HR 5079
Widespread Information Management for the Welfare of Infrastructure and Government Act
Take action
Record your position on this measure.
Sign in to record your position, submit testimony, or contact your legislator.
Sign in to take action- Introduced
- Passed House
- Passed Senate
- To President
- Became Law
Bill overview
This bill, the Widespread Information Management for the Welfare of Infrastructure and Government Act, reauthorizes the Cybersecurity Act of 2015. It updates definitions related to artificial intelligence, critical infrastructure, and Sector Risk Management Agencies, and clarifies the sharing of cyber threat indicators between the Federal Government and non-Federal entities. Specifically, it expands the scope of information sharing to include operational technology and edge devices, and addresses the use of artificial intelligence in cybersecurity activities.
Key provisions
- Reauthorizes the Cybersecurity Act of 2015 and updates its definitions.
- Defines ‘artificial intelligence’ and ‘critical infrastructure’ for the purposes of the Cybersecurity Act.
- Clarifies the process for sharing cyber threat indicators between the Federal Government and non-Federal entities.
- Expands the types of information shared to include operational technology, edge devices, and IoT devices.
- Addresses the use of artificial intelligence in cybersecurity activities, prohibiting its use for certain purposes.
- Requires the Department of Homeland Security to develop an outreach plan to encourage participation in cyber threat information sharing.
- Mandates annual reporting to Congress on cybersecurity threats and activities.
- Extends the effective period of the Cybersecurity Act to 2035.
Who is affected
- Federal Government agencies
- Non-Federal critical infrastructure owners and operators
- Cybersecurity professionals
Sponsors
Official sponsors from legislative records.
Primary sponsor
Cosponsor
Arguments in favor
Reasons to support this legislation.
No arguments in favor have been submitted.
Submit yoursArguments opposed
Reasons to oppose this legislation.
No arguments opposed have been submitted.
Submit yoursRead the latest version inline or switch to a previous version.
119th CONGRESS — 1st Session
H. R. 5079
IN THE HOUSE OF REPRESENTATIVES
A BILL
To reauthorize the Cybersecurity Act of 2015, and for other purposes.
This Act may be cited as the Widespread Information Management for the Welfare of Infrastructure and Government Act
.
in section 102 (6 U.S.C. 1501; relating to definitions)—
by redesignating paragraphs (4), (5), (6), (7), (8), (9), (10), (11), (12), (13), (14), (15), (16), (17), and (18) as paragraphs (6), (7), (8), (9), (10), (11), (12), (13), (14), (15), (16), (17), (19), (20), and (21), respectively;
by inserting after paragraph (3) the following new paragraphs:
artificial intelligencehas the meaning given such term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401).
critical infrastructurehas the meaning given such term in section 1016(e) of Public Law 107–56 (42 U.S.C. 5195c(e)).
by inserting after paragraph (17), as so redesignated, the following new paragraph:
Sector Risk Management Agencyhas the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
in section 103 (6 U.S.C. 1502; relating to sharing of information by the Federal Government)—
in subsection (a), in the matter preceding paragraph (1), by striking develop and issue
and inserting develop, issue, and, as appropriate, update
;
in subsection (b)—
in paragraph (1)—
in the matter preceding subparagraph (A), by inserting and, as appropriate, updated,
after developed
;
by amending subparagraph (A) to read as follows:
in subparagraph (E)(ii), by striking and
after the semicolon;
in subparagraph (F), by striking the period and inserting ; and
; and
by adding at the end the following new subparagraph:
in paragraph (2)—
by inserting and, as appropriate, updating,
after developing
; and
by inserting and defensive measures
after promote the sharing of cyber threat indicators
; and
in subsection (c)—
by inserting and not later than 60 days after any update, as appropriate, of procedures required by subsection (a),
after Act,
; and
by inserting (or update, as appropriate)
after procedures
;
in subsection (c)—
in paragraph (1), by inserting , including Sector Risk Management Agencies that are agencies and the majority of the systems of which are not covered under subsection (d) or (e) of section 3553 of title 44, United States Code,
after Federal Government
;
in paragraph (3)—
in the matter preceding subparagraph (A), by striking shall be
and inserting may be
;
in subparagraph (A), by striking or
after the semicolon;
in subparagraph (B), by striking the period and inserting ; or
; and
by adding at the end the following new subparagraph:
in subparagraph (B) of subsection (d)(2), by inserting , which may utilize artificial intelligence that is developed or strictly deployed for cybersecurity purposes,
after technical capability
;
in section 105 (6 U.S.C. 1504); relating to sharing of cyber threat indicators and defensive measures with the Federal Government—
in subsection (a)—
in paragraph (2), by adding at the end the following new sentences: As appropriate, the Attorney General and the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, jointly update such policies and procedures, and issue and make publicly available such updated policies and procedures. Such updates shall prioritize rapid dissemination to State, local, Tribal, and territorial governments and owners and operators of non-Federal critical infrastructure of relevant and actionable cyber threat indicators and defensive measures.
