Lawmaker proposes overhaul of critical infrastructure cyber plans as AI threats rise
Vice Chairman of the Senate Intelligence Committee Sen. Mark Warner (D-VA) speaks to members of the media after participating in a hearing on worldwide threats in the Hart Senate Office Building on March 18, 2026 in Washington, DC. Kevin Dietsch/Getty Images
The measure would require CISA to refresh long-outdated sector cybersecurity plans as lawmakers warn that advanced AI tools could accelerate the discovery and exploitation of software flaws.
Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., is introducing legislation Wednesday requiring the Cybersecurity and Infrastructure Security Agency to update cybersecurity plans for each of the nation’s 16 critical infrastructure sectors, citing concerns that fast-evolving artificial intelligence tools will accelerate threats to essential services.
The Combat Emerging Threats to Critical Infrastructure Act, first shared with Nextgov/FCW, would direct CISA to work with federal sector risk management agencies to update sector-specific plans within one year of enactment. It would also require CISA to reassess those plans every two years, issue revised versions and send copies to Congress after completion.
“As AI continues to rapidly evolve, we must ensure our cybersecurity defenses keep up with the threats of the moment,” Warner said in a prepared statement. “It’s critical that government works closely with industry, regulators and cybersecurity experts to develop and regularly update the plans we need to protect our critical infrastructure from increasingly sophisticated malicious actors, including those enabled by AI.”
The sector plans serve as the government’s basic playbook for managing cyber and physical risks across major parts of the economy.
In 2024, National Security Memorandum 22 reaffirmed CISA’s role as the national coordinator for critical infrastructure security and resilience, and it called for sector-specific plans to be updated on a biennial basis. But that cadence hasn’t been consistently maintained, and some sector cybersecurity plans have not been updated in more than a decade, Warner’s office said.
CISA did not immediately respond to a request for comment about the legislation.
The measure comes as officials grapple with how advanced AI systems could reshape cyber defense and offense. Anthropic’s Claude Mythos, a powerful cybersecurity-focused AI model, has become a leading example in Washington of how such tools could change the threat landscape.
The bill would also require the updated plans to account for threats like AI-enabled hacking and deepfakes. Another provision focused on financial services would require CISA to work with the Treasury Department on a process for assessing whether future quantum computers could undermine encryption used to protect digital assets.
The legislation covers key sectors like energy, communications, transportation and the defense industrial base. CISA would have to send the updated plans to relevant congressional committees within 30 days of completing them.
The measure is backed by the National Electrical Manufacturers Association.
“Manufacturing is a critical pillar of America’s economy, and the electroindustry provides the essential technologies that every other critical infrastructure sector is built upon,” said Brian Papp, managing director of government relations at NEMA. “As cyber and supply chain threats continue to evolve, the Combat Emerging Threats to Critical Infrastructure Act will help ensure security plans remain current, strengthen operational resilience, and equip manufacturers to address emerging risks, protect critical operations, and bolster American competitiveness.”
CISA is expected to release a binding operational directive Wednesday that would task agencies with rethinking how they manage risks to federal networks by prioritizing vulnerabilities that demand the most urgent attention, a shift informed in part by AI-enabled cyber threats.