In the appropriations bill of November 12, 2025, Congress included an extension of the Cybersecurity Information Sharing Act of 2015 (CISA 2015), 6 U.S.C. §§ 1501–10, through January 30, 2026.
The law does not amend any of the provisions of CISA 2015, which expired on October 1 of this year, but rather restores legal protections and clarifies the legal landscape for companies sharing "cyber threat indicators" and "defensive measures" with the federal government. In turn, the law resolves ambiguities regarding such companies' participation in information sharing and analysis centers.
CISA 2015 remains a subject of legislative interest, so modifications to the law may be forthcoming. For now, the certainty and clarity that CISA 2015 provided have been restored.
* * *
In December 2015, Congress enacted CISA 2015 to enable the sharing of cybersecurity information among private, federal, state, local, territorial, and tribal entities. In doing so, Congress took several steps, including:
- Exempting entities engaging in such sharing from antitrust liability for disclosing cybersecurity information among private entities; liability for monitoring internal systems for cybersecurity purposes; liability for disclosing personal information related to a cybersecurity threat; and disclosure under federal, state, tribal, or local freedom of information laws, open government laws, open meetings laws, open records laws, or sunshine laws related to shared information;
- Preventing entities from waiving privilege and trade secret protection for shared information; and
- Limiting federal agencies' use of shared information to cybersecurity purposes.
The extension of CISA 2015 restores certainty that entities sharing cyber threat information will be protected and that their designations of disclosed information as commercial, financial, and proprietary will be honored. But that extension may be short-lived; the renewal is part of legislation that reopened the U.S. federal government, and that renewal extends CISA 2015 only until January 30 of next year. Unless Congress reauthorizes CISA 2015 for a longer term before then, entities engaged in this type of sharing will again face uncertainty about their potential liability.