Codify — Article

House bill reauthorizes Cybersecurity Act, adds AI, SRMA access, and outreach duties

Modernizes information-sharing and reporting for critical infrastructure, inserts AI and OT/IoT language, and imposes new outreach and briefing duties on DHS and DOJ.

The Brief

This bill reauthorizes the Cybersecurity Act of 2015 through 2035 and rewrites several core definitions and authorities to reflect current threats: it adds an AI definition, adopts explicit references to operational technology and internet-of-things devices, and names Sector Risk Management Agencies (SRMAs) in the Act. The measure directs agencies to update and publish information-sharing policies, prioritize rapid dissemination to State, local, Tribal, territorial (SLTT) governments and non‑Federal critical infrastructure, and requires DHS and DOJ to carry out targeted outreach and regular briefings.

Practically, the bill broadens who can receive technical assistance and classified “read‑ins,” tightens language around supply‑chain and ransomware threats, and creates a series of deadlines and deliverables (published updates, a 90‑day outreach plan, annual briefings, and 60‑day committee notifications). It also introduces conflicting language on whether AI tools may be used in executing information‑sharing authorizations—an implementation issue that will matter to agencies and private-sector partners alike.

At a Glance

What It Does

Reauthorizes the Cybersecurity Act of 2015 until 2035 and amends definitions and sharing authorities to include artificial intelligence, operational technology, IoT, and SRMAs. It requires DHS and DOJ to update and publish policies, provide voluntary technical assistance and one‑time read‑ins to select critical‑infrastructure personnel, and conduct directed outreach to small or rural infrastructure owners.

Who It Affects

Federal agencies (DHS, DOJ, Sector Risk Management Agencies), SLTT governments, owners/operators of critical infrastructure (including small/rural utilities and industrial control systems), cybersecurity vendors and managed service providers, and congressional oversight committees that will receive new briefings and notifications.

Why It Matters

The bill modernizes statutory language to cover AI, supply‑chain compromise, ransomware, OT and IoT—areas where the original 2015 statute is thin. It shifts emphasis from optional sharing to proactive dissemination to critical infrastructure and imposes concrete outreach and transparency tasks on DHS and DOJ, changing how threat indicators and defensive measures move between government and non‑Federal entities.


What This Bill Actually Does

The bill is structured around updating the 2015 statute so it reads like a 2025 cybersecurity law. At the top, it inserts an explicit definition of “artificial intelligence” by cross‑reference to the National AI Initiative Act and adds the statutory terms “critical infrastructure” and “Sector Risk Management Agency” so downstream authorities expressly apply to those actors.

That creates a legal hook to share information with SRMAs and to frame outreach to infrastructure owners.

On information sharing, the bill changes the duty from merely developing guidance to updating it as threats evolve, and it directs agencies to publish those updates. It requires the Federal Government to maintain the capability to provide voluntary technical assistance on using threat indicators and defensive measures and explicitly authorizes one‑time “read‑ins”: briefings that can grant selected non‑Federal infrastructure personnel access to classified threat information under Homeland Security Act read‑in authorities.

The text also strengthens language forcing DHS and DOJ to prioritize rapid dissemination of actionable indicators to SLTT governments and non‑Federal critical infrastructure.

The bill adds operational and operational‑technology specificity: definitions and reporting provisions now call out industrial control systems, edge devices, and IoT devices and tie supply‑chain vulnerabilities (including those affecting AI components) to the statutory risk frame. Reporting obligations are broadened to require a biennial threat report, due to Congress not later than September 30 every two years, that explicitly discusses ransomware and prepositioning activities (i.e., adversary actions to stage capabilities inside networks before an attack).

On outreach and governance, DHS must produce and continuously execute an outreach plan (with a 90‑day development clock in the statute) targeted at smaller and rural infrastructure owners that often lack dedicated cybersecurity staff.

DHS must also brief relevant congressional committees annually about that outreach. Finally, the bill extends the effective authorization period in section 111(a) to 2035, keeping the statute in force for another decade.

A key drafting tension runs through several provisions: one clause permissively allows use of AI for defensive technical capabilities, while other new clauses explicitly state that the statute’s authorized activities should not be carried out using AI that is “developed or strictly deployed for cybersecurity purposes.” That internal inconsistency will be a focal point in rulemaking and interagency guidance.

The Five Things You Need to Know

1. The bill mandates that DHS and DOJ jointly update and publicly post relevant information‑sharing policies and prioritize rapid dissemination of actionable indicators to SLTT governments and non‑Federal critical infrastructure.

2. DHS must develop and continuously implement an outreach plan within 90 days of enactment aimed at small and rural critical infrastructure owners and include specific educational and feedback components.

3. The statute authorizes one‑time classified read‑ins to select critical‑infrastructure individuals under section 2212 of the Homeland Security Act to facilitate faster sharing of sensitive threat information.

4. The bill adds explicit statutory language bringing operational technology, edge devices, and internet‑of‑things devices (including those impacted by ransomware) into the Act’s risk and sharing framework.

5. Several provisions create conflicting AI rules: one amendment allows technical capabilities that may utilize AI, while two separate inserts expressly preclude use of AI developed or strictly deployed for cybersecurity in carrying out authorized activities.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 102 (Definitions)

Adds AI, critical infrastructure, and SRMA definitions

This section inserts a cross‑reference definition for “artificial intelligence” (pointing to the National AI Initiative Act) and adds a statutory definition of “critical infrastructure” and “Sector Risk Management Agency.” Practically, those insertions make it explicit that later sharing authorities and protections apply to AI‑related incidents, supply‑chain compromises involving AI components, and SRMAs—opening a route for SRMAs to receive threat information that previously sat ambiguously outside the 2015 text.

