On September 3, 2025, just weeks before key cybersecurity authorities are set to lapse, the House Homeland Security Committee voted to advance two expiring measures aimed at keeping cyber threat information flowing between government and industry and supporting state and local cyber defenses. Both authorities expire on September 30, 2025. House action keeps them moving, but final passage will hinge on Senate dynamics and calendar realities. If agreement slips past September 30, 2025, lawmakers in both chambers are already discussing a short-term extension, potentially via a stopgap funding bill, to prevent any interruption in information-sharing protections.
The first bill reauthorizes the 2015 Cybersecurity Information Sharing Act (commonly called CISA 2015), which incentivizes businesses to share cyber threat information with the federal government and with each other. The new version introduced by Chairman Andrew Garbarino would rename the law and extend the authorization through 2035. H.R. 5079, the Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG), cleared committee unanimously, 25-0. The updated text keeps the core framework that encourages private-sector sharing of cyber threat indicators with the government and peers, while making targeted updates for today’s environment, including explicit references to the use of artificial intelligence tools and updated oversight responsibilities for the Department of Homeland Security and the Department of Justice. The bill requires the Attorney General and the Secretary of Homeland Security to jointly update and publish the policies and procedures for threat sharing, with priority on rapid dissemination to state, local, Tribal and territorial (SLTT) governments and critical-infrastructure owners and operators. Additionally, it requires DHS to develop and continuously implement an outreach plan, especially for small and rural infrastructure operators and to provide annual briefings to the House and Senate Homeland Security committees on that outreach.
One likely point of friction is what the bill does not include. It omits language restricting the Cybersecurity and Infrastructure Security Agency (CISA) from engaging in work related to countering online disinformation, a condition that Senate Homeland Security Chair Rand Paul has previously said he wants attached. In the Senate, one option already on file is a “clean” 10-year extension bill (S. 1337, the Cybersecurity Information Sharing Extension Act) from Sens. Gary Peters and Mike Rounds that avoids policy changes, though their bipartisan text has not moved in committee.
Cyber policy experts caution that a lapse would create uncertainty for companies that rely on the law’s liability protections, which in turn could chill real-time sharing.
The second bill addresses the State and Local Cybersecurity Grant Program (SLCGP). The committee advanced H.R. 5078, Rep. Andy Ogles’s Protecting Information by Local Leaders for Agency Resilience Act (PILLAR), by a vote of 21-1 to continue the program for ten years. Created by the 2021 Infrastructure Investment and Jobs Act, SLCGP has provided $1 billion over four years to help states, localities and tribal governments strengthen their networks; most funds must be passed through to local governments, with a dedicated share for rural communities. The House draft does not set an overall funding topline and it tightens cost-sharing: the federal share is generally capped at 60 percent for single-entity awards and 70 percent for multi-entity awards through fiscal year 2035, with a potential incentive bump (to 65 percent/75 percent) for states that implement certain identity and access-management controls by October 1, 2027. It further bars the use of grant dollars for software or hardware from “foreign entities of concern” and directs alignment with CISA “secure by design” guidance. The text also replaces specific references to the Multi-State Information Sharing and Analysis Center (MS-ISAC) with broader “Information Sharing and Analysis Organizations,” which could reduce MS-ISAC’s automatic role during plan development and require adjustments by program users.
Both measures drew broad industry and state support focused on avoiding any gap in authorities before the deadline. The House committee’s votes keep the bills on track, but Senate timing is still developing as Chair Paul has not announced a markup date. If the chambers cannot reconcile their approaches quickly, a short extension attached to a continuing resolution remains a plausible backstop strategy discussed by lawmakers and stakeholders.
