Sponsors (2)
The bill improves access to federal cyber threat information, training, and technical assistance—especially for small and rural critical infrastructure—and reduces legal uncertainty for AI defenses, but it also risks weakening mandatory sharing, raising privacy/exposure concerns, and increasing compliance burdens for small entities.
Non‑federal critical‑infrastructure owners and operators — including small, rural utilities and state/local governments — will get expanded federal support and clearer guidance: DHS and DOJ must update and publish policies, conduct outreach (including a 90‑day plan), provide voluntary technical assistance, and emphasize training to help these entities use cyber threat indicators and defensive best
Designated individuals at non‑Federal critical‑infrastructure organizations will be eligible for one‑time security read‑ins so they can access threat intelligence faster and more directly from federal sources.
Organizations can more confidently adopt AI tools for cybersecurity because the bill clarifies that AI developed or deployed for defensive cyber purposes is permissible, reducing legal uncertainty for entities using AI in their defenses.
Converting some previously mandatory information‑sharing or issuance duties into permissive authorities may reduce the consistency, timeliness, or reliability of interagency and federal‑to‑nonfederal cyber information sharing.
Providing one‑time read‑ins and encouraging broader AI use in cyber operations could increase the risk that sensitive data is exposed if vetting, access controls, or data‑handling processes are inadequate.
Expanding covered definitions (e.g., AI, IoT, OT, edge) and adding outreach, reporting, and program obligations could impose additional compliance costs and administrative burdens on small and rural entities.
Based on analysis of 2 sections of legislative text.
Updates the Cybersecurity Act to add AI and infrastructure definitions, expand voluntary federal cyber assistance, permit one‑time read‑ins for select critical‑infrastructure individuals, and revise info‑sharing rules.
Introduced September 2, 2025 by Andrew R. Garbarino · Last progress September 2, 2025
Amends the Cybersecurity Act of 2015 to add and reorganize definitions (including a definition for artificial intelligence and for critical infrastructure), broaden federal information‑sharing procedures, and expand federal authority to provide voluntary technical assistance and one‑time security read‑ins for selected individuals identified by non‑federal critical infrastructure owners/operators. It also directs the Attorney General and the Secretary of Homeland Security, with other federal leaders as appropriate, to update and publicly issue policies, procedures, and guidance to reflect these changes. The bill does not appropriate new funds or create new mandatory programs; it mainly revises authorities, clarifies permissible uses of AI for cybersecurity, and shifts some sharing language from mandatory to permissive while adding explicitly authorized activities and administrative duties for federal agencies.