Section 103 (Federal information-sharing duties)

Requires updated procedures, technical assistance, and committee notifications

The bill changes the plain duty of agencies from issuing guidance to developing, issuing, and updating procedures as threats evolve. It adds an affirmative Federal capability: agencies must be able to provide voluntary technical assistance to non‑Federal entities using threat indicators and defensive measures. It also requires a notification window—committee notification not later than 60 days after any procedural update—so Congress is specifically kept abreast of changes to how sharing will occur.

Section 104 (Authorizations for cybersecurity activities)

Expands who may receive assistance but inserts contradictory AI limits

Amendments allow Sector Risk Management Agencies to be treated as recipients of authorized assistance and clarify that authorizations can cover entities whose systems are not otherwise governed by certain Federal information‑security standards. However, the text inserts a new paragraph that both permits technical capabilities that “may utilize” AI and separately adds a prohibition that precludes use of AI “developed or strictly deployed for cybersecurity purposes” in carrying out authorized activities, creating an internal tension about whether AI tools can be used for detection, analysis, or mitigation under these authorities.

Section 105 (Sharing with the Federal Government)

Joint DOJ/DHS updates, prioritization, outreach, and briefings

This section requires the Attorney General and the Secretary of Homeland Security to jointly update and publish policies for sharing indicators and defensive measures, with a statutory instruction to prioritize rapid dissemination to SLTT governments and critical infrastructure operators. It also mandates a 90‑day outreach plan targeted at small and rural infrastructure owners, spells out outreach content (how to share, privacy protections, PII removal, how indicators are used), and requires annual briefings to specified congressional committees on outreach implementation.

Section 108 (Construction and preemption)

Limits on preemption and explicit SRMA sharing carve‑outs

The bill narrows the preemption sweep by making certain preclusion decisions discretionary and adding language that could be read to forbid AI use under some authorized activities. It also amends the preemption clause to explicitly allow sharing relationships that include SRMAs, while later adding an exception allowing limits on sharing with SRMAs notwithstanding other laws—introducing a possible patchwork where SRMAs may receive different access depending on later policy choices.

Sections 109 and 111; Conforming amendments to Homeland Security Act (Section 2200)

Expanded reporting and a long‑term reauthorization; supply chain and OT/IoT clarity

The bill expands the cybersecurity threat report to cover ransomware and adversary prepositioning activities and requires the report on a biennial cadence (not later than September 30 every two years). It extends the Cybersecurity Act’s effective period to 2035. Conforming edits to the Homeland Security Act add supply‑chain compromise language and explicitly name industrial control systems, edge devices, and IoT devices in the risk framework—bringing operational technology and IoT into the statutory core for reporting and sharing.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Small and rural critical‑infrastructure operators — the outreach plan and prioritized, rapid dissemination aim to give utilities and local operators actionable indicators and guidance tailored to organizations that lack dedicated cybersecurity staff.
  • Sector Risk Management Agencies (SRMAs) — the bill explicitly names SRMAs in the statute and creates mechanisms (sharing, awareness) for them to receive threat information and situational awareness.
  • State, local, Tribal, and territorial (SLTT) governments — statutory prioritization and publication duties increase the chance SLTT partners get timely, actionable threat information and technical assistance.
  • DHS and DOJ — clearer statutory duties to publish guidance, perform outreach, and provide technical assistance centralize roles and increase authority to coordinate threat dissemination and briefings to Congress.

Who Bears the Cost

  • Small critical‑infrastructure owners and operators — while outreach focuses on them, they will bear operational costs to ingest, act on, and protect received indicators, and may need to invest in basic security hygiene to utilize shared defensive measures.
  • Private companies and cybersecurity vendors — expectations around PII removal, processing, and potential read‑ins increase handling complexity and may raise legal and compliance costs for organizations sharing or receiving indicators.
  • DHS (and to some degree DOJ) — new statutory deadlines, continuous outreach, annual briefings, and enhanced assistance duties create programmatic and personnel costs; the statute does not appropriate funds, so implementation may strain existing budgets.
  • Sector Risk Management Agencies — SRMAs receiving additional data will need resources and technical capacity to consume, analyze, and act on indicators, or risk becoming bottlenecks or single points of failure.

Key Issues

The Core Tension

The central dilemma is speed versus control: the bill pushes for faster, broader dissemination of threat indicators to protect fragile critical infrastructure, but it simultaneously adds constraints and ambiguous limits—especially around AI use, privacy protections, and discretionary limits on SRMA sharing—forcing agencies to choose between rapid, potentially automated responses and cautious, controlled sharing that reduces risk but may slow defensive action.

The bill tightens and modernizes statutory language in useful ways but leaves key implementation questions unresolved. Most obviously, the text simultaneously permits technical capabilities that “may utilize artificial intelligence” and inserts explicit prohibitions against using AI “developed or strictly deployed for cybersecurity purposes” to carry out authorized activities.

That drafting creates legal uncertainty: agencies and private partners will need to reconcile whether AI‑assisted detection/analysis is permissible, and how that use interacts with classified read‑ins and privacy protections. The statute punts that reconciliation to subsequent policy and implementation guidance, where it could produce either narrow interpretations that limit useful automation or permissive guidance that triggers privacy and reliability concerns.

Another tension arises from expanding sharing to SRMAs and prioritizing rapid dissemination while also preserving trade‑secret and privacy protections and enabling agencies to limit or modify sharing “notwithstanding any other provision of law.” The result could be a two‑track system: rapid push to some non‑Federal operators accompanied by ad hoc limits or withheld flows to others, increasing fragmentation and uncertainty about who receives what and when. Finally, the bill requires significant outreach and continuous engagement with small/rural stakeholders without providing funding language; execution will depend on agency prioritization and appropriations, and absent resources the statutory outreach risks being an unfunded mandate with inconsistent reach.
