Section 1. Short title
This Act may be cited as the Combat Emerging Threats to Critical Infrastructure Act of 2026.
Section 2. Definitions
In this Act:
(1) Artificial intelligence
The term artificial intelligence has the meaning given that term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401).
(2) Digital asset
The term digital asset has the meaning given that term in section 2 of the GENIUS Act (12 U.S.C. 5901).
(3) Director
The term Director means the Director of the Cybersecurity and Infrastructure Security Agency.
(4) National Security Memorandum 22
The term National Security Memorandum 22 means the National Security Memorandum on Critical Infrastructure and Resilience (NSM–22), issued April 30, 2024.
(5) Sector Risk Management Agency
The term Sector Risk Management Agency has the meaning given that term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
(a) Update of sector-Specific plans
Not later than 1 year after the date of enactment of this Act, the Director shall update the sector-specific plans for—
(1) the Chemical Sector, as that term is used in National Security Memorandum 22;
(2) the Commercial Facilities Sector, as that term is used in National Security Memorandum 22;
(3) the Communications Sector, as that term is used in National Security Memorandum 22;
(4) the Critical Manufacturing Sector, as that term is used in National Security Memorandum 22;
(5) the Dams Sector, as that term is used in National Security Memorandum 22;
(6) the Defense Industrial Base Sector, as that term is used in National Security Memorandum 22;
(7) the Emergency Services Sector, as that term is used in National Security Memorandum 22;
(8) the Energy Sector, as that term is used in National Security Memorandum 22;
(9) the Financial Services Sector, as that term is used in National Security Memorandum 22;
(10) the Food and Agriculture Sector, as that term is used in National Security Memorandum 22;
(11) the Government Services and Facilities Sector, as that term is used in National Security Memorandum 22;
(12) the Healthcare and Public Health Sector, as that term is used in National Security Memorandum 22;
(13) the Information Technology Sector, as that term is used in National Security Memorandum 22;
(14) the Nuclear Reactors, Materials, and Waste Sector, as that term is used in National Security Memorandum 22;
(15) the Transportation Systems Sector, as that term is used in National Security Memorandum 22; and
(16) the Water and Wastewater Sector, as that term is used in National Security Memorandum 22.
(b) Technology-Facilitated threats
In carrying out subsection (a)—
(1) each sector-specific plan shall incorporate sector-specific risk management practices to address risks exacerbated or facilitated by disruptive technologies, such as artificial intelligence, including—
(A) malicious activity, sabotage, or efforts to otherwise clandestinely degrade artificial intelligence systems or the supply chain of an artificial intelligence system, including training or test data, frameworks or software libraries, training or inference computing environments, or other components necessary for the training, management, or maintenance of an artificial intelligence system used by an owner or operator of critical infrastructure;
(B) malicious activity leveraging artificial intelligence capabilities for computer network exploitation campaigns directed at the networks of owners and operators of critical infrastructure;
(C) risks and mitigations associated with the deployment of cloud-based architecture, robotics, and zero trust principles (as defined in NIST Special Publication 800–207 or any successor publication);
(D) evolving risks associated with social engineering techniques and digitally manipulated or digitally generated images, audio, video, or text documents; and
(E) interagency and public-private information and threat intelligence sharing functions dependent on the organization, funding, and expertise of agencies (as defined in section 4101 of title 5, United States Code); and
(2) with respect to the sector-specific plan for the Financial Services Sector pursuant to subsection (a)(9), the Director shall coordinate with the Secretary of the Treasury to develop a process to determine digital asset vulnerabilities relating to cryptographic risks resulting from quantum computing.
(c) Interagency coordination
In carrying out subsection (a), the Director shall coordinate with each relevant designated Sector Risk Management Agency.
(d) Reports to Congress
Not later than 30 days after the date on which the Director completes the update of the sector-specific plans required under subsection (a), the Director shall—
(1) inform and provide a copy of each sector-specific plan to—
(A) the Committee on Homeland Security and Governmental Affairs of the Senate;
(B) the Select Committee on Intelligence of the Senate;
(C) the Committee on Homeland Security of the House of Representatives; and
(D) the Permanent Select Committee on Intelligence of the House of Representatives;
(2) inform and provide a copy of the sector-specific plan for the Defense Industrial Base Sector updated pursuant to subsection (a)(6) to—
(A) the Committee on Armed Services of the Senate; and
(B) the Committee on Armed Services of the House of Representatives;
(3) inform and provide a copy of the sector-specific plan for the Energy Sector updated pursuant to subsection (a)(8) to—
(A) the Committee on Energy and Natural Resources of the Senate; and
(B) the Committee on Energy and Commerce of the House of Representatives;
(4) inform and provide a copy of the sector-specific plan for the Financial Services Sector updated pursuant to subsection (a)(9) to—
(A) the Committee on Finance of the Senate; and
(B) the Committee on Financial Services of the House of Representatives;
(5) inform and provide a copy of the sector-specific plan for the Food and Agriculture Sector updated pursuant to subsection (a)(10) to—
(A) the Committee on Agriculture, Nutrition, and Forestry of the Senate;
(B) the Committee on Health, Education, Labor, and Pensions of the Senate;
(C) the Committee on Finance of the Senate;
(D) the Committee on Agriculture of the House of Representatives;
(E) the Committee on Energy and Commerce of the House of Representatives; and
(F) the Committee on Ways and Means of the House of Representatives;
(6) inform and provide a copy of the sector-specific plan for the Government Services and Facilities Sector updated pursuant to subsection (a)(11) to—
(A) the Committee on Environment and Public Works of the Senate;
(B) the Committee on Oversight and Government Reform of the House of Representatives; and
(C) the Committee on Transportation and Infrastructure of the House of Representatives;
(7) inform and provide a copy of the sector-specific plan for the Healthcare and Public Health Sector updated pursuant to subsection (a)(12) to—
(A) the Committee on Health, Education, Labor, and Pensions of the Senate;
(B) the Committee on Finance of the Senate;
(C) the Committee on Energy and Commerce of the House of Representatives; and
(D) the Committee on Ways and Means of the House of Representatives;
(8) inform and provide a copy of the sector-specific plan for the Transportation Systems Sector updated pursuant to subsection (a)(15) to—
(A) the Committee on Commerce, Science, and Transportation of the Senate; and
(B) the Committee on Transportation and Infrastructure of the House of Representatives; and
(9) inform and provide a copy of the sector-specific plan for the Water and Wastewater Sector updated pursuant to subsection (a)(16) to—
(A) the Committee on Environment and Public Works of the Senate; and
(B) the Committee on Transportation and Infrastructure of the House of Representatives.
(a) In general
Not later than 2 years after the date on which the Director completes the update of the sector-specific plans required under section 3(a), and not less frequently than once every 2 years thereafter, the Director shall—
(1) conduct a reassessment of each sector-specific plan; and
(2) issue revised sector-specific plans.
(b) Notification to Congress
Not later than 30 days after the date on which the Director completes each update of the sector-specific plans required under subsection (a), the Director shall inform and provide copies of each sector-specific plan to the relevant committees of Congress in the manner prescribed under section 3(d).