US punts renewal of threat data sharing law to September
US lawmakers have extended the Cybersecurity Information Sharing Act of 2015 for another nine months, buying time to enact a replacement for the legislation.
The United States’ Cybersecurity Information Sharing Act of 2015 – CISA 2015 – which came within a hair’s breadth of lapsing for good at the end of 2025, will now likely be extended through to the end of September as part of a Department of Homeland Security (DHS) funding package for 2026.
The DHS Appropriations Act narrowly passed the House of Representatives on Thursday 22 January, overcoming Democrat objections to funding the controversial Immigration and Customs Enforcement (ICE) agency, which falls under the department’s remit. It will head to the Senate where it is expected to be taken up before the end of the month.
CISA 2015 enables organisations to report and share information on cyber security threats and incidents without fear of being on the receiving end of legal action as a result. The law was first enacted during the Obama years and contained a 10-year sunset clause allowing it to be revisited and revised.
By the autumn of 2025, legislators were making progress on a replacement but the federal government shutdown beginning at midnight on 1 October caused it to lapse briefly – although the true impact to real-world data-sharing appears to have been limited.
CISA 2015 was extended to the end of January 2026 as part of the agreement to reopen the government, and the latest extension should in theory buy time for Congress to figure out next steps.
Cynthia Kaiser, senior vice president of the Ransomware Research Center at Halcyon, said: “Any step forward in putting formal protections in place for information sharing between the private and public sectors should be seen as a positive. If this legislation is passed, industry will get renewed, but temporary safe harbour to share critical threat information.
“However, as 2025’s lapse in those protections made clear, we need a long-term solution. It’s critical that protecting cyber security information sharing is considered its own priority in Congress in order to maintain a strong national security posture,” she told Computer Weekly.
Mimecast CEO Marc van Zadelhoff said the extension was more than just legislative housekeeping but an acknowledgement that collaboration is one of the strongest cyber defence strategies there is.
“After its brief but concerning lapse during October’s government shutdown, CISA’s renewal reinforces a critical principle: transparency isn’t a liability, but an operational advantage,” he said.
“The extension provides what security leaders need most: legal protection to share threat intelligence without fear of becoming scapegoats. This protection is foundational. Without it, organisations operate in isolation, creating exploitable gaps that adversaries are quick to leverage. Just as cyber security risk is shared across the ecosystem, accountability must be distributed accordingly.
He added: “More importantly, this extension creates an opportunity to evolve our approach, moving from reactive disclosure toward structured, proactive intelligence sharing. Every incident, regardless of scale, becomes a learning opportunity that strengthens not just individual organisations, but entire industries and national security infrastructure.”
Zadelhoff advised cyber leaders to use the nine-month window strategically, describing it as a golden opportunity to embed accountability into operational processes, strengthen cross-sector collaboration, and improve how threat intelligence flows through the ecosystem. This means establishing clear protocols for what gets shared, when, and with whom, turning compliance activities into genuine security advantages.
“CISA 2015 represents more than regulatory obligation. It’s about building a culture where shared responsibility, proactive defense, and collective insight become the foundation of how we approach cyber security. The extension gives us time to get this right,” he said.
Cyber agency funding
Besides the work of multiple other agencies sitting under its umbrella, the DHS Appropriations Act also sets out annual funding and strategic missions for the US’ Cybersecurity and Infrastructure Security Agency (CISA) – which performs a similar function to the UK’s National Cyber Security Centre (NCSC) and was the subject of deep cuts last year.
All told, the Act provides a total of $2.6bn (£1.9bn) to fund CISA this year, down on previous years, of which $763m will be directed towards cyber operations, including vulnerability management, capacity building, and threat hunting. It also includes some reductions to redundant, unauthorised or duplicate programmes at CISA.
It also provides an additional $20m to fund “critical” at CISA to counter unspecified cyber threats from China.
The Act furthermore points to a potential shake-up of how the agency engages with other organisations and partners on the global stage, instructing it to coordinate with other federal government departments to “assess ongoing and recently completed cyber security engagement activities with international partners.”
These activities include requests for support, technical assistance, and expertise given to other governments and critical infrastructure owners and operators outside the US.
Towards the end of 2026 – depending on when the funding package gets the go-ahead – the Act directs CISA to provide a report on processes for and barriers to providing these services, and the time and cost of such engagement.
