Congress Reauthorizes CISA 2015 Through September – But Then What?
The landmark Cybersecurity Information Sharing Act of 2015 (CISA 2015)[1] has been reauthorized retroactively from its original September 30, 2025 expiration for a limited one-year period. This development was the result of the House of Representatives and Senate passing H.R. 7148, the Consolidated Appropriations Act of 2026, which included the CISA 2015 extension in legislation to fund certain parts of the federal government through the end of Fiscal Year 2026, which ends September 30, 2026. President Trump signed the bill into law on February 3, 2026.
CISA 2015 was originally enacted with overwhelming bipartisan support over 10 years ago to provide much-needed clarity about the lawfulness of cybersecurity information sharing, deployment of defensive measures, and network monitoring. The law provides privacy protections; an antitrust exemption; protection of attorney-client privilege; confidential treatment for commercial, financial, and proprietary information shared with the government; and federal preemption.
Over the past decade, organizations have increased their cybersecurity information sharing across the public and private sectors, improved cybersecurity collaboration and operations, and enhanced their cyber defenses, often relying upon the authorizations and protections provided by CISA 2015. The law’s federal preemption provisions and “notwithstanding any other provisions of law” language were critical to providing organizations with the assurances they needed that a variety of other risks, including especially potential litigation risks, were addressed, allowing them to share cybersecurity information among themselves and with the government without fear of costly, crippling litigation.
Today, maintaining these protections and the flow of information sharing – at a time when nation-state and ransomware attacks are growing – is increasingly important. CISA 2015 enabled a stronger response to Salt Typhoon, a China state-sponsored advanced persistent threat actor targeting U.S. telecommunications networks. Collaboration between the private sector, the Federal Bureau of Investigation (FBI), and other government agencies on the response to Salt Typhoon has been praised by the FBI.[2] This collaboration led to the containment of threat actors domestically and the sharing of information with 80 other countries where networks were also targeted.
With CISA 2015 extended to September 30, 2026, industry has a brief reprieve and can refocus for now on important cybersecurity collaboration and information sharing activities with the knowledge that it has the law’s protections. However, long-term reauthorization of this popular law, whether in its current form or enhanced with some amendments, is going to require more work from Congress, the Administration, and industry. Cyber advocacy, either directly or through industry associations or law firms, can be an important way for industry to continue to urge Congress and the Administration to reauthorize this important piece of information sharing legislation.
[1] CISA 2015 was enacted as Title I of the Cybersecurity Act of 2015, and is codified at 6 U.S.C. §§ 1501-1510.
[2] “Without the support of the telecommunications industry inviting FBI technical teams in to help them with their incident response, we would not be where we are in containing the actors today.” Brett Leatherman, Assistant Director, Cyber Division, FBI, Keynote Address at the 9th Annual Boston Cybersecurity Conference (Oct. 16, 2025).
*Not admitted to the District of Columbia Bar. Supervised by principals of the firm who are members of the District of Columbia Bar.
