The Cybersecurity Information Sharing Act of 2015 was recently extended by Congress until September 30, 2026. The change was made as part of the Consolidated Appropriations Act, which was passed by Congress in early February 2026.
The law's original 10-year authorization ran out on September 30, 2025, and this change moves the sunset date forward. This will start a number of short-term measures to keep the framework in place. A short-term extension passed in late 2025 kept the law in force only until January 30, 2026. That's when Congress passed the latest extension, which keeps the rights in place for another nine months.
The law sets up a legal framework for private companies and federal agencies to share cyber threat indicators and defensive measures voluntarily. This sharing is paired with legal protections that include limits on liability, disclosure, privilege, and regulatory use when certain legal conditions are met. Additionally, the law provides authorizations and protections for cybersecurity monitoring and the use of defensive measures.
The most recent act only changes the end date; it doesn't change the underlying standards or definitions. The information-sharing framework will lapse again on September 30, 2026, if nothing else is done.
The Consolidated Appropriations Act is a large, must-pass federal funding law that bundles multiple appropriations measures into one package so the U.S. government stays funded for the fiscal year, often while also extending a handful of expiring programs.
The recent updates include:
According to a press release by Appropriations Chairman Tom Cole, “This legislation, which enacts five full-year FY26 appropriations bills previously passed by this chamber, is now on its way to President Trump's desk for signature. The American people deserve a functioning government, and Republicans are continuing to lead responsibly to deliver it. The House previously completed months of bipartisan, bicameral negotiations and passed a final FY26 appropriations agreement, but the Senate subsequently altered that deal, triggering a partial shutdown of the federal government.”
Hospitals, health systems, and vendors sit in a threat environment where speed matters. Ransomware crews and phishing operators reuse the same infrastructure across targets, so sharing indicators (malicious domains, IPs, hashes, tactics) with federal partners and peer networks can help others block the same campaign sooner.
A study on the topic titled Relational Framework of Cyberattacks: Empirical Evidence from Multistage Incidents states, “Interorganisational coordination through platforms such as MISP has also proven effective in reducing response times.”
CISA 2015 matters because it pairs sharing with defined legal protections when the organization shares qualifying “cyber threat indicators” or “defensive measures” through approved channels and conditions, reducing the chilling effect that can appear when lawyers worry about downstream lawsuits or regulatory consequences tied to disclosure.
Examples include the HHS Office for Civil Rights for HIPAA security enforcement, the U.S. Securities and Exchange Commission for public-company cyber disclosures, and the New York State Department of Financial Services for covered financial entities under 23 NYCRR 500.
OCR expects procedures to review information system activity (logs/audit records) and to keep security controls under regular watch, not only during an audit season.
Security incident procedures must exist, and response/reporting must include identifying and responding, mitigating harmful effects where practicable, and documenting incidents and outcomes.