Congress·Passed House·H.R. 2659

Congress orders DHS and FBI task force to report on China-linked cyber threats to critical infrastructure

Strengthening Cyber Resilience Against State-Sponsored Threats Act

4 months ago·View on Congress.gov

⏸

Stalled

No legislative action in over 90 days.

Legislative Progress

✓ House

Senate

President

Law

Key Points

Creates a joint task force led by the Homeland Security Department’s cyber agency, with the FBI as vice chair, to coordinate against state-backed cyber threats from China.
Requires the task force to deliver its first report about 540 days after it’s set up, then yearly reports for five years, plus classified briefings to Congress after each report.
Reports must cover which critical infrastructure sectors are most at risk, how attacks are happening, and what extra tools or resources federal agencies may need to respond.
Requires classified assessments of how a major cyberattack could disrupt power, transportation, ports, and military movement, and the possible economic and social fallout.
Orders a one-time public awareness plan so critical infrastructure owners and operators know what federal security help and resources are available.

CybersecurityNational SecurityInfrastructure

Impact Analysis

Personal Impact

How this policy affects specific groups of people

Mixed Impacts(2)

Federal Employee

Neutral

Military Active

Neutral

Positive Impacts(1)

Housing Assistance

Helps

Milestones

6 milestones17 actions

Nov 18, 2025Senate

Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Nov 17, 2025House

Motion to reconsider laid on the table Agreed to without objection.

Nov 17, 2025House

On motion to suspend the rules and pass the bill Agreed to by the Yeas and Nays: (2/3 required): 402 - 8 (Roll no. 287). (text: CR H4682-4684)

Nov 17, 2025

Passed/agreed to in House: On motion to suspend the rules and pass the bill Agreed to by the Yeas and Nays: (2/3 required): 402 - 8 (Roll no. 287). (text: CR H4682-4684)

Nov 17, 2025House

Considered as unfinished business. (consideration: CR H4692)

What Happens Next

Projected impacts based on AI analysis

Within 120 days after the Act is signed into law

CISA (with the FBI and other agencies) sets up the interagency task force

Expect more coordinated federal focus on cyber threats to power, water, transportation, and other critical systems; outreach to operators may start after the task force begins work.

Within 540 days after the task force is established

Task force delivers its first report to Congress and posts an unclassified executive summary online

The public may get a clearer picture of which critical sectors are most at risk and what practical steps operators should take; some details will stay classified.

Within 30 days after the first report is submitted

Task force gives a classified briefing after the first report

Congress gets a deeper, non-public view of risks and needed capabilities; this can shape future funding or requirements even if the public summary is brief.

About 1 year after the initial report, then once a year for five years

Annual reports begin (with unclassified executive summaries posted)

Critical infrastructure operators may see updated guidance year to year as threats change; the public may get periodic updates on general risk trends.

Included with the task force reports (timing follows the initial/annual report schedule)

One-time plan for an awareness campaign is included in the reporting

Owners/operators (including some local utilities and hospitals) may be pointed to federal tools, alerts, and support options; you may see more trainings and shared resources.

60 days after the final required briefing (after the multi-year reporting cycle)

Task force sunsets after it finishes the final required briefing

The formal task force ends; any ongoing work would have to continue through existing agencies or new direction from Congress.