H.R. 4579 (119th): Bill Overview

FEMA Cybersecurity Improvement Act

Emergency Management
Cosponsors
Support
Democratic
Introduced
Jul 21, 2025
Current stage: Committee

Referred to the Subcommittee on Economic Development, Public Buildings, and Emergency Management.

01 · The brief
Plain-English summary: What this bill actually does

This bill amends section 523(a) of the Homeland Security Act of 2002 to add “mitigating cybersecurity risks” to FEMA’s statutory responsibilities. It inserts a new paragraph requiring FEMA to mitigate cybersecurity risks that could impede Agency operations, with the term referenced to section 2200.

Why people may split

Scope: liberals and centrists treat the change as necessary for resilience; conservatives worry it could signal mission creep beyond internal FEMA systems.

Watch point

Relative to its intended legislative type, this bill clearly effects a substantive policy change by amending FEMA’s statutory duties and establishes a short-term reporting requirement, but it provides limited operational detail, no funding or resourcing provisions, and minimal attention to edge cases or performance metrics.

The bill also requires the FEMA Administrator, in consultation with the Director of CISA, to submit a report to relevant House and Senate committees within one year describing progress on mitigating those cybersecurity risks.

Passage: 60/100

On content alone this is a low‑risk, narrowly tailored technical fix and report requirement that aligns with routine congressional oversight of federal agency cybersecurity. Such measures often clear committees and receive bipartisan support, but many simple bills still fail to advance due to competing priorities, timing, or lack of sponsor leverage; absence of funding authorization and the possibility of being subsumed into larger legislative vehicles are key limiting factors.

Credibility: Partially aligned

Contention: 45/100

02 · What it does

Who stands to gain, and who may push back.

Likely benefits vs burdens: 50% / 50%
Likely helped: Federal agencies

These are examples from the analysis, not a ranked list of the most-affected groups.

Likely helped
  • Potential benefit: Clarifies and formalizes FEMA's responsibility for addressing cybersecurity risks to its own operations, which could st…
  • Potential benefit: Promotes coordination between FEMA and CISA through the required consultation on the report, potentially improving info…
  • Potential benefit: May lead to targeted investments in cybersecurity tools, training, and personnel within FEMA to reduce vulnerability to…
Likely burdened
  • Potential burden: Imposes additional administrative and reporting requirements on FEMA that could divert staff time from other programs u…
  • Potential burden: Could require increased spending on cybersecurity improvements; because the bill does not authorize specific funding, t…
  • Federal agencies: Risks duplicative roles or coordination challenges with CISA or other federal cyber programs if responsibilities and au…
03 · Why people split

Why the argument around this bill splits.

Progressive: 90%

A mainstream liberal would likely view the bill positively as a modest but necessary step to strengthen the resilience of a key federal emergency response agency against cyber threats.

They would see it as protecting public safety and continuity of disaster services, and as aligning FEMA with modern risk priorities by explicitly adding cybersecurity to its mission.

They would be concerned that the bill is light on funding, implementation details, workforce development, and civil liberties safeguards, so they would want to ensure resources and oversight are attached.

Leans supportive
Centrist: 75%

A centrist/moderate would likely see this bill as a pragmatic, narrowly tailored update clarifying FEMA’s responsibilities for cyber risk mitigation.

They would appreciate the coordination with CISA and the requirement for a one-year report, but would seek clarity on costs, overlap with existing DHS/CISA roles, and how success will be measured.

They would favor small, well-defined edits and expect further legislative or appropriations steps to fund and implement changes.

Leans supportive
Conservative: 45%

A mainstream conservative would view this bill with guarded skepticism: they might accept strengthening cybersecurity for a federal agency tied to national resilience, but will be concerned about expansion of federal authority, potential mission creep, and unfunded mandates.

They would want assurances the change does not create new regulatory reach over state/local governments or private sector actors without Congressional approval.

Costs, duplication with CISA, and increased bureaucracy would be central worries.

Split reaction
04 · Can it pass?

The path through Congress.

  • Introduced: Reached or meaningfully advanced
  • Committee: Reached or meaningfully advanced
  • Floor: Still ahead
  • President: Still ahead
  • Law: Still ahead

Passage likelihood: 60/100

Scope and complexity
  • Scope: narrow (24%)
  • Complexity: low (24%)
Why this could stall
  • The bill contains no authorization of appropriations or cost estimate; it is unclear whether FEMA has funds or will need additional resources to carry out expanded mitigation activities, which could affect support.
  • Legislative outcome depends on committee prioritization and the congressional calendar—many narrow bills do not reach floor votes and may be folded into larger packages.
05 · Recent votes

Recent votes on the bill.

No vote history yet

The bill has not accumulated any surfaced votes yet.
