The Cybersecurity Information Sharing Act of 2015 (CISA 2015), the legal foundation for public-private cybersecurity threat intelligence sharing in the United States, is set to expire on January 30, 2026. Despite broad bipartisan support for permanent reauthorization, political obstacles have left the law’s future uncertain.
Current status
| Attribute | Status |
|---|---|
| Current extension expires | January 30, 2026 |
| Bipartisan support | Yes (both chambers) |
| White House position | Supports 10-year reauthorization |
| Primary obstacle | Sen. Rand Paul (R-KY) |
| Reason for obstruction | Unrelated CISA agency concerns |
Timeline
| Date | Event |
|---|---|
| December 2015 | CISA 2015 enacted with 10-year authorization |
| September 30, 2025 | Original authorization expires |
| October 1, 2025 | Law lapses; sharing continues under legal uncertainty |
| October 1 - November 12, 2025 | Law lapsed (43-day gap) |
| November 12, 2025 | Temporary extension passed in government funding bill |
| January 30, 2026 | Current extension expires |
What CISA 2015 does
The law established a framework for voluntary cybersecurity information sharing between private companies, the federal government, and among private entities:
Core protections
| Protection | Purpose | Impact |
|---|---|---|
| Liability shield | Companies sharing threat data in good faith are protected from lawsuits | Removes legal risk for sharing |
| Antitrust exemption | Competitors can collaborate on defense without antitrust concerns | Enables industry cooperation |
| FOIA exemption | Shared threat indicators exempt from public disclosure requests | Protects sensitive information |
| Privacy safeguards | Requires scrubbing personal information from shared indicators | Balances privacy concerns |
| Bidirectional sharing | Enables government-to-private-sector threat intelligence flow | Complete information sharing |
How sharing works
| Direction | Mechanism | Benefit |
|---|---|---|
| Private → Government | Automated Indicator Sharing (AIS) | Government gets private sector visibility |
| Government → Private | Threat briefings, alerts | Private sector gets classified context |
| Private → Private | ISACs, direct sharing | Peer-to-peer defense collaboration |
Why it matters
CISA 2015’s protections underpin much of the US cybersecurity ecosystem:
Information Sharing and Analysis Centers (ISACs)
| ISAC | Sector |
|---|---|
| FS-ISAC | Financial Services |
| Health-ISAC | Healthcare |
| E-ISAC | Energy/Electricity |
| IT-ISAC | Information Technology |
| WaterISAC | Water and Wastewater |
| MS-ISAC | State/Local Government |
| Aviation ISAC | Aviation |
These organizations rely on CISA 2015’s framework to facilitate rapid threat intelligence sharing among members and with government agencies.
Incident response impact
CISA 2015’s mechanisms were cited as instrumental in responding to:
| Incident | CISA 2015 role |
|---|---|
| SolarWinds supply chain compromise | Cross-sector coordination |
| Ongoing Chinese APT campaigns | Indicator sharing |
| Critical infrastructure threats | Government-industry collaboration |
| Ransomware campaigns | Private sector intelligence pooling |
Reauthorization efforts
Both chambers of Congress have advanced bills for permanent reauthorization:
House bill
| Attribute | Details |
|---|---|
| Bill | H.R. 5079 |
| Name | WIMWIG Act (Widespread Information Management for the Welfare of Infrastructure and Government) |
| Sponsor | Rep. Andrew Garbarino (R-NY), House Homeland Security Committee |
| Duration | 10 years |
| Status | Passed committee September 2025 |
| AI provisions | Updates definitions to account for AI advances |
Senate bill
| Attribute | Details |
|---|---|
| Bill | S. 1337 |
| Sponsors | Sen. Gary Peters (D-MI), Sen. Mike Rounds (R-SD) |
| Duration | 10 years |
| Status | Introduced October 2025 |
| Bipartisan | Yes |
Both bills have bipartisan support. The White House also supports reauthorization.
Political obstacles
Sen. Rand Paul (R-KY) chairs the Senate committee with jurisdiction over CISA 2015 and has blocked consideration of clean reauthorization bills.
Paul’s concerns
| Concern | Target | Relationship to CISA 2015 |
|---|---|---|
| Misinformation work | CISA agency (not the law) | Unrelated |
| Free speech concerns | CISA agency programs | Unrelated |
| Government overreach | Agency activities | Unrelated |
Paul’s concerns relate to the CISA agency (Cybersecurity and Infrastructure Security Agency)—not CISA 2015 the law. He objects to CISA’s previous efforts to combat online misinformation and has demanded changes including:
| Demand | Impact on effectiveness |
|---|---|
| Remove FOIA protections | Reduces sharing incentives |
| Remove federal preemption | Creates state-by-state complexity |
| Change threat indicator definitions | Narrows scope |
| Limit to 2-year reauthorization | Creates ongoing uncertainty |
| Prohibit misinformation work | Unrelated to information sharing |
Critics argue these changes would undermine the law’s effectiveness by reducing incentives for private sector participation.
