*Sector cybersecurity plans are the upstream documents that shape what contractors eventually have to do. A new bill would force them to be rewritten for AI, deepfakes, and quantum — starting with a nine-month clock.*
On June 12, 2026, Sen. Mark Warner (D-Va.) introduced the Combat Emerging Threats to Critical Infrastructure Act of 2026, which would require CISA to refresh the cybersecurity plans for all 16 critical infrastructure sectors — defense industrial base included — and to assess a new generation of technology-driven risks. For government contractors, this is not yet a compliance obligation. It is a legislative signal worth tracking, because sector-specific plans are where federal agencies articulate the threats and expectations that later harden into contract clauses, agency guidance, and flow-downs. Warner's framing is that many of these plans are stale — some untouched for more than a decade despite requirements to revise them regularly.
What the Bill Would Require
The legislation would direct CISA, coordinating with the relevant Sector Risk Management Agencies, to update sector-specific cybersecurity plans for all 16 sectors identified under National Security Memorandum 22 within nine months of enactment, notify Congress within 30 days of each sector review, and refresh the plans every two years thereafter. Critically for this audience, the bill calls out the defense industrial base sector by name and would route its updated plan to the Senate and House Armed Services Committees.
The substance is where the bill earns its title. Each plan would have to incorporate risk-management measures for threats "enabled or amplified by emerging technologies" — explicitly: AI-enhanced cyberattacks, compromise of AI systems and their supply chains (training data, software frameworks, computing environments), deepfakes and AI-generated social-engineering content, robotics-related risks, and quantum-enabled attacks on cryptography. For the financial services sector, it would have CISA coordinate with Treasury on digital-asset and post-quantum cryptographic risks.
Why Contractors Should Care About a Sector Plan
It is tempting to treat sector plans as Washington paperwork. That underrates how the federal cyber pipeline works. Sector-specific plans define the risk picture an agency is trying to manage; that picture drives agency guidance and acquisition policy; and acquisition policy is what ultimately appears in your solicitations and your subcontracts. A defense-industrial-base plan rewritten around AI supply-chain integrity and post-quantum readiness is a reasonable leading indicator of the cyber requirements DoD will expect of its suppliers in the next contracting cycle.
There is also an industry tell here: the National Electrical Manufacturers Association has endorsed the bill, arguing current plans need to stay aligned with evolving cyber and supply-chain threats. When manufacturers who sit inside the defense and critical-manufacturing base back a measure like this, it suggests the direction of travel is broadly accepted, not contested.
Keep It in Perspective
This is a newly introduced bill, not a law. It has not passed either chamber, the nine-month and two-year clocks would run only from enactment, and its scope could change significantly in committee. Nothing in it changes a contractor's obligations today. The right posture is awareness, not action: do not stand up an "AI supply chain" compliance program because a senator filed a bill. But do read the bill as a map of where federal cyber expectations are pointed — toward AI assurance, cryptographic agility, and supply-chain provenance — and let that inform the questions you ask about your own roadmap.
What to Watch
Track whether the bill picks up co-sponsors or gets folded into a larger vehicle such as the NDAA, where defense-industrial-base provisions often ride. Watch for any companion House measure and for committee markups. And if your work touches AI systems, robotics, or cryptography-dependent products, note that the themes in this bill echo across other 2026 federal cyber activity — from CISA directives to acquisition guidance — described on our federal requirements and enforcement pages.
Key Takeaways
- The Combat Emerging Threats to Critical Infrastructure Act of 2026 (introduced June 12) would require CISA to update all 16 sector cybersecurity plans within nine months and every two years after, with the defense-industrial-base plan reported to the Armed Services Committees.
- The plans would have to address AI-enabled attacks, AI supply-chain compromise, deepfakes, robotics, and quantum threats to cryptography — a clear signal of where contractor-facing requirements are heading.
- It is a proposed bill, not current law: treat it as a planning indicator, not an obligation, and watch whether it advances or attaches to the NDAA.
Want to understand the obligations that actually apply to you today? Start with Find My Requirements or the defense industry page.