H.R. ___
To codify minimum, continuous security-vetting and access-control standards for Executive-branch personnel, and for other purposes.
A Draft Bill — By The American People
June 12, 2025
A BILL
Section 1. Short Title.
This Act may be cited as the "Layered Oversight for Clearance Keepers Act of 2025" or the "LOCK Act".
Sec. 2. Mandatory Continuous Vetting.
- (a) title 50, United States Code, is amended by inserting after section 3341 the following:
"§ 3341a. Continuous vetting"
- (1) "(a) REQUIREMENT. — beginning 180 days after enactment of the LOCK Act, every individual who holds, or is nominated or assigned to hold, national-security eligibility shall be enrolled in an automated continuous-vetting service that —
- (A) "(1) at intervals not to exceed 30 days, and where technically feasible at least once every 24 hours, queries financial, criminal, counter-terrorism, foreign-travel, and other risk-relevant data sets; and
- (B) "(2) operates in accordance with continuous-monitoring guidance issued under NIST Special Publication 800-137 or any successor publication.
- (2) "(b) IMPLEMENTATION AUTHORITY. — the Security Executive Agent may refine or expand the data categories in subsection (a) consistent with risk-based intelligence and emerging analytic methods, but may not waive enrollment.
- (3) "(c) PRIVACY SAFEGUARDS. —
- (A) "(1) Written consent. — enrollment shall be conditioned on an executed consent acknowledging collection and automated review of covered data.
- (B) "(2) Adverse-action notice and dispute. — an individual shall receive written notice of any adverse personnel action initiated on the basis of continuous-vetting data and shall have not fewer than 30 days to contest the accuracy of such data under procedures consistent with the Privacy Act of 1974 and the Fair Credit Reporting Act.
- (C) "(3) Data-minimisation. — covered data that do not trigger an adjudicative action shall be retained no longer than 5 years, unless required for litigation hold or law-enforcement purposes.
- (4) "(d) LOW-RISK EXCEPTION. — nothing in this section requires enrollment for individuals occupying positions designated 'public trust' or lower under 5 C.F.R. § 731, provided such individuals are not granted logical or physical access to classified information systems as defined in section 9(2) of the LOCK Act."
Sec. 3. Provisional Access Ceiling.
- (a) interim eligibility above the SECRET level shall automatically terminate at 23:59 (local) on the 60th day after initial access unless the full background investigation has been finally adjudicated.
- (b) a single 30-day extension may be granted once per individual by the head of the employing agency if —
- (1) operational necessity is certified in writing; and
- (2) the certification is transmitted within 7 calendar days to the House Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence.
- (c) consecutive or renewed provisional eligibilities are prohibited.
- (d) SURGE STAFFING. — during a national emergency declared under the National Emergencies Act or the Robert T. Stafford Disaster Relief and Emergency Assistance Act, the head of an agency may grant emergency interim eligibility not exceeding 72 hours, limited to information classified at SECRET and compartmented within a physically separate enclave; written notice of each grant shall be provided to the committees referred to in subsection (b)(2) within 24 hours.
Sec. 4. Tamper-Evident Audit Logs.
- (a) each Executive agency shall maintain an append-only, cryptographically verifiable log of —
- (1) each entry to a controlled facility housing classified material; and
- (2) each authenticated login to a classified information system.
- (b) the logging solution shall, at a minimum, implement the applicable controls in the Audit and Accountability (AU) family of NIST Special Publication 800-53, Revision 5 (or any successor revision) and follow the reference architecture set forth in NIST SP 1800-10, "Protecting Log Integrity," or any successor publication of equal or greater assurance.
- (c) continuous monitoring and risk scoring for such logs shall conform to NIST SP 800-137 (or any successor publication).
- (d) the Inspector General of the employing agency shall have continuous read-only access to the audit log; the Comptroller General of the United States shall receive copies or extracts upon written request under security procedures mutually agreed to by the Comptroller General and the agency.
Sec. 5. Limitation on Obligation of Funds.
- (a) no funds appropriated or otherwise made available by any Act may be obligated or expended to compensate, badge, grant logical or physical access to, or otherwise support any individual who —
- (1) is not enrolled in continuous vetting as required by section 2;
- (2) holds interim eligibility beyond the period authorized in section 3;
- (3) is not subject to the audit-logging regime mandated by section 4.
- (b) REMEDIATION SEQUENCE. —
- (1) within 30 calendar days after written notice of non-compliance from the Inspector General, the employing agency shall submit a corrective action plan to the Inspector General and to the Office of Management and Budget.
- (2) if the agency fails to implement the corrective action plan within 60 calendar days after such notice, the obligation or expenditure of funds described in subsection (a) shall be suspended.
- (3) if non-compliance persists 90 calendar days after the initial notice, the Director of the Office of Management and Budget shall impose such additional fiscal controls or reprogramming restrictions as the Director deems necessary until compliance is restored.
- (c) ADMINISTRATIVE LEAVE. — nothing in this section prohibits an agency from placing an individual on paid administrative leave, in a non-duty status without access to classified information, pending final adjudication or appeal of any personnel action.
- (d) COMPLIANCE IN CONTRACTS. — agencies shall incorporate into every contract exceeding the micro-purchase threshold (as defined in 41 U.S.C. § 1902) a clause requiring the contractor and all tiers of subcontractors to comply with sections 2 through 4; breach shall constitute a material failure subject to remedies under the Federal Acquisition Regulation.
Sec. 6. Small-Entity Phase-In.
- (a) an agency with fewer than 100 total cleared positions may, within 30 days of enactment, submit to the Director of the Office of Management and Budget a plan for phased compliance over a period not to exceed 24 months.
- (b) OMB shall approve or disapprove each plan within 30 days of receipt.
Sec. 7. GAO Oversight Review.
- (a) not later than 18 months after the effective date of this Act, the Comptroller General shall submit to the committees of jurisdiction a report assessing implementation costs, benefits, false-positive rates, and any operational impacts of this Act.
- (b) the Comptroller General shall submit subsequent reports every 2 years thereafter.
Sec. 8. Authorization of Appropriations.
- (a) there are authorized to be appropriated to carry out this Act $200,000,000 for fiscal year 2026, to remain available until expended.
- (b) the Secretary of Defense may credit amounts collected through the Defense Counterintelligence and Security Agency working-capital fund toward the authorization specified in subsection (a).
Sec. 9. Definitions.
- (a) "continuous vetting" has the meaning given in Security Executive Agent Directive 6, or any successor directive;
- (b) "logical or physical access" means any credential, badge, or network permission that allows unescorted entry to Federal facilities or information systems not open to the public;
- (c) "micro-purchase threshold" has the meaning set forth in 41 U.S.C. § 1902.
Sec. 10. Rule of Construction.
Nothing in this Act shall be construed to impair the President's constitutional authority to classify or declassify information. Nothing in this section shall be interpreted to waive or supersede the requirements of sections 2 through 5.
Sec. 11. Effective Date.
This Act and the amendments made by it take effect 180 days after the date of enactment.
Sec. 12. Severability.
If any provision of this Act, or the application thereof, is held invalid, the remainder of the Act and the application of the provision to other persons or circumstances shall not be affected.