This bill directs a coordinated federal initiative to examine how People’s Republic of China state‑sponsored cyber actors target United States critical infrastructure and to surface recommendations for detection, mitigation, and resilience. It singles out the actor labeled “Volt Typhoon” and requires both classified contingency assessments and public-facing summaries intended for owners, operators, and Congress.
Why it matters: the measure compels cross‑agency information sharing, creates a standing reporting cadence, and instructs agencies to produce sector‑specific analyses of operational, economic, and defense impacts—products that could change how regulators, operators, and defense planners prioritize cyber hardening and resource allocation.
At a Glance
What It Does
The Director of CISA leads a CISA–FBI‑centered interagency task force that must collect information from Federal departments and Sector Risk Management Agencies, analyze PRC state‑sponsored activity (including Volt Typhoon), and produce an initial classified report followed by annual reports for five years. Each report must include sector risk assessments, resource/authority gap analysis, and classified contingency scenarios describing effects on military mobility and economic/social disruption.
Who It Affects
Federal cyber and homeland security agencies (CISA, FBI, DOJ, SRMAs), members of the intelligence community who must supply classified inputs, critical infrastructure owners and operators who will be targeted for outreach, and Congressional oversight committees that receive classified briefings and public executive summaries.
Why It Matters
This law forces formal alignment across agencies on PRC targeting of critical infrastructure, institutionalizes a public/unclassified transparency channel for strategic findings, and creates classified analytic deliverables planners can use for wartime contingency planning—shifting both operational posture and industry engagement on priority vulnerabilities.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill sets a concrete organizational and reporting framework to convert disparate federal cyber work into a focused, product‑driven effort on PRC state‑sponsored threats to critical infrastructure. The Director of CISA chairs the interagency body and the FBI Director serves as vice chair; the statute expects agencies to populate the group with technical subject‑matter experts (digital forensics, threat intelligence, TTP familiarity) able to evaluate persistent access and intrusion techniques.
The task force may dovetail with existing efforts to avoid duplication, but the statute gives it explicit authorities to demand internal assessments and classified inputs from participating agencies.
Reporting is the bill’s center of gravity. The task force must deliver an initial comprehensive report and then annual updates for five years.
Those deliverables are structured: unclassified executive summaries will be published publicly on DHS’s website while the substantive judgments—about potential destruction, the United States’ ability to respond during a major crisis, effects on military mobility, and economic and social fallout—are classified. The reports must also identify gaps in authorities and resources and recommend steps for the Homeland Security Enterprise and private sector actors.To do its work the task force receives broad access: participating agencies must provide documents, analyses, audits, and other relevant information, but access is conditioned on appropriate security clearances and handling rules.
The statute also requires the task force to prepare a one‑time awareness campaign plan to link critical infrastructure owners and operators to federal security resources. Finally, the task force is temporary: it sunsets shortly after completing its final congressional briefing, and the statute carves out exemptions from the Federal Advisory Committee Act and the Paperwork Reduction Act to speed operations and limit formal procedural constraints.
The Five Things You Need to Know
The bill requires the task force to be stood up within 120 days of enactment.
The task force must deliver an initial report within 540 days of establishment and then annual reports for five years.
Reports must include classified contingency assessments of potential disruption to U.S. Armed Forces’ mobility (rail, aviation, ports) and the economic/social consequences of sector outages.
The task force is exempt from the Federal Advisory Committee Act and the Paperwork Reduction Act, and members must hold appropriate security clearances to access classified inputs.
Unclassified executive summaries of each report must be posted publicly on DHS’s website, but the substantive assessments and briefings to congressional committees are classified.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Task force structure, leadership, and membership standards
The Director of CISA chairs the new interagency body and the FBI Director is vice‑chair; relevant SRMAs, DOJ, and other agencies provide representatives. The statute expects those representatives to be technical subject‑matter experts (cybersecurity, digital forensics, threat intelligence, or knowledge of PRC TTPs), which raises the bar for staffing: agencies must send operationally experienced personnel able to handle classified threat analysis and translate findings into mitigation guidance for sectors.
Coordination with preexisting efforts to limit duplication
Rather than creating an isolated committee, the text authorizes the task force to coordinate with existing Homeland Security Enterprise or intelligence‑community bodies that have examined the PRC threat. That lets the task force inherit work products and access stakeholder networks, but it also requires deliberate deconfliction to avoid repeating classified reporting or creating inconsistent guidance across agencies.
