Time is running out to expand the critical cyber information-sharing legislation

Controversy over renewing CISA 2015 emerges as a significant initial challenge for new Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.).

Cyber information sharing law extension deadline approaches

Cybersecurity Information Sharing Act (CISA) 2015 Up for Reauthorization

The Cybersecurity Information Sharing Act (CISA) of 2015, a key piece of U.S. cybersecurity legislation, is currently undergoing reauthorization by the U.S. Congress before it expires on September 30, 2025 [1]. This act facilitates improved collaboration between private companies and the government to address and react quickly to cyber threats [1].

The reauthorization process is generating significant debate, especially around expanding the scope and protections of information sharing to cover supply chain risk information (SCRI) [3]. A recent report from a federal working group suggests amending CISA 2015 to explicitly add supply chain risk as a type of "Cyber Threat Indicator" to encourage broader and more effective sharing of threat intelligence related to supply chain vendors and vulnerabilities [3].

Key points of debate and consideration include:

  • Definition and inclusion of supply chain risk information: The proposal aims to broaden what constitutes cyber threat information to include supply chain threats, offering a legal framework for sharing such details, even naming suspected risky suppliers, to improve collective defense [3].
  • Liability protections: The ongoing discussion involves setting due diligence parameters to ensure entities sharing information under this expanded scope receive adequate liability protection, which is critical for encouraging voluntary sharing without fear of legal repercussions [3].
  • Effectiveness versus privacy and regulatory concerns: While CISA 2015 has improved collaboration and imposed costs on malicious actors, critics remain concerned about privacy protections and regulatory overlap. Some lawmakers have urged the Office of Management and Budget (OMB) to review fragmented cybersecurity regulations, arguing that overlapping laws could raise industry compliance costs and complicate national cyber resilience efforts [4].
  • Adapting to new cyber threats: With evolving technologies like AI driving new cyber risks and vulnerabilities, some advocate that legislation like CISA must modernize to address complex threats such as AI-driven attacks and deepfake fraud, while balancing compliance burdens across sectors including healthcare and legal [2].

As of mid-July 2025, no final legislative changes or reauthorization have been completed. However, active proposals and discussions are shaping potential amendments. The House Homeland Security Committee, led by Andrew Garbarino (R-N.Y.), is committed to reauthorizing CISA 2015 [5]. Schimmeck has urged the committee to reauthorize CISA 2015 and then consider potential tweaks afterward [6]. Miller has suggested codifying other authorities related to CISA 2015, such as public-private collaborations like the Critical Infrastructure Partnership Advisory Council [6].

Alexandra Seymour, the majority staff director for the cybersecurity and infrastructure protection subcommittee, has emphasized the importance of ensuring CISA 2015 does not lapse, while also exploring potential tweaks to the law [2]. Seymour encourages industry to reach out to the committee with any recommendations on changes to the law, but emphasizes not allowing it to lapse as the top priority [2].

Rinaldo has stated that privacy concerns around CISA 2015 have not come to fruition, citing a recent Homeland Security inspector general report that found no personal information violations under CISA 2015 [7]. The information-sharing regime under CISA 2015 is considered critical to identifying and preventing cyber threats [7]. However, industry has criticized government agencies for not sharing enough cyber data back with the private sector [7].

Industry experts urge lawmakers to prioritize extending CISA 2015 above any potential improvements [8]. Ranking Member Bennie Thompson (D-Miss.) is concerned that opening up the House's reauthorization to potential changes will bog down the process [8].

In conclusion, the reauthorization of CISA 2015 is a top priority for the House Homeland Security Committee, with significant interest in expanding it to include supply chain risk sharing and liability protections. The debate weighs enhanced multi-directional threat sharing against concerns over regulatory complexity, privacy, and the need to keep pace with emerging cyber threats fueled by technologies like AI [1][3][4].

[1] - Cybersecurity Information Sharing Act of 2015
[2] - Seymour Encourages Industry to Reach Out on CISA Changes
[3] - Supply Chain Cybersecurity Bill Aims to Strengthen the Cybersecurity Information Sharing Act
[4] - Bipartisan Bill Aims to Modernize Cybersecurity Legislation
[5] - New Leader of House Homeland Security Committee Is Andrew Garbarino
[6] - Miller Suggests Codifying Other Authorities Related to CISA 2015
[7] - Rinaldo Says Privacy Concerns Around CISA 2015 Have Not Come to Fruition
[8] - Thompson Concerned Opening CISA Reauthorization to Changes Will Bog Down Process
[8] - Industry Experts Urge Lawmakers to Prioritize Extending CISA 2015

  1. The federal workforce and the private sector's workforce have been engaged in ongoing discussions regarding the reauthorization of the Cybersecurity Information Sharing Act (CISA) 2015, with a focus on expanding the scope of information sharing, particularly involving supply chain risk information (SCRI).
  2. A key debate surrounds the need to provide adequate liability protections for entities sharing information under this expanded scope, ensuring voluntary sharing without fear of legal repercussions.
  3. The reimagined CISA 2015, if reauthorized, may encompass a broader definition of cyber threat information, including supply chain threats, and may offer a legal framework for sharing risky supplier details to improve collective defense against cyber threats.
