IndustrialCyber

Warner proposes bill to force CISA updates to critical infrastructure cybersecurity plans amid AI-driven threats


A U.S. Senator introduced a bill that would require the Cybersecurity and Infrastructure Security Agency (CISA) to update cybersecurity plans across all critical infrastructure sectors and assess emerging technology-driven risks. Titled ‘Combat Emerging Threats to Critical Infrastructure Act of 2026,’ the legislation comes amid growing concerns that advances in AI (artificial intelligence) could accelerate cyberattacks against essential services and critical infrastructure. Warner said the measure is intended to ensure that government, industry, regulators, and cybersecurity experts regularly refresh defensive plans to address increasingly sophisticated threats, including those enabled by AI.

Under legislation introduced by Sen. Mark Warner, a Virginia Democrat, CISA would update sector-specific cybersecurity plans within nine months, provide the revised plans to Congress, and conduct reviews every two years. The legislation would also require assessments of technology-facilitated risks across each critical infrastructure sector, including AI-enhanced cyberattacks, AI supply chain vulnerabilities, deepfakes, robotics-related threats, and quantum-enabled attacks on cryptography. Warner noted that many sector cybersecurity plans have not been updated for years, with some dating back more than a decade despite existing requirements for regular revisions. 

“As AI continues to rapidly evolve, we must ensure our cybersecurity defenses keep up with the threats of the moment,” Warner said in a media statement this week. “It’s critical that government works closely with industry, regulators, and cybersecurity experts to develop and regularly update the plans we need to protect our critical infrastructure from increasingly sophisticated malicious actors, including those enabled by AI.”

The Combat Emerging Threats to Critical Infrastructure Act of 2026 would require CISA, in coordination with the appropriate Sector Risk Management Agencies (SRMAs), to update cybersecurity plans for all 16 critical infrastructure sectors within nine months of enactment. The agency would also be required to notify Congress and provide copies of the updated plans within one month of completing each sector review. 

In addition, CISA would assess the risk profile of each critical infrastructure sector for technology-enabled threats, including AI-enhanced cyberattacks, AI supply chain vulnerabilities, deepfakes, robotics-related risks, and quantum-enabled attacks on cryptography. The legislation would further mandate that cybersecurity plans be reviewed and updated every two years, with corresponding congressional notifications. 

The National Electrical Manufacturers Association supports Warner’s bill.

“Manufacturing is a critical pillar of America’s economy, and the electroindustry provides the essential technologies that every other critical infrastructure sector is built upon,” Brian Papp, managing director of government relations at NEMA, said. “As cyber and supply chain threats continue to evolve, the Combat Emerging Threats to Critical Infrastructure Act will help ensure security plans remain current, strengthen operational resilience, and equip manufacturers to address emerging risks, protect critical operations, and bolster American competitiveness.”

Not later than one year after enactment, the legislation would require CISA to update sector-specific cybersecurity plans for all 16 U.S. critical infrastructure sectors identified in National Security Memorandum 22. The review would cover the chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors and materials, transportation systems, and water and wastewater sectors.

The legislation would require each sector-specific cybersecurity plan to incorporate risk management measures addressing threats enabled or amplified by emerging technologies, particularly artificial intelligence. These measures would cover attempts to compromise AI systems and their supply chains, including training data, software frameworks, computing environments, and other components used to develop, operate, or maintain AI systems within critical infrastructure environments. The plans would also address AI-enabled cyberattacks targeting critical infrastructure networks, as well as risks associated with cloud architectures, robotics, and zero-trust deployments.

In addition, the updated plans would examine evolving social engineering threats, including the use of digitally manipulated or AI-generated images, audio, video, and text. They would also address the role of interagency and public-private threat intelligence sharing in strengthening cyber resilience. For the financial services sector, the legislation would require CISA to coordinate with the Treasury Department to establish a process for identifying digital asset vulnerabilities and cryptographic risks arising from advances in quantum computing.

The bill requires the director to coordinate with all relevant Sector Risk Management Agencies when updating sector-specific plans. Within 30 days of completing those updates, the director must notify Congress and submit copies of each plan to key congressional oversight committees in both the Senate and House, including homeland security and intelligence committees. The director shall also inform Congress and provide a copy of the sector-specific plan for the defense industrial base sector to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives.

The bill also specifies that the CISA director shall inform Congress and provide a copy of the sector-specific plan for the Energy Sector to the Committee on Energy and Natural Resources of the Senate and the Committee on Energy and Commerce of the House of Representatives. The director shall inform Congress and provide a copy of the sector-specific plan for the Financial Services Sector to the Committee on Finance of the Senate and the Committee on Financial Services of the House of Representatives.

The director shall inform Congress and provide a copy of the sector-specific plan for the Food and Agriculture Sector to the Committee on Agriculture, Nutrition, and Forestry of the Senate, the Committee on Health, Education, Labor, and Pensions of the Senate, the Committee on Finance of the Senate, the Committee on Agriculture of the House of Representatives, the Committee on Energy and Commerce of the House of Representatives, and the Committee on Ways and Means of the House of Representatives.

The bill prescribed that the CISA director shall inform Congress and provide a copy of the sector-specific plan for the Government Services and Facilities Sector to the Committee on Environment and Public Works of the Senate, the Committee on Oversight and Government Reform of the House of Representatives, and the Committee on Transportation and Infrastructure of the House of Representatives.

The director shall also inform Congress and provide a copy of the sector-specific plan for the Healthcare and Public Health Sector to the Committee on Health, Education, Labor, and Pensions of the Senate, the Committee on Finance of the Senate, the Committee on Energy and Commerce of the House of Representatives, and the Committee on Ways and Means of the House of Representatives.

The director shall inform Congress and provide a copy of the sector-specific plan for the Transportation Systems Sector to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Transportation and Infrastructure of the House of Representatives. The CISA director shall inform Congress and provide a copy of the sector-specific plan for the Water and Wastewater Sector to the Committee on Environment and Public Works of the Senate and the Committee on Transportation and Infrastructure of the House of Representatives.

Earlier this week, Senator Warner moved to address growing concerns over weakening federal support for cybersecurity at the state and local level as cyber threats to critical infrastructure intensify and artificial intelligence lowers the barrier for more sophisticated attacks. His proposed legislation aims to restore and permanently fund the Multi-State Information Sharing and Analysis Center (MS-ISAC), a core cyber threat intelligence and incident response resource used by roughly 19,000 state, local, tribal, and territorial organizations.


