The bill adds a new Section 202 to the PROTECT Our Children Act to create an "approved vendor" pathway for private cloud and forensic-storage providers that are contractually retained by U.S. law enforcement or prosecutors to store and process child sexual abuse material (CSAM). It grants those approved vendors broad protection from civil and criminal claims tied to performance of their contracted duties while carving out exceptions for intentional, reckless, or otherwise wrongful conduct.
This construct aims to make it easier for agencies to outsource large-scale storage and analytic processing of CSAM by reducing legal risk for vendors, but it also imposes operational obligations — cybersecurity baselines, annual audits, U.S.-only storage, evidence-retention rules, and mandatory notices to DOJ or state attorneys general — that will shape procurement, vendor selection, and litigation dynamics going forward.
At a Glance
What It Does
The bill creates a statutory definition of an "approved vendor" and shields such vendors from most civil and criminal claims when they store or process CSAM under a contract with a U.S. law enforcement or prosecutorial agency. It also prescribes operational standards — cybersecurity, custody, and retention rules — and requires vendors to notify the Department of Justice after contracting and on certain contract failures.
Who It Affects
Cloud-storage providers, digital-forensics firms, and hosting/analytics vendors that consider contracts to store or analyze CSAM for federal, state, or local agencies; federal, state, and local law enforcement and prosecutors who may rely on third parties for storage and processing; defense counsel and civil-rights plaintiffs whose claims might be limited against covered vendors.
Why It Matters
By lowering legal exposure for private vendors, the bill could expand the pool of firms willing to accept CSAM under contract and speed forensic processing, but it also concentrates sensitive material with private actors and creates new compliance and oversight obligations that vendors and contracting agencies must meet.
What This Bill Actually Does
The bill inserts a new Section 202 into the PROTECT Our Children Act and builds around a single device: an "approved vendor" that a U.S. law enforcement or prosecutorial agency contracts to hold, make available, and analyze visual depictions that meet the federal definition of child pornography. An approved vendor must perform three core services for the contracting agency—store the material, make it available to the contracting agency (and any other law enforcement or prosecutorial agency it designates), and provide maintenance, technical analysis, and forensic-tool processing on request.
Rather than creating new criminal offenses or affirmative obligations for agencies, the statute focuses on limiting third-party exposure: it bars civil claims and criminal charges against an approved vendor for actions taken in the course of performing those contractual duties, but explicitly preserves claims where the vendor engaged in intentional misconduct, negligence, actual malice, reckless disregard of a substantial risk of injury, or actions taken for purposes unrelated to the contract. That creates a safe harbor with enumerated exceptions rather than an absolute immunity.
Operational controls sit alongside the liability limitation. Approved vendors must secure stored depictions to standards consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (or successor framework), minimize employee access, employ end-to-end encryption (or an equivalent technical standard) for storage and transfer, submit to an independent annual cybersecurity audit, and promptly fix deficiencies identified in audits. The vendor’s ability to access material is limited to instances where the contracting agency consents and for purposes tied to maintenance or forensic support.
On custody and recordkeeping, the bill requires that CSAM held under the statute remain in the United States, and it ties retention to existing Criminal Justice Information Services (CJIS) security policy and applicable evidence-retention laws, with a statutory fallback: if no specific rule applies, retention must last at least as long as the statute of limitations or any sentence (including post-conviction review).
Finally, approved vendors must file a notice with DOJ within 30 days of entering a qualifying contract, update DOJ on changes, and notify DOJ or the relevant state attorney general within 30 days if the contracting agency breaches or terminates without arranging lawful transfer—while continuing to preserve the data until lawful custody is transferred.
The Five Things You Need to Know
The bill bars most civil claims and criminal charges against an "approved vendor" for acts performed under a qualifying contract to store or process CSAM, creating a broad statutory safe-harbor for contract performance.
The liability shield does not apply if the vendor engaged in intentional misconduct or negligent conduct, acted with actual malice or reckless disregard of a substantial risk of harm, or acted for a purpose unrelated to the contracting agency’s duties.
Approved vendors must secure CSAM consistent with the NIST Cybersecurity Framework (or successor), use end-to-end encryption or an equivalent technical standard, limit employee access, and undergo independent annual cybersecurity audits with prompt remediation.
All CSAM stored under these contracts must remain in the United States, and evidence retention must follow FBI CJIS security policy or applicable retention rules — or, absent such rules, at least the statute of limitations or the duration of any sentence including post-conviction review.
Vendors must file a notification letter with DOJ within 30 days of entering a qualifying contract (naming the vendor, point of contact, contracting agency, period of performance, and a pledge to update DOJ); if a contracting agency breaches or terminates a contract without lawful transfer, the vendor must notify DOJ or the appropriate state attorney general within 30 days and continue preserving the evidence until lawful transfer occurs.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions and scope: who qualifies as an "approved vendor"
This subsection defines the new statutory actor: an approved vendor is any organization that offers digital storage services (including cloud storage) and analytical/forensic processing, and that has been contractually retained and designated by a U.S. law enforcement or prosecutorial agency to store, make available, and process CSAM. The practical effect is to anchor the immunity and obligations to a contractual relationship initiated by an agency rather than to voluntary activity by a private host.
