US SB3023

Grants limited civil and criminal liability protection to cloud storage vendors contractually retained by federal, state, or local law enforcement agencies to store child sexual abuse material as evidence for investigations and prosecutions

Requires approved vendors to meet cybersecurity standards including NIST Framework compliance, end-to-end encryption, annual independent security audits, and maintaining lists of employees with access to stored material

Mandates that stored evidence remain within the United States unless a contracting agency provides express consent for transfer abroad for investigative purposes

Requires vendors to file notification letters with the DOJ Criminal Division within 30 days of entering contracts and to notify authorities within 30 days if agencies breach contracts or fail payment

Preserves liability for vendors engaging in intentional misconduct, negligent conduct, actual malice, or reckless disregard, and preserves agencies' obligations to comply with constitutional requirements, court orders, and victim requests