H.R. 5079
119th CONGRESS 1st Session
To reauthorize the Cybersecurity Act of 2015, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES · September 2, 2025 · Sponsor: Mr. Garbarino
Table of contents
SEC. 1. Short title
- This Act may be cited as the Widespread Information Management for the Welfare of Infrastructure and Government Act.
SEC. 2. Reauthorization of Cybersecurity Act of 2015
- (a) In general
- The Cybersecurity Act of 2015 (; enacted as division N of the Consolidated Appropriations Act, 2016; ) is amended— 6 U.S.C. 1501 et seq.; Public Law 114–113
- in section 102 (; relating to definitions)— 6 U.S.C. 1501
- by redesignating paragraphs (4), (5), (6), (7), (8), (9), (10), (11), (12), (13), (14), (15), (16), (17), and (18) as paragraphs (6), (7), (8), (9), (10), (11), (12), (13), (14), (15), (16), (17), (19), (20), and (21), respectively;
- (4) Artificial intelligence
- The term has the meaning given such term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 ().
artificial intelligence15 U.S.C. 9401
- The term has the meaning given such term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 ().
- (5) Critical infrastructure
- The term has the meaning given such term in section 1016(e) of ().
critical infrastructurePublic Law 107–56; 42 U.S.C. 5195c(e)
- The term has the meaning given such term in section 1016(e) of ().
- (4) Artificial intelligence
- by inserting after paragraph (3) the following new paragraphs:
- (18) Sector Risk Management Agency
- The term has the meaning given such term in section 2200 of the Homeland Security Act of 2002 ().
Sector Risk Management Agency6 U.S.C. 650
- The term has the meaning given such term in section 2200 of the Homeland Security Act of 2002 ().
- (18) Sector Risk Management Agency
- by inserting after paragraph (17), as so redesignated, the following new paragraph:
- by redesignating paragraphs (4), (5), (6), (7), (8), (9), (10), (11), (12), (13), (14), (15), (16), (17), and (18) as paragraphs (6), (7), (8), (9), (10), (11), (12), (13), (14), (15), (16), (17), (19), (20), and (21), respectively;
- in section 103 (; relating to sharing of information by the Federal Government)— 6 U.S.C. 1502
- in subsection (a), in the matter preceding paragraph (1), by striking
develop and issueand insertingdevelop, issue, and, as appropriate, update; - in subsection (b)—
- (i) in paragraph (1)—
- in the matter preceding subparagraph (A), by inserting after ;
- ensure the Federal Government maintains the capability to provide technical assistance, on a voluntary basis, to non-Federal entities in utilizing cyber threat indicators and defensive measures for cybersecurity purposes;
- by amending subparagraph (A) to read as follows:
- in subparagraph (E)(ii), by striking after the semicolon;
- in subparagraph (F), by striking the period and inserting
; and; and- pursuant to section 2212 of the Homeland Security Act of 2002 (), provide one-time read-ins, as appropriate, to select individuals identified by non-Federal entities that own or operate critical infrastructure; 6 U.S.C. 662
- by adding at the end the following new subparagraph:
- (ii) in paragraph (2)—
- by inserting after ; and
- in subsection (c)—
- (i) by inserting after ; and
- (ii) by inserting after ;
- in subsection (a), in the matter preceding paragraph (1), by striking
- in section 104 (; relating to authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats)— 6 U.S.C. 1503
- in subsection (c)—
- (i) in paragraph (1), by inserting after ;
- (ii) in paragraph (3)—
- in the matter preceding subparagraph (A), by striking
shall beand insertingmay be; - in subparagraph (A), by striking after the semicolon;
- in subparagraph (B), by striking the period and inserting ; and
- to preclude the use of artificial intelligence that is developed or strictly deployed for cybersecurity purposes in carrying out the activities authorized under paragraph (1).
- by adding at the end the following new subparagraph:
- (iii) in subparagraph (B) of subsection (d)(2), by inserting after ;
- in subsection (c)—
- in section 105 (); relating to sharing of cyber threat indicators and defensive measures with the Federal Government— 6 U.S.C. 1504
- in subsection (a)—
- (i) in paragraph (2), by adding at the end the following new sentences: ;
As appropriate, the Attorney General and the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, jointly update such policies and procedures, and issue and make publicly available such updated policies and procedures. Such updates shall prioritize rapid dissemination to State, local, Tribal, and territorial governments and owners and operators of non-Federal critical infrastructure of relevant and actionable cyber threat indicators and defensive measures. - (ii) in paragraph (3), in the matter preceding subparagraph (A), by striking
developed or issuedand insertingdeveloped, issued, or, as appropriate, updated,; and - (iii) in paragraph (4)—
- in subparagraph (A), by adding at the end the following new sentence: ; and
As appropriate, the Attorney General and the Secretary of Homeland Security shall jointly update and make publicly available such guidance to so assist entities and promote such sharing of cyber threat indicators and defensive measures with such Federal entities under this title. - in subparagraph (B), in the matter preceding clause (i), by inserting after ;
- (i) in paragraph (2), by adding at the end the following new sentences: ;
- in subsection (b)—
- (i) in paragraph (2)(B), by inserting after ; and
- (ii) in paragraph (3), in the matter preceding subparagraph (A), by inserting after ;
- in subsection (c)—
- (i) in paragraph (1)(D), by inserting before the semicolon;
- (ii) in paragraph (2), by adding at the end the following new subparagraph:
- (C) Outreach
- Not later than 90 days after the date of the enactment of this subparagraph, the Secretary of Homeland Security shall develop and continuously implement an outreach plan, including targeted engagement, to ensure Federal and non-Federal entities, particularly small or rural owners or operators of critical infrastructure which often lack dedicated cybersecurity staff but remain vital to national security—
- (i) are aware of the capability and process required by paragraph (1) to share cyber threat indicators and defensive measures, including the benefits real-time information sharing provides;
- (ii) understand how to share cyber threat indicators and defensive measures;
- (iii) understand the obligation to remove certain personal information in accordance with section 104(d)(7) prior to sharing a cyber threat indicator;
- (iv) understand how cyber threat indicators and defensive measures are received, processed, used, and protected;
- (v) understand the protections they are afforded in sharing any cyber threat indicators and defensive measures; and
- (vi) can provide feedback to the Secretary when policies, procedures, and guidelines that are unclear or unintentionally prohibitive to sharing cyber threat indicators and defensive measures.
