Congress extends cyber threat sharing law through September 2026
Law lets companies in 16 critical sectors report cyber attacks within 72 hours of breach
CISA 2015 is the Cybersecurity Information Sharing Act—a law, not an agency. It's easy to confuse with CISA the agency (Cybersecurity and Infrastructure Security Agency). The law allows companies to share cyber threat indicators and defensive measures with the government and with each other, protected from antitrust liability and civil lawsuits.
Key Concepts
Essential concepts and terms to understand this topic
State Action Requirement
Constitutional doctrine requiring a connection to government action for Fourteenth Amendment protections to apply.
Police Powers
A state's broad authority to regulate health, safety, welfare, and morals
Social Media Surveillance
Government monitoring of individuals' social media accounts and posts for enforcement purposes.
Key People
5
Ron Wyden
U.S. Senator (D-OR), persistent CISA 2015 opponent
Wyden has called CISA 2015 a 'surveillance bill' since 2015, arguing that liability shields allow companies to share personal data with the government that goes well beyond what cybersecurity purposes require. He voted against the 2015 law and continues to oppose clean extensions.
RP
Rand Paul
U.S. Senator (R-KY), Chair of Senate Homeland Security Committee (2025)
Paul blocked S. 1337, the standalone 10-year CISA 2015 extension, in his committee, demanding provisions restricting the government's use of shared data for surveillance and limiting CISA's authority to counter disinformation. His libertarian concerns about government surveillance overlap with Wyden's privacy concerns.
Gary Peters
Senate Homeland Security Committee Ranking Member (D-MI)
Peters co-sponsored S. 1337 with Republican Mike Rounds, advocating for a clean 10-year CISA 2015 extension. He represents the mainstream security community view that liability immunity is necessary for effective information sharing.
Mike Rounds
U.S. Senator (R-SD), Armed Services Committee Chair
Rounds co-sponsored S. 1337 with Peters, providing bipartisan sponsorship for the long-term extension. His support reflects mainstream Republican national security establishment support for the information sharing framework.
AC
American Civil Liberties Union
Civil liberties advocacy organization
The ACLU has consistently opposed CISA 2015, joining the American Library Association and digital rights organizations in arguing that the law's minimization requirements are too weak to prevent personal data from flowing into government surveillance systems.
Claims & Perspectives
False
False
CISA 2015 is the same thing as the Cybersecurity and Infrastructure Security Agency
CISA 2015 is a law—the Cybersecurity Information Sharing Act—passed in 2015. CISA the agency was created in 2018 by a different law. They share the same acronym, causing confusion, but are entirely different entities.
True
True
CISA 2015 protects companies from civil lawsuits when sharing cyber threat information
The law's core provision is civil liability immunity for companies that share cyber threat indicators and defensive measures with the government or with other private entities. Without this immunity, companies fear sharing information that might expose them to class actions.
Disputed
Disputed
Ron Wyden and Rand Paul have opposed CISA 2015 for the same reason
Both Wyden and Paul have opposed CISA 2015, but for overlapping rather than identical reasons. Wyden focuses on inadequate privacy protections and data minimization; Paul focuses on restricting CISA's authority to counter disinformation (which he frames as censorship). Their reasons align on surveillance concerns but diverge on the disinformation question.
What you can do
Contact your senators about the long-term CISA 2015 reauthorization
civic action
The September 2026 deadline is approaching. Congress must either pass S. 1337 or continue extending the law in short-term patches. Your senators can influence whether the long-term extension includes stronger privacy protections that Wyden and Paul are demanding.
Understand what your company shares under CISA 2015 and what protections you have
professional action
If you work in information technology, legal, or compliance at a company in a critical infrastructure sector, your company may be sharing data under CISA 2015. Understanding what your company shares, with whom, and what minimization occurs protects both your company and the privacy of people whose data may be included.
Track the S. 1337 standalone extension bill through Congress
civic action
S. 1337 would extend CISA 2015 through 2035—avoiding the repeated short-term patches. Following this bill's progress helps you understand both legislative process and the privacy-security tradeoffs at stake.