The Cybersecurity Information Sharing Act of 2015 (“CISA 2015”), which provides liability protections and other safeguards for sharing certain cybersecurity information with the U.S. federal government and private entities, was reauthorized as part of the funding bill enacted on February 3, 2026. CISA 2015’s information‑sharing provisions, which had been scheduled to sunset on January 30, 2026, will now remain in effect through September 30, 2026.
As we have previously discussed, CISA 2015 establishes a framework for sharing cyber threat indicators and defensive measures, and it offers several important protections for organizations that participate. These protections include Freedom of Information Act (“FOIA”) disclosure exemptions, limits on liability related to sharing, and safeguards against waiver of legal privileges. See our earlier posts from 2015 and 2016 for more background. The Consolidated Appropriations Act, 2026 reauthorizes the statute without substantive changes by simply updating the sunset date in 6 U.S.C. § 1510(a) to “September 30, 2026.”
With this extension, organizations can continue benefiting from the protections afforded by CISA 2015 when sharing qualified cyber information. Although there is some congressional interest in a longer-term reauthorization, it is unclear if those efforts will make progress in the coming year. We recommend organizations monitor future legislative developments to know whether Congress will reauthorize and possibly modify CISA 2015 beyond the new sunset date. Also, consider assessing whether your current cyber information sharing practices should continue without the benefit of the current protections from CISA 2015.