CISA 2015 Deadline Extended: What You Need to Know

Summary
– The US government temporarily extended the Cybersecurity Information Sharing Act (CISA 2015) until January 30, 2026, as part of legislation ending a government shutdown.
– CISA 2015 provides legal liability protection for companies sharing cyber threat intelligence through the voluntary Automated Indicator Sharing Program.
– A survey revealed that a one-hour delay in cyber incident response costs organizations an average of $114,000, highlighting the importance of timely information sharing.
– Cybersecurity professionals welcomed the extension but urged Congress to make it permanent, as the temporary nature creates uncertainty.
– CISOs report being understaffed and ill-prepared: 84% believe a successful cyber-attack is inevitable, and respondents say they can effectively respond to only 36% of attacks on average.
The Cybersecurity Information Sharing Act of 2015 (CISA 2015), a foundational U.S. law for cyber threat intelligence exchange, has received a temporary extension following a government shutdown. This legislation, which had expired in September 2025, was revived through the Continuing Appropriations, Agriculture, Legislative Branch, Military Construction and Veterans Affairs and Extensions Act, 2026, passed by the Senate on November 9. The renewal keeps CISA 2015 active until January 30, 2026, though its long-term status remains uncertain.
At the heart of CISA 2015 is a provision that protects companies from legal liability when they voluntarily share cyber threat data. This occurs primarily through the Automated Indicator Sharing Program (AIS), offering clear guidelines for secure information exchange with partners and government bodies. Such clarity is vital, especially considering recent findings from Binalyze’s CISO survey, which revealed that just one hour of delay in responding to a cyber incident costs victim organizations an average of $114,000.
While cybersecurity professionals have welcomed the three-month reauthorization, many view it as a stopgap measure. Errol Weiss, Chief Security Officer for the Health Information-Sharing Analysis Center (Health-ISAC), described the extension as “a good sign” demonstrating continued support for the law. He noted, however, that it serves as “a temporary patch” and urged Congress to consider a longer-term solution, either a permanent extension or one lasting another decade.
Weiss observed that the law’s expiration in late September had little impact on information sharing among Health-ISAC members, which has shown “steady growth for years.” The more significant effect, he pointed out, has been on organizations’ willingness to share cyber threat intelligence with federal agencies. “We are seeing less coming from government partners, such as the FBI, the Department of Homeland Security, and CISA,” Weiss explained, attributing this partly to the law’s lapse and other contributing issues.
Staff reductions within federal agencies have also played a role, disrupting established relationships between cybersecurity professionals and their government contacts. This comes at a time when Chief Information Security Officers are already grappling with understaffing, escalating cyber threats, and internal organizational challenges. Adding ambiguity around data-sharing protocols only compounds these difficulties.
According to Binalyze’s State of Cybersecurity Investigations 2025 report, published on November 18, a striking 84% of CISOs now believe a successful cyber-attack targeting their organization is inevitable. The same survey, which polled 200 U.S.-based CISOs, found that many feel ill-prepared, with respondents stating they can effectively respond to just 36% of cyber-attacks on average.
(Source: InfoSecurity Magazine)