Warner bill would require CISA to update 16 sector-specific cyber plans
The bill converts NSM-22's planning duty into a congressional calendar, while leaving the missed-deadline consequence undefined.
TL;DR
Sen. Mark Warner (D-VA) introduced the Combat Emerging Threats to Critical Infrastructure Act, which would give the Cybersecurity and Infrastructure Security Agency (CISA) nine months after enactment to update cybersecurity plans for all 16 critical infrastructure sectors and repeat the exercise every two years. Warner’s release, reported by Inside Cybersecurity, says some sector plans have gone more than a decade without updates. Sector Risk Management Agencies (SRMAs) would get the statutory clock; primes and state CISOs would get plans that must address AI-enhanced attacks, AI supply-chain vulnerabilities, deepfakes, robotics and quantum attacks on cryptography.
The first legislative attempt to operationalize National Security Memorandum 22 starts with a deadline. Inside Cybersecurity reports that the Combat Emerging Threats to Critical Infrastructure Act would require the Cybersecurity and Infrastructure Security Agency (CISA) to lead updates to cybersecurity plans for each of the 16 critical infrastructure sectors within nine months of enactment, then provide each plan to Congress within a month of completion. After that, CISA and the relevant Sector Risk Management Agencies (SRMAs) would have to repeat the update every two years.
The due date matters because NSM-22 already told the government to modernize critical infrastructure planning. The April 2024 memorandum made CISA the national coordinator for critical infrastructure security and resilience and reaffirmed the 16-sector model (https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/national-security-memorandum-critical-infrastructure-security-and-resilience). CISA has described the 2025 National Infrastructure Risk Management Plan as the successor to the 2013 National Infrastructure Protection Plan, with sector and cross-sector risk management at the center (https://www.cisa.gov/news-events/news/plan-protect-critical-infrastructure-21st-century-threats). Warner’s release says the sector-specific cadence has slipped for years, with some cybersecurity plans untouched for more than a decade.
That drift was visible before the AI language arrived. In 2023, the Government Accountability Office said CISA was updating guidance and templates for SRMAs, but had not set milestones and timelines to finish those efforts (https://www.gao.gov/assets/d23105806.pdf). Warner’s bill supplies the missing mechanics: dates, copies to Congress and a recurring plan cycle.
The threat list is deliberately current: AI-enhanced cyberattacks, AI supply-chain vulnerabilities, deepfakes, robotics and quantum-based attacks on cryptography. For practitioners, the useful output would be a plan that assigns dependencies, control priorities and escalation paths before sector failures cascade. That is where a planning mandate either becomes operational or becomes another binder with a newer date.
The hard gap is enforcement. Warner’s release describes a nine-month deadline, a biennial cadence and congressional notification, but it does not identify a penalty if CISA or an SRMA misses the deadline. The practical sanction is oversight, appropriations pressure and the political embarrassment of publicly aging plans the government has already said need updating.
Published · Deep Fathom