CISA 2015 set to expire Sept 30

- Congress already extended the Cybersecurity Information Sharing Act in February 2026, so the real deadline is September 30, 2026 — not this September.
- The law’s practical value is legal cover: liability, disclosure, antitrust, and privilege protections for companies sharing threat indicators through programs like AIS.
- That matters because firms now have one more budget cycle to decide whether threat-sharing stays a protected compliance workflow or becomes ordinary legal risk.

The big correction here is simple: this law did not just suddenly become set to expire in a few months. Congress already pushed the Cybersecurity Information Sharing Act of 2015 out to September 30, 2026 in a funding bill passed in early February. So the story now is not “an immediate cliff.” It’s that the U.S. has bought itself a short runway, and everyone who relies on the law still has a real sunset date staring at them.

### What law are we actually talking about?

This is the 2015 federal framework that lets companies and government agencies voluntarily share cyber threat indicators and defensive measures. Think malware signatures, suspicious IPs, exploit patterns, and technical details that help others block the same attack. The law sits in 6 U.S.C. Chapter 6, Subchapter I, and it is not just a permission slip — it is a package of legal protections meant to make sharing less risky. (hunton.com)

### Why do companies care so much about the legal protections?

Because the useful part of this statute is not the idea of sharing. Companies can often share information in other ways. The useful part is the shield around that sharing. The law protects qualifying participants from certain liability, shields shared material from some disclosure rules, limits some regulatory uses, preserves privilege in key cases, and removes antitrust exposure for authorized sharing activity. Without that wrapper, the same act of sharing can look much more expensive to a legal team. (law.cornell.edu)

### What changed in February?

Congress did not rewrite the system. It just extended the sunset date. The February 2026 appropriations package kept the existing framework in place through September 30, 2026 after earlier short-term patches had only carried it into late January. So the definitions, conditions, and basic mechanics stayed the same. The clock just got reset for nine more months. (hunton.com)

### What does this law power in practice?

One visible piece is Automated Indicator Sharing, or AIS. That is CISA’s service for machine-speed exchange of cyber threat indicators and defensive measures between government and private-sector participants. It is voluntary and free, and it is built for real-time sharing. If you want the concrete version of this law, AIS is basically it. (hunton.com)

### Has the system actually been working?

Broadly, yes — at least on the core compliance pieces. GAO said the agencies implementing the act had policies and procedures in place, and that the framework positively contributed to sharing between federal and nonfederal entities. GAO also said agencies met requirements around privacy and civil-liberties protections, including removing personally identifiable information before sharing. That matters because privacy was one of the big objections when the law was first passed. (cisa.gov)

### So what is the real risk now?

The risk is not that cyber threat sharing vanishes overnight today. The risk is that companies treat this as someone else’s policy problem until the next deadline gets close. If Congress lets the law lapse again, the operational plumbing may still exist, but the legal comfort around participation gets shakier. That can slow sharing exactly when ransomware, infrastructure attacks, and sector-wide campaigns reward speed. (gao.gov)

### Why does this spill into finance and governance?

Because cyber controls are no longer just an IT hygiene issue. If a company’s threat-sharing, logging, evidence retention, and response workflows break down, that can hit disclosure decisions, internal control testing, and the integrity of financial systems. A compromised ERP, treasury platform, or close process is not just a security event — it can become a reporting problem. That is the catch boards and audit committees need to hear now. This last extension bought time, but not certainty. (hunton.com)

### Bottom line?

The clean version is this: the law is alive, but temporary. Congress fixed the immediate deadline in February 2026, not forever. Between now and September 30, 2026, companies need to decide whether their cyber-sharing processes are sturdy enough to survive with or without this specific legal shield. (hunton.com)
