Congress extends cyber threat sharing law through September 2026
🔒Digital Rights🏢Legislative Process
CISA 2015 is the Cybersecurity Information Sharing Act—a law, not an agency. It's easy to confuse with CISA the agency (Cybersecurity and Infrastructure Security Agency). The law allows companies to share cyber threat indicators and defensive measures with the government and with each other, protected from antitrust liability and civil lawsuits.
The law's core bargain: companies get liability immunity for sharing, in exchange for sharing threat data that helps the government (and other companies) defend against the same attacks. Without immunity, companies fear sharing information that reveals their own security failures or could expose them to class action lawsuits.
Congress extended CISA 2015 through September 30, 2026 as part of the omnibus Consolidated Appropriations Act of 2026
The Senate voted 71-29 to advance the bill on January 30, 2026
Trump signed it February 3, 2026 The law's substance was unchanged—only the sunset date moved.
The original CISA 2015 had a 10-year sunset that expired September 30, 2025. Before the omnibus extension, Congress passed a short-term extension keeping the law alive through January 30, 2026. The pattern of short-term patches reflects the political difficulty of passing a clean long-term extension.
Sen. Rand Paul (R-KY) blocked the standalone S. 1337 extension through 2035 in the Senate Homeland Security Committee, demanding provisions restricting the government from using shared threat data for surveillance and limiting CISA's authority to counter what Paul called government-sanctioned censorship of online speech.
Sen. 
Ron Wyden (D-OR) has opposed CISA 2015 since its passage, calling it 'a surveillance bill by another name.' His critique: the liability shield encourages companies to share vast amounts of personal data with the government with weak minimization requirements, expanding government surveillance databases beyond cybersecurity uses.
The debate over CISA 2015 splits across an unusual coalition: national security hawks who want maximum information sharing; privacy advocates like Wyden who worry about surveillance expansion; and libertarians like Paul who oppose government involvement in online speech. These cross-cutting coalitions make long-term reauthorization politically difficult.
CISA 2015 information sharing happens through portals that allow companies to submit threat indicators—IP addresses, malware signatures, attack patterns—that the government then scrubs of personally identifiable information (theoretically) and redistributes to other companies and agencies.
🔒Digital Rights🏢Legislative Process
People, bills, and sources
Ron Wyden
U.S. Senator (D-OR), persistent CISA 2015 opponent
Rand Paul
U.S. Senator (R-KY), Chair of Senate Homeland Security Committee (2025)
Gary Peters
Senate Homeland Security Committee Ranking Member (D-MI)
Mike Rounds
U.S. Senator (R-SD), Armed Services Committee Chair
American Civil Liberties Union
Civil liberties advocacy organization
What you can do
1
civic action
Contact your senators about the long-term CISA 2015 reauthorization
The September 2026 deadline is approaching. Congress must either pass S. 1337 or continue extending the law in short-term patches. Your senators can influence whether the long-term extension includes stronger privacy protections that Wyden and Paul are demanding.
My name is [name], a constituent from [city]. I'm calling about CISA 2015 reauthorization. The current extension expires September 2026. I want Senator [name] to support reauthorization with stronger privacy protections—specifically requiring that shared data be actually minimized before government redistribution and that the law include robust oversight of how threat data is used beyond cybersecurity purposes.
2
professional action
Understand what your company shares under CISA 2015 and what protections you have
If you work in information technology, legal, or compliance at a company in a critical infrastructure sector, your company may be sharing data under CISA 2015. Understanding what your company shares, with whom, and what minimization occurs protects both your company and the privacy of people whose data may be included.
Review your organization's participation in CISA's Automated Indicator Sharing (AIS) portal. Ask your legal team what information your company shares, whether it has been properly minimized before submission, and what contractual protections govern how the government uses your shared data.
3
civic action
Track the S. 1337 standalone extension bill through Congress
S. 1337 would extend CISA 2015 through 2035—avoiding the repeated short-term patches. Following this bill's progress helps you understand both legislative process and the privacy-security tradeoffs at stake.
Search 'S. 1337' on Congress.gov to track the bill's status, who co-sponsors it, and whether it has been scheduled for committee hearings. Sign up for alerts from digital rights organizations like EFF or ACLU to receive analysis of any amendments.