Two instruments. Different legal weight. Different affected parties.
CISA BOD 26-04, issued June 10, is already binding law for federal civilian executive branch agencies. The directive requires the highest-risk, AI-exploitable vulnerabilities to be patched within three days. Federal agency CISOs aren’t waiting for legislation. That obligation is live.
Senator Mark Warner introduced the Combat Emerging Threats to Critical Infrastructure Act of 2026 on June 12, according to Senate legislative records. As introduced, the bill would require CISA to update cybersecurity plans for all 16 critical infrastructure sectors within nine months of enactment, and to refresh those plans every two years. It would also mandate AI threat assessments specifically addressing AI-enhanced cyberattacks and AI model supply chain vulnerabilities.
That’s the scope expansion that matters. BOD 26-04 reaches federal agencies. The Warner bill, if enacted, reaches the 16 critical infrastructure sectors (energy, water, financial services, healthcare, transportation, and eleven others) that are largely privately operated. A federal directive can’t bind a private utility. A statute can.
What to Watch
The real question is whether the bill has a path through a divided Senate. Warner is the ranking member of the Senate Intelligence Committee, which gives the bill credibility and a likely referral track. But introduced bills targeting critical infrastructure cybersecurity face a crowded legislative calendar alongside appropriations negotiations and competing national security priorities. The bill’s bipartisan potential (CISA is a Trump administration agency and BOD 26-04 was issued under current leadership) gives it more crossover appeal than most technology bills. That’s not a guarantee of passage, but it’s a better starting position than most.
For federal agencies: BOD 26-04’s three-day patching requirement is the operative obligation now. The Warner bill doesn’t change what federal agencies must do; it would extend comparable obligations to critical infrastructure operators if enacted.
For critical infrastructure operators: this is a monitoring situation, not an immediate action item. The bill introduces a nine-month CISA update mandate from the point of enactment, and enactment is uncertain. Prudent operators will track committee scheduling and cosponsor additions as indicators of legislative momentum. An AI supply chain assessment, mapping which AI models and vendors sit in your operational technology stack, is useful regardless of legislative outcome and positions organizations ahead of whatever obligation eventually arrives.
Don’t expect a fast timeline. Even if the Warner bill clears committee, floor scheduling in the current Senate is unpredictable. The more likely near-term development is that BOD 26-04 forces the compliance conversation that the bill formalizes. Federal agency vendors already operating under BOD 26-04 requirements are building the documentation and patching infrastructure that critical infrastructure operators will eventually need.
The pattern worth watching: BOD 26-04 (executive), Warner bill (legislative), and the broader AI cybersecurity provisions in the Great American AI Act create overlapping pressure on AI security posture across both federal and critical infrastructure contexts. Three instruments. One direction. The catch is that only one of them, BOD 26-04, has teeth today.