Sponsors (2)
The bill aims to strengthen cyber threat detection and sharing—including by enabling AI and offering voluntary technical help to private infrastructure—but does so while adding agency discretion and permissive language that may reduce consistent federal support and raise privacy risks for individuals and smaller operators.
Non-Federal critical infrastructure owners and operators (e.g., utilities, energy companies, small businesses, rural community operators) will receive a one-time federal read-in and voluntary technical assistance to adopt and use cyber threat indicators, improving their threat awareness and response capabilities.
Owners/operators such as utilities and state governments can use AI in threat-sharing processes because the bill explicitly adds AI to relevant definitions and permits AI-enabled automated detection and sharing, enabling faster identification and dissemination of cyber threat indicators.
State and local governments and other non-Federal entities gain clearer federal guidance because DHS and DOJ must update and publish policies, outreach plans, and brief Congress, increasing transparency and practical guidance for using shared threat information.
Utilities, energy companies, and small businesses may receive less timely or complete threat information because agencies are given discretion to limit sharing and to preclude AI use in some cybersecurity activities, reducing the flow of actionable intelligence to private operators.
Small businesses and rural community operators risk inconsistent or reduced federal assistance and guidance because mandatory duties are replaced by permissive language, potentially leaving less-resourced entities without needed support.
Individuals and local governments face increased privacy and data-protection risks because expanding AI use in threat-sharing could lead to personal data being shared if safeguards and robust de-identification aren't enforced.
Based on analysis of 2 sections of legislative text.
Updates the Cybersecurity Act to add AI and infrastructure definitions, expand federal cyber information-sharing and assistance, narrow when AI can be precluded, and require joint public policy updates.
Introduced September 2, 2025 by Andrew R. Garbarino · Last progress September 2, 2025
Amends the Cybersecurity Act of 2015 to add definitions (including "artificial intelligence" and a reference to critical infrastructure), broaden and make ongoing the federal duty to develop and update cyber information-sharing guidance, add a mechanism for one-time "read-ins" for select non-federal individuals identified by critical infrastructure owners/operators, and require the Attorney General and the Secretary of Homeland Security to jointly update and publicly release implementing policies and procedures. The changes also convert some previously mandatory language to permissive language and add limits on when AI use may be precluded for authorized cybersecurity activities.