Report cadence, classification handling, and public summaries
The statute prescribes a two‑tier deliverable model: classified core reports and unclassified executive summaries for public publication. The initial report deadline is fixed relative to the task force stand‑up, followed by annual reports for five years. Each report must balance detailed classified analyses (e.g., operational impact on military mobility, national economic effects) with an executive summary suitable for publication and industry awareness. The bill also mandates a classified briefing to the appropriate congressional committees within 30 days of each report.
Access to information and security requirements
Agencies named in the statute must furnish documents, assessments, audits, and other analyses to the task force, but only task force members holding appropriate clearances may receive classified materials. The bill therefore forces participating agencies to prioritize clearance adjudications and to establish handling protocols to move sensitive material into a cross‑agency analytic environment while complying with statutory protections for intelligence sources and methods.
Sunset and procedural exemptions
The task force terminates 60 days after its final congressional briefing, creating a finite window for sustained action unless Congress authorizes extension. The law exempts the group from FACA and the Paperwork Reduction Act, reducing administrative friction but also narrowing procedural transparency and external stakeholder participation that those statutes usually create.
Definitions and focus on ‘Volt Typhoon’
The statute codifies a range of operational definitions (assets, systems, SRMAs, etc.) and explicitly adopts CISA’s February 7, 2024 advisory label ‘Volt Typhoon’ as a statutory reference point. Naming a specific actor in statute is notable: it focuses analytic attention and reporting requirements on the tactics associated with that actor and any successor advisories called out in law.
This bill is one of many.
Codify tracks hundreds of bills on Infrastructure across all five countries.
Explore Infrastructure in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- CISA and SRMAs — gain statutory leadership, formal access to cross‑agency classified inputs, and a mandate to shape sector guidance and awareness campaigns, strengthening their convening and analytic role.
- Congressional defense and homeland committees — receive structured classified briefings and recurring analytic products that improve oversight and contingency planning for infrastructure threats.
- Department of Defense planners — obtain mandated assessments of how cyber operations could impair mobility across rail, aviation, and ports, useful for logistics and force‑projection planning.
- Critical infrastructure owners and operators (electric, transportation, telecom, water) — benefit from an unclassified executive summary and a one‑time federal awareness campaign plan linking them to DHS and SRMA resources and recommended mitigation steps.
- Intelligence and threat‑analysis units — the requirement to centralize TTP analysis creates opportunities to standardize indicators and operational playbooks that reduce analytic fragmentation.
Who Bears the Cost
- Federal agencies and SRMAs — must allocate staff with specialized clearances and devote classified analytic resources to support the task force, creating personnel and funding pressure without a designated appropriation in the text.
- Critical infrastructure operators — may receive outreach and recommended actions that they must implement, potentially incurring remediation and compliance costs, especially for smaller utilities and transit providers.
- State and local authorities — expected to coordinate with Federal efforts and may need to handle sensitive briefings or adopt federally recommended mitigations without added federal assistance.
- Congressional staff and oversight teams — must process recurring classified briefings and integrate findings into oversight, requiring security infrastructure and analytic capacity.
- DHS/CISA — operational burden to publish unclassified summaries while protecting classified sources and to run an industry awareness campaign, tasks that demand communications, legal, and technical resources.
Key Issues
The Core Tension
The bill pits the need for candid, classified assessments and rapid interagency action against the competing need to equip civilian infrastructure owners with usable, non‑classified guidance; safeguarding intelligence sources will limit what the private sector can learn, while releasing too much risks degrading intelligence—there is no single technical or policy fix that fully satisfies both imperatives.
The statute centralizes analysis and mandates the production of classified contingency reports, but it does so without specifying funding lines or new statutory authorities to compel private sector action. That creates an implementation gap: agencies may identify resource and authority shortfalls in their reports, but the statute does not itself grant new regulatory powers or appropriation authority to close those gaps.
Practically, the task force will depend on agency goodwill, interagency agreements, and reallocation of existing personnel and intelligence reporting streams.
Another practical tension arises from the bill’s classification posture. Major sections of required analysis are to remain classified (operational effects on military mobility; U.S. ability to counter threats in crisis).
That protects sources and methods but constrains what private‑sector operators can act on. The law attempts to mitigate this with unclassified executive summaries and a one‑time awareness plan, yet the utility of those public products will depend on how deftly the task force translates classified findings into actionable, declassified guidance without revealing sensitive details.
Finally, the exemptions from FACA and the PRA accelerate operations but reduce formal external stakeholder participation and paperwork constraints that sometimes enforce transparency and public input—shifting power inward to agencies and shrinking formal avenues for industry or civil society review.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.