Strengthening Cyber Resilience Against State-Sponsored Threats Act
- Bill Number
- H.R. 2659
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Science, Technology, Communications
- Status
- Passed House
- Latest Action
- 2025-11-18: Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
- Last Updated
- 2026-06-17T15:14:54Z
AI-Generated Summary
Purpose
The legislation aims to protect United States critical infrastructure—essential systems like energy, transportation, and water supply—from cyber threats by China's state-sponsored actors, such as the group known as Volt Typhoon. It creates a coordinated federal response through an interagency task force and requires detailed reports to Congress on these risks, ultimately strengthening the nation's cyber defenses.
Key Provisions
- Establishment of Interagency Task Force: Within 120 days of enactment, the Secretary of Homeland Security, through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), must form a task force. It includes representatives from CISA, the FBI, the Department of Justice, and other relevant federal agencies focused on critical infrastructure security (called Sector Risk Management Agencies). The CISA Director chairs it, with the FBI Director as vice chair.
- Task Force Composition and Role: Members must be experts in cybersecurity, digital forensics (investigating cyber incidents), or threat intelligence. The task force coordinates efforts to detect, analyze, and respond to cyber threats from China, aligning actions across agencies. It can collaborate with existing groups to avoid duplication.
- Reporting Requirements:
- An initial report due 540 days after establishment, followed by annual reports for five years.
- Reports assess sector-specific risks, trends in cyber incidents, tactics used by Chinese actors, resource needs, and potential disruptions to infrastructure during a crisis or conflict with China.
- Classified sections evaluate impacts on U.S. military operations (e.g., rail, aviation, ports), economic and social effects, and U.S. countermeasures.
- Recommendations for improving detection and mitigation, plus a one-time plan for an awareness campaign for infrastructure owners.
- Each report includes a classified briefing to Congress within 30 days; unclassified summaries are published on the Department of Homeland Security's website.
- Information Access and Operations: Agencies must share relevant data with the task force, handled securely with proper clearances. The task force is exempt from the Federal Advisory Committee Act (rules for federal advisory groups) and the Paperwork Reduction Act (rules limiting federal data collection) to enable efficient work.
- Termination: The task force ends 60 days after the final required briefing.
- Definitions: Key terms like "critical infrastructure" (vital assets for national security, economy, health, or safety), "cybersecurity threat" (actions harming information systems), and "Volt Typhoon" (a specific Chinese cyber group identified in a 2024 advisory) are defined for clarity.
Significant Changes to Existing Law
This act introduces new mandates without directly amending prior laws. It builds on existing frameworks like National Security Memorandum-22 (a 2024 policy on infrastructure security) by creating a dedicated task force focused on Chinese cyber actors. It also exempts the task force from procedural laws (FACA and Paperwork Reduction Act), allowing faster setup and operations than standard federal advisory bodies.
Potential Impacts
- On Government Agencies: Enhances coordination among DHS, FBI, DOJ, and sector agencies, potentially requiring more resources for analysis and reporting. It could improve threat response but add administrative burdens like briefings and data sharing.
- On Citizens: Indirectly benefits the public by bolstering defenses for everyday infrastructure (e.g., power grids, transportation), reducing risks of cyber disruptions that could affect daily life, economy, or safety. An awareness campaign may help private owners protect systems.
- On International Relations: Heightens U.S. focus on threats from China, potentially straining diplomatic ties by publicly addressing state-sponsored cyber activities. It may signal stronger U.S. resolve in cyber domains, influencing global norms on state cyber behavior.
Main Stakeholders Affected
- Federal Agencies: Primarily CISA (DHS), FBI, DOJ, and Sector Risk Management Agencies (e.g., those overseeing energy, finance, or transportation sectors).
- Congress: Receives reports and briefings, influencing oversight and future policy on cybersecurity.
- Critical Infrastructure Owners and Operators: Private companies and utilities managing essential systems; they gain from recommendations, awareness campaigns, and federal support.
- U.S. Military and Intelligence Community: Benefits from assessments on how cyber threats could hinder operations during conflicts.
- Broader Public and Economy: Affected by any prevented disruptions to vital services.
Notable Legal, Constitutional, or Political Implications
- Legal: Ensures secure handling of classified information under existing laws, with exemptions from FACA and Paperwork Reduction Act to prioritize speed over bureaucracy—potentially setting a precedent for urgent national security task forces. No new enforcement powers are granted, focusing instead on analysis and coordination.
- Constitutional: Aligns with Congress's authority over national security and commerce; no apparent conflicts with privacy or free speech rights, as it targets foreign state actors.
- Political: Underscores bipartisan concerns about Chinese cyber espionage, potentially fueling debates on U.S.-China relations and cyber policy. The public unclassified summaries promote transparency, while classified elements protect sensitive intelligence.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (4)
Rep. Green, Mark E. [R-TN-7], Rep. Lee, Laurel M. [R-FL-15], Rep. Moolenaar, John R. [R-MI-2], Rep. Garbarino, Andrew R. [R-NY-2]
Recent Actions
- 2025-11-18: Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
- 2025-11-17: Motion to reconsider laid on the table Agreed to without objection.
- 2025-11-17: On motion to suspend the rules and pass the bill Agreed to by the Yeas and Nays: (2/3 required): 402 - 8 (Roll no. 287). (text: CR H4682-4684) (Roll call 287)
- 2025-11-17: Passed/agreed to in House: On motion to suspend the rules and pass the bill Agreed to by the Yeas and Nays: (2/3 required): 402 - 8 (Roll no. 287). (text: CR H4682-4684) (Roll call 287)
- 2025-11-17: Considered as unfinished business. (consideration: CR H4692)
- 2025-11-17: At the conclusion of debate, the Yeas and Nays were demanded and ordered. Pursuant to the provisions of clause 8, rule XX, the Chair announced that further proceedings on the motion would be postponed.
- 2025-11-17: DEBATE - The House proceeded with forty minutes of debate on H.R. 2659.
- 2025-11-17: Considered under suspension of the rules. (consideration: CR H4682-4685)
- 2025-11-17: Mr. Garbarino moved to suspend the rules and pass the bill.
- 2025-08-15: Placed on the Union Calendar, Calendar No. 188.
- 2025-08-15: Reported by the Committee on Homeland Security. H. Rept. 119-230.
- 2025-08-15: Reported by the Committee on Homeland Security. H. Rept. 119-230.
- 2025-04-09: Ordered to be Reported by Voice Vote.
- 2025-04-09: Committee Consideration and Mark-up Session Held
- 2025-04-09: Subcommittee on Cybersecurity and Infrastructure Protection Discharged
Bill Versions
- Strengthening Cyber Resilience Against State-Sponsored Threats Act — issued 2025-11-17 — PDF (14 pages)
- Strengthening Cyber Resilience Against State-Sponsored Threats Act — issued 2025-04-07 — PDF (12 pages)
- Strengthening Cyber Resilience Against State-Sponsored Threats Act — issued 2025-11-18 — PDF (13 pages)
- Strengthening Cyber Resilience Against State-Sponsored Threats Act — issued 2025-08-15 — PDF (16 pages)