What expiration means
If CISA 2015 fully lapses:
| Impact | Consequence |
|---|---|
| Liability uncertainty | Corporate counsel may advise against sharing |
| Reduced sharing volume | Fewer threat indicators flow to government |
| ISAC disruption | Framework supporting ISACs undermined |
| Slower incident response | Cross-sector coordination becomes legally uncertain |
| Competitive concerns | Antitrust exemption loss affects collaborative defense |
| FOIA exposure | Shared indicators could be subject to disclosure |
Legal uncertainty
Many companies would likely continue sharing under other legal frameworks, but explicit protections matter for corporate decision-making and legal risk management.
| Without CISA 2015 | Risk |
|---|---|
| Sharing threat indicators | Potential liability exposure |
| Coordinating with competitors | Antitrust concerns |
| Responding to government requests | Legal uncertainty |
| Operating ISACs | Framework gaps |
Industry response
Cybersecurity industry groups and ISACs have urged immediate action:
Industry coalition statements
“The law’s expiration comes at a particularly dangerous time given the escalating frequency and sophistication of state-sponsored cyber operations targeting US critical infrastructure.”
Organizations lobbying for reauthorization include:
| Organization | Sector |
|---|---|
| IT-ISAC | Information Technology |
| FS-ISAC | Financial Services |
| US Chamber of Commerce | Business |
| Major technology companies | Technology |
| Critical infrastructure operators | Multiple |
What happens next
Possible outcomes
| Outcome | Likelihood | Impact |
|---|---|---|
| Another short-term extension | High | Decision deferred to the next continuing resolution |
| Compromise bill | Medium | Negotiated changes to address Paul’s concerns |
| Full expiration | Low | Law lapses; sharing under legal uncertainty |
| Clean 10-year reauthorization | Low | Requires overcoming Senate obstruction |
Recommendations
For organizations sharing threat intelligence
| Priority | Action |
|---|---|
| High | Continue sharing under existing frameworks |
| High | Document good-faith basis for sharing activities |
| High | Consult legal counsel on risk posture during uncertainty |
| Medium | Monitor legislative developments |
| Ongoing | Engage with ISACs on policy advocacy |
For policy makers
| Priority | Action |
|---|---|
| Critical | Separate CISA 2015 from CISA agency disputes |
| High | Pass clean reauthorization |
| Medium | Consider bipartisan compromise path |
| Ongoing | Recognize information sharing as critical infrastructure |
Context
The legislative dysfunction around CISA 2015 illustrates how cybersecurity policy can become entangled with broader political conflicts. The law itself has bipartisan support; the obstacle is unrelated grievances about the CISA agency’s non-cybersecurity activities.
CISA 2015 is widely regarded as one of the most effective cybersecurity laws of the past decade. Allowing political disputes over an unrelated agency to undermine critical infrastructure protection creates unnecessary risk at a time when state-sponsored cyber threats are escalating.
The October 2025 lapse
The 43-day gap between September 30 and November 12, 2025 created significant legal uncertainty:
| Impact during lapse | Assessment |
|---|---|
| Sharing continued | Most organizations continued sharing |
| Legal exposure | Theoretical liability risk increased |
| Industry anxiety | Corporate counsel raised concerns |
| ISACs | Operated under existing frameworks |
| Government sharing | Continued via other authorities |
While no enforcement actions or lawsuits resulted from the lapse, the legal ambiguity caused concern among risk-averse organizations.
Legal guidance during uncertainty
Morrison Foerster and other law firms advised that cyber threat intelligence sharing could continue during the lapse:
| Framework | Availability |
|---|---|
| CISA 2015 protections | Lapsed/restored |
| Common law defenses | Available |
| Other federal sharing programs | Continued |
| Private-to-private sharing | Generally permitted |
| ISAC frameworks | Contractual protections |
Organizations should consult legal counsel on their specific risk posture as the January 30, 2026 deadline approaches.
Industry advocacy
Multiple industry groups have actively lobbied for permanent reauthorization:
| Organization | Advocacy position |
|---|---|
| IT-ISAC | Permanent reauthorization |
| FS-ISAC | 10-year extension |
| US Chamber of Commerce | Clean reauthorization |
| Critical Infrastructure Operators | Bipartisan support |
| Major Technology Companies | Remove uncertainty |
The unified industry position underscores the law’s importance to the cybersecurity ecosystem.
Organizations should prepare for continued uncertainty while hoping Congress finds a path to permanent reauthorization. The threat landscape doesn’t pause for political disputes.