CISA gets temporary extension through January

Congress extended the Cybersecurity Information Sharing Act (CISA 2015) until January 30, 2026, as part of legislation that reopened the US government following a prolonged shutdown. The law, which lapsed in September 2025, protects companies from legal liability when sharing cyber threat intelligence.

 

What happened

The US Senate adopted the Continuing Appropriations, Agriculture, Legislative Branch, Military Construction and Veterans Affairs and Extensions Act, 2026 on November 9, temporarily ending the government shutdown. The legislation included a clause extending CISA 2015 for three months. The law shields businesses from lawsuits when exchanging cyber threat data through the voluntary Automated Indicator Sharing Program (AIS). CISA 2015 provides clarity on what companies can share with partners and government agencies securely. Congress has not clarified whether it will reauthorize the law before the new sunset date of January 30, 2026.

 

The backstory

CISA 2015 expired on September 30, 2025. The law has been fundamental in supporting cyber information sharing in the US and internationally by protecting businesses from legal liability when participating in threat intelligence exchange. The legislation brought much-needed clarity to the cybersecurity environment, allowing organizations to share threat data without fear of lawsuits. When the law lapsed, concerns emerged about its potential disappearance amid broader budget negotiations.

 

What was said

Errol Weiss, CSO of the Health Information-Sharing Analysis Center (Health-ISAC), called the extension "a good sign" and said it proved "there is definitely support for the law." However, he also described the move as "a temporary patch" and urged the US Congress to "look at extending CISA 2015 permanently or at least for another 10 years."

Weiss explained that the Act's lapse had almost no effect on information sharing among Health-ISAC members, which he characterized as "in steady growth for years." However, he noted, "The real hit we have seen has been with organizations' willingness to share cyber threat information with the federal government."

Regarding government sharing, Weiss said, "I feel that we are seeing less coming from government partners, such as the FBI, the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). This is due to several factors, which include the lapse of CISA 2015."

 

In the know

The Cybersecurity Information Sharing Act (CISA 2015) operates through the Automated Indicator Sharing Program (AIS), a voluntary program that allows businesses to exchange cyber threat data with partners and government agencies. The law's primary function is to provide legal protection, shielding companies from lawsuits when they share threat intelligence. Without this protection, organizations face uncertainty about potential legal consequences when sharing information about cyber threats they've encountered. This uncertainty can create barriers to collaboration, which is needed for identifying and responding to widespread cyber threats. The law aims to encourage more open communication about cyber threats across sectors by removing legal obstacles to information sharing.

 

Why it matters

The temporary nature of this extension creates ongoing uncertainty for healthcare organizations. The lapse between September 30 and November 9 already reduced information sharing between organizations and federal agencies like the FBI, DHS, and CISA, the very partnerships healthcare entities rely on for threat intelligence. With CISOs able to respond to only 36% of cyber-attacks and 70% struggling to remediate incidents, the loss of clear legal protections for sharing threat data compounds an already difficult situation. For healthcare organizations handling protected health information, the unclear sharing guidelines can lead to inaccurate breach reporting (affecting 68% of CISOs) and reduced insurance claims. The January 30, 2026 deadline means healthcare organizations may face another period of uncertainty in just two months unless Congress acts to extend or permanently reauthorize the law.

 

The bottom line

Healthcare organizations should prepare for potential disruption in threat intelligence sharing if Congress fails to reauthorize CISA 2015 before January 30, 2026. They should document their current information-sharing practices and relationships with federal partners, and consider how they would maintain threat intelligence capabilities if legal protections lapse again.

 

FAQs

What happens if CISA 2015 is not reauthorized after January 30, 2026?

Organizations could lose legal liability protection for sharing cyber threat intelligence, potentially reducing collaboration.

 

Does the temporary extension affect non-healthcare sectors?

Yes, all industries participating in the Automated Indicator Sharing (AIS) program are impacted by the uncertainty.

 

Can organizations continue sharing threat intelligence without legal protection?

They can, but doing so carries potential legal risks if data leads to damages or litigation.

 

How does this affect international cybersecurity partnerships?

Uncertainty in US law may make international partners hesitant to exchange sensitive threat intelligence.

 

Are there penalties for sharing threat data incorrectly under CISA?

Under the current law, CISA 2015 protects against liability for good-faith sharing, but without reauthorization, this protection could lapse.
