US punts renewal of threat data sharing law to September
US lawmakers have extended the Cybersecurity Information Sharing Act of 2015 for another nine months, buying time to enact a replacement for the legislation.
The United States’ Cybersecurity Information Sharing Act of 2015 – CISA 2015 – which came within a hair’s breadth of lapsing for good at the end of 2025, will now likely be extended through to the end of September as part of a Department of Homeland Security (DHS) funding package for 2026.
The DHS Appropriations Act narrowly passed the House of Representatives on Thursday 22 January, overcoming Democrat objections to funding the controversial Immigration and Customs Enforcement (ICE) agency, which falls under the department’s remit. It will head to the Senate where it is expected to be taken up before the end of the month.
CISA 2015 enables organisations to report and share information on cyber security threats and incidents without fear of being on the receiving end of legal action as a result. The law was first enacted during the Obama years and contained a 10-year sunset clause allowing it to be revisited and revised.
By the autumn of 2025, legislators were making progress on a replacement but the federal government shutdown beginning at midnight on 1 October caused it to lapse briefly – although the true impact to real-world data-sharing appears to have been limited.
CISA 2015 was extended to the end of January 2026 as part of the agreement to reopen the government, and the latest extension should in theory buy time for Congress to figure out next steps.
Cynthia Kaiser, senior vice president of the Ransomware Research Center at Halcyon, said: “Any step forward in putting formal protections in place for information sharing between the private and public sectors should be seen as a positive. If this legislation is passed, industry will get renewed, but temporary safe harbour to share critical threat information.
“However, as 2025's lapse in those protections made clear, we need a long-term solution. It’s critical that protecting cyber security information sharing is considered its own priority in Congress in order to maintain a strong national security posture,” she told Computer Weekly.
Mimecast CEO Marc van Zadelhoff said the extension was not just legislative housekeeping, but an acknowledgement that collaboration is one of the strongest cyber defence strategies there is.
“After its brief but concerning lapse during October's government shutdown, CISA's renewal reinforces a critical principle: transparency isn't a liability, but an operational advantage,” he said.
“The extension provides what security leaders need most: legal protection to share threat intelligence without fear of becoming scapegoats. This protection is foundational. Without it, organisations operate in isolation, creating exploitable gaps that adversaries are quick to leverage. Just as cyber security risk is shared across the ecosystem, accountability must be distributed accordingly.”
He added: “More importantly, this extension creates an opportunity to evolve our approach, moving from reactive disclosure toward structured, proactive intelligence sharing. Every incident, regardless of scale, becomes a learning opportunity that strengthens not just individual organisations, but entire industries and national security infrastructure.”
Zadelhoff advised cyber leaders to use the nine-month window strategically, describing it as a golden opportunity to embed accountability into operational processes, strengthen cross-sector collaboration, and improve how threat intelligence flows through the ecosystem. This means establishing clear protocols for what gets shared, when, and with whom, turning compliance activities into genuine security advantages.
“CISA 2015 represents more than regulatory obligation. It's about building a culture where shared responsibility, proactive defense, and collective insight become the foundation of how we approach cyber security. The extension gives us time to get this right,” he said.
Cyber agency funding
Besides the work of multiple other agencies sitting under its umbrella, the DHS Appropriations Act also sets out annual funding and strategic missions for the US’ Cybersecurity and Infrastructure Security Agency (CISA) – which performs a similar function to the UK’s National Cyber Security Centre (NCSC) and was the subject of deep cuts last year.
All told, the Act provides a total of $2.6bn (£1.9bn) to fund CISA this year, down on previous years, of which $763m will be directed towards cyber operations, including vulnerability management, capacity building, and threat hunting. It also includes some reductions to redundant, unauthorised or duplicate programmes at CISA.
It also provides an additional $20m to fund “critical” at CISA to counter unspecified cyber threats from China.
The Act furthermore points to a potential shake-up of how the agency engages with other organisations and partners on the global stage, instructing it to coordinate with other federal government departments to “assess ongoing and recently completed cyber security engagement activities with international partners.”
These activities include requests for support, technical assistance, and expertise given to other governments and critical infrastructure owners and operators outside the US.
Towards the end of 2026 – depending on when the funding package gets the go-ahead – the Act directs CISA to provide a report on processes for and barriers to providing these services, and the time and cost of such engagement.
