Revises federal cybersecurity law to add and clarify definitions (including “artificial intelligence” and “Sector Risk Management Agency”), expand voluntary federal cyber-threat information sharing and technical assistance for critical infrastructure, and require DHS outreach and annual briefings to better include small, rural, and non‑Federal infrastructure owners and operators. The bill also makes the use of some authorities permissive where it was previously mandatory, adds SRMAs to rapid notification lists, prohibits certain uses of AI developed or deployed strictly for cybersecurity in specified activities, and updates the Homeland Security Act definition of SRMA to explicitly cover operational technology, edge devices, and IoT (including assets affected by ransomware). A 90-day deadline is set for DHS to develop an outreach plan, followed by annual briefings to two congressional committees.
The bill strengthens outreach, notification, and voluntary federal assistance to improve cyber-threat awareness and response for critical infrastructure, but it also makes some federal actions discretionary, limits certain AI uses, and raises compliance and resource costs for operators and agencies.
Owners and operators of critical infrastructure (especially small or rural ones) and federal, state, and local entities will receive more outreach, annual briefings, and clearer guidance for sharing cyber-threat indicators, improving situational awareness and speed of response to cyber incidents.
Agencies responsible for sector resilience (SRMAs) will be added to rapid-notification channels so threats to operational technology and IoT are communicated faster, improving response for utilities, hospitals, and state-level incident coordinators.
Non-federal operators (including small businesses and utilities) gain clearer, voluntary access to federal technical assistance and one-time 'read-ins', enabling them to use federal cyber defenses and information without triggering mandatory federal takeover.
State and local governments and critical infrastructure operators could receive less consistent federal support because some previously mandatory federal actions are changed from 'shall' to 'may', making assistance discretionary.
Utilities, hospitals, and state governments may be restricted from using AI tools developed or configured specifically for cybersecurity in some authorized activities, which could limit defenders' detection and response capabilities.
Small infrastructure owners and utilities may face higher compliance and reporting burdens because operational technology and IoT are explicitly included in expanded definitions, increasing costs for some small operators.
Introduced September 2, 2025 by Andrew R. Garbarino · Last progress September 2, 2025