A key pillar of the nation’s cyber defense is on the clock. The Cybersecurity Information Sharing Act (CISA) of 2015 is set to expire in September, and lawmakers are scrambling to renew it before the deadline hits. U.S. Senators Gary Peters (D-MI) and Mike Rounds (R-SD) have introduced a bipartisan bill to extend the law for another ten years, warning that any lapse could slow the fast-moving flow of threat data between government and the private sector.
What the 2015 Cybersecurity Information Sharing Act Does
The Cybersecurity Information Sharing Act was designed to break down barriers between organizations trying to defend against cyber threats. The law provides legal protections for companies that voluntarily share threat data with each other and with the federal government. That protection removes a major sticking point: fear of lawsuits or regulatory blowback.
CISA laid the groundwork for threat information to flow more freely across sectors. It supports public-private sharing, private-to-private exchanges, and coordination through programs like the Department of Homeland Security’s Automated Indicator Sharing initiative. It also underpins broader efforts like the Joint Cyber Defense Collaborative (JCDC), which brings together government agencies and private firms to respond to threats in real time.
By giving organizations legal clarity, the law makes it easier to act quickly and cooperatively, something defenders say is essential when every second counts.
The Bipartisan Effort to Extend the Law
The bipartisan nature of the bill reflects a shared understanding across party lines of the necessity to maintain and enhance the nation's cybersecurity posture through continued collaboration between the public and private sectors.
“As cybersecurity threats grow increasingly sophisticated, information sharing is not just valuable—it remains essential for our national security,” said Senator Peters, ranking member of the Homeland Security and Governmental Affairs Committee. “For the past ten years, these critical protections have helped to address rapidly evolving cybersecurity threats, and this bipartisan bill will renew them so we can continue this collaborative partnership between the private sector and government to bolster our nation’s cybersecurity defenses against a wide range of adversaries.”
Senator Rounds emphasized the importance of the legislation. “The Cybersecurity Information Sharing Act of 2015 has been instrumental in strengthening our nation’s cyber defenses by enabling critical information sharing between the private sector and government,” he said. “Allowing this legislation to lapse would significantly weaken our cybersecurity ecosystem, removing vital liability protections and hampering defensive operations across both the defense industrial base and critical infrastructure sectors.”
Why It Matters Now
The push to renew CISA comes at a time when cyber threats are evolving faster than ever. Ransomware groups, nation-state hackers, and cybercriminals are using more advanced tools, including AI, to find vulnerabilities and launch attacks. At the same time, the complexity of global supply chains has made it harder to track where risks are coming from and easier for attackers to exploit blind spots.
In this environment, it’s a necessity to share threat intelligence in real time. From hospitals to power grids, critical infrastructure depends on a fast, coordinated response when an attack hits. Without the legal protections CISA provides, that collaboration could slow down or stall altogether, leaving defenders second-guessing legal risks when they should be focusing on stopping threats.
Industry and Expert Response
Industry leaders say renewing CISA is essential to keeping defenders aligned and effective. The law’s liability protections have helped build trust between companies and the government, making it possible to share threat intelligence quickly and without hesitation.
“If the law is allowed to lapse, it reintroduces hesitation at the wrong time,” said Chad Cragle, CISO at Deepwatch. “Threat actors aren’t slowing down—and we can’t afford to either.” He credits CISA with removing the legal guesswork that used to slow down sharing, and says programs like the Joint Cyber Defense Collaborative have made that cooperation more direct and operational.
“Cybersecurity is a team sport, and the truth of this idea is only becoming more obvious in a progressively more hostile global environment,” said Casey Ellis, founder of Bugcrowd. “The Cybersecurity Information Sharing Act provides a safe framework for information sharing, and underpins both public/private partnership sharing and the ‘in community’ sharing that powers US-based ISACs. I'm very glad to see Senator Rounds and Senator Peters moving this along.”
The Broader Cybersecurity Legislative Landscape
The push to renew the Cybersecurity Information Sharing Act comes as another key program, the State and Local Cybersecurity Grant Program (SLCGP), faces its own expiration. Funded through the 2021 infrastructure law, the SLCGP has provided $1 billion over four years to help state and local governments improve their cybersecurity defenses. The program is set to expire on September 30, 2025, unless Congress acts to reauthorize it.
State and local officials have praised the SLCGP for enabling them to implement essential cybersecurity measures, such as endpoint detection, employee training, and incident response planning. For example, Utah's CIO, Alan Fuller, testified that the program helped the state block seven major cyberattacks in six months and provided cybersecurity training to 31,000 local government employees.
However, the uncertainty surrounding the program's future has caused concern among local governments. Connecticut CIO Mark Raymond noted that the fear of the program's expiration impedes localities from applying for future funding, as they are reluctant to invest in new cybersecurity initiatives without assurance of continued federal support.
The potential lapse of both CISA and the SLCGP could disrupt the collaborative framework that has been established between federal, state, and local entities. Without these programs, smaller communities may struggle to maintain their cybersecurity posture, leaving critical infrastructure vulnerable to cyber threats.
Staying Ahead of the Threat
With cyber threats growing more aggressive and complex, the stakes of reauthorizing the Cybersecurity Information Sharing Act are clear. Letting the law lapse would disrupt years of progress, reintroduce legal uncertainty, and slow down the threat-sharing partnerships that defenders rely on.
Attackers are adapting quickly, and defenders need the tools, trust, and legal cover to respond just as fast. That means Congress can’t afford to drag its feet. Renewing CISA—and keeping momentum behind programs like the State and Local Cybersecurity Grant Program—will help the country stay ahead of threats instead of scrambling to catch up.
