section 2(b)

Mandatory cybersecurity protections

Subsection (b) spells out three protections: encryption of data on devices and of all telecommunications traffic, capabilities to mitigate or rotate persistent device identifiers to limit tracking, and continuous monitoring capability. Each requirement will need translating into technical specifications, test procedures, and acceptance criteria in contracts (for example, cryptographic standards, rotation intervals, telemetry formats, and monitoring thresholds). Implementers will also need to address interoperability with commercial networks and accreditation under DoD security frameworks.

Section 2(c)

Congressional report requirements

Subsection (c) requires a report to the congressional defense committees within 180 days that lists contracts or agreements entered under (a), explains the criteria the Secretary used to designate covered employees and the total number so designated, and states the total costs of phones and services. This provision gives Congress quick visibility into the program’s scope and expense but does not prescribe follow‑on funding or oversight mechanisms beyond the report itself.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Senior Department of Defense officials and DoD employees performing sensitive national security functions — they gain hardening against interception, tracking, and certain device-based compromises.
  • Department of Defense cybersecurity and operations teams — standardized contractual security requirements simplify expectations and can centralize monitoring and incident response for high-risk users.
  • Vendors and managed service providers that can offer verifiable, government‑grade security features — they gain a potential market advantage if they can demonstrate compliance with the specified protections.

Who Bears the Cost

  • DoD acquisition and program offices — they must rewrite solicitations, negotiate new contract terms, and oversee compliance on an accelerated schedule.
  • Telecommunications vendors and device manufacturers — they must adapt products and service offerings (encryption implementations, identifier‑rotation features, monitoring telemetry) or risk losing contracts; smaller suppliers may be priced out.
  • Taxpayers and DoD budgets — hardened devices and managed monitoring services typically cost more than commodity smartphones and bring lifecycle and operations expenses that the bill’s one‑time language does not explicitly fund.
  • Covered employees — continuous monitoring raises workplace privacy and operational constraints; employees may face limits on certain device functions or personal use if government‑provided devices adopt lock-down configurations.

Key Issues

The Core Tension

The central dilemma is straightforward: the Department needs stronger technical controls on the devices used by its most sensitive personnel to reduce espionage and tracking risks, but imposing strict encryption, monitoring, and identifier‑rotation requirements can reduce interoperability, raise privacy concerns for monitored users, and force reliance on a narrow set of vendors — trading immediate operational security gains against usability, transparency, and long‑term market competition.

The bill packs several implementation and policy trade-offs into a short statutory text. First, the technical terms are high‑level. “Encryption” and “continuous monitoring” are specified without tying them to standards, key management regimes, accreditation processes, or incident reporting rules; acquisition teams will need to convert these mandates into enforceable contract language and testing protocols. That translation will determine the real security outcome, but the statute leaves it to DoD and contracting officers rather than prescribing standards.

Second, continuous monitoring and identifier‑rotation will interact with user privacy, civil‑liberties expectations, and operational usability. Continuous monitoring can be narrowly scoped (device health telemetry) or broad (location, usage metadata); the bill does not define limits or retention. Identifier rotation can interfere with lawful intercept, roaming, emergency services, and third‑party apps that rely on stable identifiers.

Finally, the 90‑day compliance window and the 180‑day reporting deadline compress procurement and technical work into a short period, increasing the risk of uneven implementation, higher short‑term costs, or reliance on a small set of vetted suppliers — all of which have supply‑chain and competition implications.
