H.R. 5079, Widespread Information Management for the Welfare of Infrastructure and Government Act

H.R. 5079 would extend until 2035 the requirement for the federal government to share technical information on cyber threats with nonfederal entities. In addition, the bill would authorize the government to accept information on cyber threats identified by artificial intelligence systems. H.R. 5079 also would extend civil and criminal liability protection to cybersecurity providers. The provisions that would be extended were established by the Cybersecurity Act of 2015 and currently expire on September 30, 2025.

On the basis of information from the Cybersecurity and Infrastructure Security Agency about the costs to share cyber threat information with nonfederal entities, CBO estimates that extending the authority to perform those activities under H.R. 5079 would cost $37 million over the 2025-2030 period. Costs would include employing five cybersecurity analysts and maintaining online platforms to collect and share cyber threat indicators. Such spending would be subject to the availability of appropriated funds.

The costs of the legislation, detailed in Table 1, fall within budget function 050 (national defense). This estimate is based on the assumption that H.R. 5079 will be enacted near the start of fiscal year 2026 and that outlays will follow historical spending patterns for the affected programs.

Enacting H.R. 5079 would affect direct spending and revenues because the bill would allow information shared with the government to be used in investigations and prosecutions of federal crimes. Criminal fines are recorded as revenues, deposited in the Crime Victims Fund, and later spent without further appropriation. Civil penalties are deposited into the general fund of the Treasury and recorded as revenues. CBO estimates that very few additional prosecutions would arise from the information sharing authorized under the bill. Thus, enacting H.R. 5079 would have insignificant effects on revenues and direct spending and would, on net, reduce deficits by insignificant amounts over the 2025-2035 period.

Extending the Cybersecurity Act of 2015 would impose intergovernmental and private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA). The bill would extend protections from civil and criminal liability for covered entities that monitor, share, or use cyber threat information. Those protections from liability are considered a mandate because they would prevent public and private entities from seeking compensation for damages.

Because of uncertainty about the number of cases that would be limited and any foregone compensation that would result from compensatory damages that might otherwise be awarded to private-sector entities, CBO cannot determine whether the costs of the mandate would exceed annual thresholds established in UMRA for private-sector mandates ($206 million in 2025, adjusted annually for inflation).

The bill also would impose intergovernmental mandates by extending a preemption of state and local laws on disclosure, liability, and restrictions on cybersecurity monitoring, sharing, and countermeasure activities. Because the amount of cybersecurity information shared by state, local, and tribal governments is much smaller than that shared by the private sector, and public entities are much less likely to bring lawsuits as plaintiffs in such cases, CBO estimates that the aggregate costs of the mandates on public entities would fall below the threshold for intergovernmental mandates ($103 million in 2025, adjusted annually for inflation).

The CBO staff contacts for this estimate are Aldo Prosperi (for federal costs) and Brandon Lever (for mandates). The estimate was reviewed by Christina Hawley Anthony, Deputy Director of Budget Analysis.

Phillip L. Swagel

Director, Congressional Budget Office