;
in paragraph (3), in the matter preceding subparagraph (A), by striking developed or issued
and inserting developed, issued, or, as appropriate, updated,
; and
in paragraph (4)—
in subparagraph (A), by adding at the end the following new sentence: As appropriate, the Attorney General and the Secretary of Homeland Security shall jointly update and make publicly available such guidance to so assist entities and promote such sharing of cyber threat indicators and defensive measures with such Federal entities under this title.
; and
in subparagraph (B), in the matter preceding clause (i), by inserting and, as appropriate, updated,
after developed
;
in subsection (b)—
in paragraph (2)(B), by inserting , and, as appropriate, update,
after review
; and
in paragraph (3), in the matter preceding subparagraph (A), by inserting and, as appropriate, updated,
after required
;
in paragraph (1)(D), by inserting , including if such capability and process employs artificial intelligence
before the semicolon;
in paragraph (2), by adding at the end the following new subparagraph:
are aware of the capability and process required by paragraph (1) to share cyber threat indicators and defensive measures, including the benefits real-time information sharing provides;
understand how to share cyber threat indicators and defensive measures;
understand how cyber threat indicators and defensive measures are received, processed, used, and protected;
understand the protections they are afforded in sharing any cyber threat indicators and defensive measures; and
can provide feedback to the Secretary when policies, procedures, and guidelines that are unclear or unintentionally prohibitive to sharing cyber threat indicators and defensive measures.
by adding at the end the following new subparagraph:
in subsection (d)—
in paragraph (1), by inserting copyright or
before trade secret protection
; and
in paragraph (5)(A),
in clause (iv), by striking or
after the semicolon;
in clause (v)(III), by striking the period and inserting ; or
; and
by adding at the end the following new clause:
in subsection (c)—
in the matter preceding paragraph (1), by striking shall be
and inserting may be
;
in paragraph (2), by striking or
after the semicolon;
in paragraph (3), by striking the period and inserting ; or
; and
by adding at the end the following new paragraph:
in subsection (f)—
in paragraph (3)—
by inserting to share cyber threat indicators or defensive measures
after relationship
; and
by striking or
after the semicolon;
in paragraph (4), by striking the period and inserting ; or
; and
by adding at the end the following new paragraph:
in section 109 (6 U.S.C. 1508; relating to report on cybersecurity threats)—
in subsection (a)—
by inserting and not later than September 30 of every two years thereafter,
after Act,
;
by inserting the Secretary of Homeland Security and
after in coordination with
;
by inserting and the Committee on Homeland Security and Governmental Affairs
before of the Senate
;
by inserting and the Committee on Homeland Security
before of the House
; and
by inserting prepositioning activities, ransomware,
after attacks,
; and
in subsection (b)—
in paragraph (1), by inserting prepositioning activities, ransomware,
after attacks,
;
in paragraph (2), by inserting prepositioning activity, ransomware,
after attack,
;
in paragraph (3), by inserting prepositioning activities, ransomware,
after attacks,
each place it appears; and
in paragraph (4), by inserting prepositioning activities, ransomware,
after attacks,
; and
in section 111(a) (6 U.S.C. 1510(a), relating to effective period), by striking 2025
and inserting 2035
.
Section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650; relating to definitions) is amended—
in paragraph (5)—
in subparagraph (B), by inserting or compromising
after defeating
;
in subparagraph (C), by inserting including a security vulnerability affecting an information system or a technology included in the critical and emerging technologies list of the Office of Science and Technology Policy or successor list, such as artificial intelligence (as such term is defined in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401)), which may be in a Federal entity’s or non-Federal entity’s software or hardware supply chain,
after security vulnerability,
;
in subparagraph (D), by inserting or compromise
after defeat
; and
in subparagraph (F), by inserting or compromised
after exfiltrated
;
in paragraph (25), by inserting or compromise
after defeat
.