Limited liability with enumerated exceptions
Subsection (b) creates the liability rule: it generally bars civil and criminal claims against approved vendors for actions tied to contract performance, but preserves claims when the vendor’s conduct meets the statutory exception language (intentional or negligent conduct; actual malice; reckless disregard of substantial risk; or acts unrelated to contract duties). For practitioners, this provision converts many operational risks into an inquiry about whether conduct crossed the line from contract performance into tortious, malicious, or unrelated activity — shifting litigation fights to fact-intensive showings on intent and causation.
Cybersecurity and access controls for stored depictions
Subsection (c) prescribes operational requirements: vendors must secure stored depictions per the latest NIST Cybersecurity Framework (or successor), use end-to-end encryption (or an equivalent), limit the number of employees who can access the material, only access material with contracting-agency consent for maintenance/forensic support, and submit to an independent annual cybersecurity audit with a duty to fix identified issues. In procurement terms, these are minimum compliance hurdles vendors must meet to qualify for the statutory safe-harbor and to avoid exposure under the exceptions.
Evidence storage and retention rules
This provision requires agencies to ensure cloud-stored evidence complies with FBI CJIS security policy and to retain evidence per applicable federal, state, or local retention rules; where no rule exists, the fallback is retention for at least the statute of limitations or the duration of any sentence (including post-conviction review). That pushes agencies to treat vendor-held CSAM as formal evidence and ties private custody to the same longevity and chain-of-custody expectations as physical or agency-held digital evidence.
U.S.-only storage, DOJ notification, and breach-of-contract duties
Subsection (e) adds administrative controls: vendors must ensure covered CSAM remains in the United States, file a notification letter with DOJ within 30 days after entering a qualifying contract (with contact and contract particulars), and notify DOJ or the appropriate state attorney general within 30 days if a contracting agency fails to pay, breaches, or terminates without arranging a lawful transfer. Crucially, it requires vendors to preserve the integrity of evidence after such a notification until lawful transfer occurs — a continuing custody obligation that carries operational and cost implications.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal, state, and local law enforcement and prosecutors — can outsource large-scale storage and forensic processing with fewer vendor refusals and reduced procurement friction, potentially accelerating investigations and cross-jurisdictional sharing of evidence.
- Cloud-storage and digital-forensics vendors that qualify as approved vendors — gain a statutory reduction in civil and criminal exposure for contract performance and access to a new market for government contracts.
- Victims and investigative teams — may see faster analytic throughput (hashing, identification, victim-witness triage) when specialized vendors assume storage and tooling responsibilities, shortening time-to-identification for victims.
Who Bears the Cost
- Non-qualifying providers and smaller vendors — face compliance costs to meet NIST controls, encryption, annual independent audits, and U.S.-only data residency, which may price them out of the market.
- Defense counsel and civil-rights plaintiffs — may face a higher factual and legal bar to sue vendors whose conduct is within the statutory safe-harbor, shifting disputes toward proving intentional, reckless, or malicious behavior.
- Contracting agencies and approved vendors — inherit custody and preservation costs, including continued preservation after contract breaches or terminations and the administrative burden of DOJ/state notifications and audit remediation.
Key Issues
The Core Tension
The central dilemma is between accelerating and expanding law-enforcement use of private cloud/forensic services by removing legal risk for vendors, and maintaining accountability, security, and judicially enforceable remedies: the bill reduces vendor exposure to encourage participation but places trust in private actors and post-contract audits rather than creating a formal approval and oversight regime, concentrating sensitive evidence while leaving open difficult questions about enforcement, standards, and victims’ and defendants’ rights.
The statute trades reduced vendor liability for a set of operational controls and supervisory touchpoints, but many implementation questions remain. Who decides whether a vendor truly qualifies as an "approved vendor" beyond the fact of a contract?
The bill relies on the contracting relationship and notice to DOJ rather than a formal federal approval process, so DOJ’s role is informational unless other oversight mechanisms are later created. That leaves room for uneven vetting and for vendors to self-designate with only post-hoc scrutiny.
The cybersecurity requirements reference the NIST framework and demand end-to-end encryption and annual independent audits, but the bill does not define equivalence standards or the scope and depth of those audits. That creates a compliance gap: lawyers and procurement officers will need to translate high-level standards into measurable contract clauses and testing regimens.
The mandate that data remain in the United States addresses cross-border legal risk but raises practical questions about multinational vendors with global infrastructure and subsidiary operations. Finally, the preservation obligation after a contracting failure could force vendors to bear extended storage and legal costs while disputes over payment or transfer are resolved, and the statutory safe-harbor may reduce vendor liability while simultaneously concentrating risk in fewer, larger service providers whose failure or compromise would have outsized consequences.