- Not later than 90 days after the date of the enactment of this subparagraph, the Secretary of Homeland Security shall develop and continuously implement an outreach plan, including targeted engagement, to ensure Federal and non-Federal entities, particularly small or rural owners or operators of critical infrastructure which often lack dedicated cybersecurity staff but remain vital to national security—
- (C) Outreach
- (iii) by adding at the end the following new subparagraph:
- (D) Briefings on outreach
- The Secretary of Homeland Security shall annually provide to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a briefing on the implementation of outreach pursuant to subparagraph (B).
- (D) Briefings on outreach
- in subsection (d)—
- (i) in paragraph (1), by inserting before ; and
- (ii) in paragraph (5)(A),
- in clause (iv), by striking after the semicolon;
- in clause (v)(III), by striking the period and inserting ; and
- (vi) the purpose of rapidly providing other Federal entities, including Sector Risk Management Agencies, awareness of a cybersecurity threat that may impact the information systems of such Agencies.
- by adding at the end the following new clause:
- in subsection (a)—
- in section 108 (; relating to construction and preemption)— 6 U.S.C. 1507
- in subsection (c)—
- (i) in the matter preceding paragraph (1), by striking
shall beand insertingmay be; - (ii) in paragraph (2), by striking after the semicolon;
- (iii) in paragraph (3), by striking the period and inserting ; and
- (iv) by adding at the end the following new paragraph:
- to preclude the use of artificial intelligence that is developed or strictly deployed for cybersecurity purposes in carrying out activities authorized by this title.
- (i) in the matter preceding paragraph (1), by striking
- in subsection (f)—
- (i) in paragraph (3)—
- by inserting after ; and
- by striking after the semicolon;
- (ii) in paragraph (4), by striking the period and inserting ; and
- (iii) by adding at the end the following new paragraph:
- to limit or modify, notwithstanding any other provision of law, the authorization to share pursuant to section 104(c)(1) with Sector Risk Management Agencies described in such section.
- in subsection (c)—
- in section 109 (; relating to report on cybersecurity threats)— 6 U.S.C. 1508
- in subsection (a)—
- (i) by inserting after ;
- (ii) by inserting after ;
- (iii) by inserting before ;
- (iv) by inserting before ; and
- (v) by inserting after ; and
- in subsection (b)—
- (i) in paragraph (1), by inserting after ;
- (i) in paragraph (2), by inserting after ;
- (i) in paragraph (3), by inserting after each place it appears; and
- (i) in paragraph (4), by inserting after ; and
- in subsection (a)—
- in section 111(a) (, relating to effective period), by striking and inserting . 6 U.S.C. 1510(a)
- in section 102 (; relating to definitions)— 6 U.S.C. 1501
- The Cybersecurity Act of 2015 (; enacted as division N of the Consolidated Appropriations Act, 2016; ) is amended— 6 U.S.C. 1501 et seq.; Public Law 114–113
- (b) Conforming amendments
- Section 2200 of the Homeland Security Act of 2002 (; relating to definitions) is amended— 6 U.S.C. 650
- in paragraph (5)—
- in subparagraph (B), by inserting after ;
- in subparagraph (C), by inserting after ;
- in subparagraph (D), by inserting after ; and
- in subparagraph (F), by inserting after ;
- in paragraph (14), by amending subparagraph (B) to read as follows:
- includes, in accordance with section 104(d)(2) of the Cybersecurity Sharing Act of 2015 ()— 6 U.S.C. 1503(d)(2)
- (i) operational technology, including industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers;
- (ii) edge devices; and
- (iii) internet of things devices, including digital and physical infrastructure impacted by ransomware.
- includes, in accordance with section 104(d)(2) of the Cybersecurity Sharing Act of 2015 ()— 6 U.S.C. 1503(d)(2)
- in paragraph (25), by inserting after .
- in paragraph (5)—
- Section 2200 of the Homeland Security Act of 2002 (; relating to definitions) is amended— 6 U.S.C. 650