US lawmakers have extended the Cybersecurity Information Sharing Act of 2015 for another nine months, buying time to enact a replacement for the legislation.
US lawmakers have extended the Cybersecurity Information Sharing Act of 2015 for another nine months, buying time to enact a replacement for the legislation.
The United States’ Cybersecurity Information Sharing Act of 2015 – CISA 2015 – which came within a hair’s breadth of lapsing for good at the end of 2025, will now likely be extended through to the end of September as part of a Department of Homeland Security (DHS) funding package for 2026.
The DHS Appropriations Act narrowly passed the House of Representatives on Thursday 22 January, overcoming Democrat objections to funding the controversial Immigration and Customs Enforcement (ICE) agency, which falls under the department’s remit. It will head to the Senate where it is expected to be taken up before the end of the month.
CISA 2015 enables organisations to report and share information on cyber security threats and incidents without fear of being on the receiving end of legal action as a result. The law was first enacted during the Obama years and contained a 10-year sunset clause allowing it to be revisited and revised.
By the autumn of 2025, legislators were making progress on a replacement but the federal government shutdown beginning at midnight on 1 October caused it to lapse briefly – although the true impact to real-world data-sharing appears to have been limited.
CISA 2015 was extended to the end of January 2026 as part of the agreement to reopen the government, and the latest extension should in theory buy time for Congress to figure out next steps.
Cynthia Kaiser, senior vice president of the Ransomware Research Center at Halcyon, said: “Any step forward in putting formal protections in place for information sharing between the private and public sectors should be seen as a positive.