Key point: With the Cybersecurity Information Sharing Act of 2015 (CISA 2015) scheduled to sunset on September 30, 2025, Congress will need to act quickly to renew the law and maintain, if not improve, the liability protections for industry when sharing cyber threat indicators and defensive measures.
Supporters of reauthorization—including Sen. Gary Peters (D., Mich.), Rep. Eric Swalwell (D-Calif.), Rep. Bennie Thompson (D-Miss.) and Rep. Andrew Garbarino (R., N.Y.)—argue that CISA 2015 is essential for real-time cyber threat sharing, offering liability protections and privacy safeguards that encourage private sector participation, which is vital for national cyber defense. Letting the law lapse could disrupt these partnerships and reduce both government and industry access to timely threat intelligence, weakening the nation’s cyber posture. Industry leaders, including the Information Technology Industry Council, urge a swift, “clean” extension, warning that even well-intentioned reforms could bog down the process and risk a lapse in authority.
On the other hand, some in the industry note shortcomings, such as insufficient reciprocal information sharing from government agencies and outdated definitions that do not fully address modern threats like supply chain attacks. These critics suggest targeted updates, but most agree the reforms should come with or after renewal to avoid creating information coverage gaps. If the law is not reauthorized, government resources for threat sharing and response would be diminished, potentially leaving both the public and private sectors more vulnerable.
Sen. Rand Paul (R-KY) says the Senate Homeland Security and Governmental Affairs Committee will work to renew CISA. However, Sen. Paul insists that reauthorization must include explicit anti-censorship language to prevent CISA from being used to moderate political speech, citing concerns over its past role in addressing disinformation. An agreement on reauthorization has not yet been reached, but there appears to be some forward progress.
- On April 8, Sen. Peters introduced the Cybersecurity Information Sharing Extension Act (S 1337), which would provide for a clean reauthorization of CISA 2015 through 2035.
- In June, the Senate Committee on Commerce, Science and Transportation issued a report regarding Senate Bill 245, Insure Cybersecurity Act of 2025, that would create a working group on cyber insurance and the dissemination of informative resources to stakeholders.
- Last month, the Senate Select Committee on Intelligence passed a “clean” CISA 2015 reauthorization that extends the law for another 10 years without changes as part of its FY26 intelligence authorization bill.
The House Permanent Select Committee on Intelligence has yet to release details of its intelligence authorization bill markup, and the House of Representatives is in recess until September 2, 2025.
Key Takeaways
Congress will need to act quickly to renew CISA 2015 ahead of its September 30 deadline. While most stakeholders agree on the need for swift reauthorization to maintain strong national cybersecurity, some are calling for reforms to address the changing threat landscape and to improve information sharing between government and industry. Timely action is needed and we will continue to monitor the status of CISA 2015.
[View source.]
