A key piece of U.S. cybersecurity legislation, the Cybersecurity Details Sharing Act of 2015 (CISA 2015), narrowly avoided expiration and is now poised for extension through September 2026 as part of a broader Department of Homeland Security (DHS) funding package.
Lawmakers Secure extension of Vital cyber Threat Sharing
The extension ensures continued information exchange between the public and private sectors to bolster national security.
- The DHS Appropriations Act passed the House on January 22, despite objections regarding funding for immigration and Customs Enforcement (ICE).
- CISA 2015 allows organizations to share cybersecurity threat data without fear of legal repercussions.
- The law, initially enacted during the Obama administration, included a 10-year sunset clause.
- Industry experts emphasize the need for a long-term solution to ensure consistent data sharing.
- The Act allocates $2.6 billion to fund the Cybersecurity and Infrastructure Security Agency (CISA) this year.
The DHS Appropriations Act cleared the house of representatives on Thursday, January 22, overcoming Democratic resistance tied to funding for the controversial Immigration and Customs Enforcement (ICE) agency, which operates under the DHS umbrella.The bill is expected to be considered by the Senate before the end of the month.
What does CISA 2015 actually do? The law enables organizations to report and share information about cybersecurity threats and incidents without facing legal challenges as a result. First enacted during the obama years,it included a 10-year sunset clause,prompting a review and potential revision.
Legislators were making headway on a replacement by autumn 2025, but the federal government shutdown that began at midnight on October 1 caused a brief lapse in the law’s protections-tho the real-world impact on data sharing appeared limited. CISA 2015 was temporarily extended to the end of January 2026 as part of the agreement to reopen the government, and this latest extension aims to provide Congress with more time to formulate a long-term strategy.
Cynthia Kaiser, senior vice president of the Ransomware Research Center at Halcyon, stated, “Any step forward in putting formal protections in place for information sharing between the private and public sectors should be seen as a positive. If this legislation is passed, industry will get renewed, but temporary safe harbour to share critical threat information.”
She added, “However, as 2025’s lapse in those protections made clear, we need a long-term solution. It’s critical that protecting cyber security information sharing is considered it’s own priority in Congress in order to maintain a strong national security posture.”
Marc van Zadelhoff, CEO of mimecast, noted that the extension comes amid increasing cyber threats originating from China.
The Act also suggests a potential restructuring of how CISA interacts with international partners, directing the agency to collaborate with other federal departments to “assess ongoing and recently completed cyber security engagement activities with international partners.” This includes support requests, technical assistance, and expertise provided to foreign governments and critical infrastructure operators.
Toward the end of 2026-depending on when the funding package is approved-the Act mandates that CISA submit a report detailing the processes, barriers, and costs associated with providing thes services.
