Building on Cybersecurity Information Sharing To Reinforce Security For the Digital Era

Executive Summary

The Cybersecurity Information Sharing Act of 2015 (CISA 2015) is a cornerstone of the U.S. public-private partnership structure needed for the digital age. It provides an extensive framework for companies and federal agencies to freely share information with one another on cyberthreats and indicators on a voluntary basis, while protecting companies from legal action that could otherwise be taken against them for sharing data. This framework was law from 2015 to 2025 as the digital age evolved and new cyberthreats, amplified by AI, emerged. CISA 2015 first sunset in September of 2025, and two resolutions have since extended it temporarily, now through September 2026. In the next few months, Congress must once again evaluate CISA’s fate, determining if and how it should be reauthorized for another 10-year period. The only difference now is that the framework the bill provides for this public-private partnership is invaluable given the cybersecurity threats looming over the U.S. and its people. The current short-term extensions have proven ineffective: they create uncertainty for industry by unraveling the long-term good faith created by the bill’s original 10-year pact. As a result, private companies are more anxious about exchanging information on cyber threats. Another 10-year reauthorization is the only solution that will provide all stakeholders and industry players with the framework needed to reinforce our frontline defenses against cyber attacks.

Background

Originally, the Cybersecurity Information Sharing Act of 2015 was designed to improve U.S. cybersecurity frameworks by fostering an innovative, collaborative environment between private sector entities and federal agencies. CISA specifically allowed organizations to share information about indicators such as attack techniques and malware signatures with the Department of Homeland Security. Because they were acting in good faith, private entities could do so under the CISA framework without violating antitrust laws or breaching customer privacy. The same framework also protected personally identifiable information unrelated to cyber threats when information was shared across entities. Over the last decade, the CISA framework has become an unquestionably important asset in enabling responses to cyber threats such as ransomware attacks and threats to critical digital infrastructure. CISA first sunset on September 30th, 2025, and remained lapsed until it was temporarily extended on November 12th, 2025, through January 30th, 2026. After a few days of lapse, it was again extended on February 3rd until September 30th, 2026.

Challenge

All of these lapses, and such an ephemeral extension pattern, raise concern in industry about the legal risks surrounding information sharing and its protections. Stakeholders are concerned that temporary measures fail to retain trust, which undermines the efficiency of the information sharing process. A temporary extension like the current one allows Congress to debate the implications of the law’s structure, but it doesn't resolve the legal uncertainty festering in the industry.

Solution

By contrast, a 10-year renewal would give stakeholders stability and encourage participation and further investment in national cybersecurity infrastructure. It would ensure that the U.S. remains resilient against emerging cyberthreats, support strategic planning of data security measures that mitigate risks to federal digital infrastructure, and cohesively bind data protection efforts across the private and public sectors.

Policy Recommendations

Different 10-year extension efforts have been taken up. In the Senate, Senators Gary Peters (D-MI) and Mike Rounds (R-SD) introduced the Extending Expired Cybersecurity Authorities Act (S. 2983); in the House, Representatives Andrew Garbarino (R-NY) and Michael McCaul (R-TX) introduced the Widespread Information Management for the Welfare of Infrastructure and Government Act (H.R. 5079), gaining bipartisan support. ZETA reaffirms that a 10-year reauthorization provides certainty for private sector stakeholders and strengthens the public-private collaboration necessary to encourage further cybersecurity development.