As fractious as Congress has been for the better part of a decade, it did manage to pass the Cybersecurity Information Sharing Act in 2015. And now that it’s up for renewal, it seems prudent—no, necessary—that Congress unite to okay it once again.
“CISA has been instrumental in streamlining information flows that strengthen national cybersecurity defenses,” says April Lenhard, principal product manager at Qualys. By renewing it for another decade, Congress “will preserve the continuity of critical threat intelligence exchanges within the private sector and between private entities and the federal government.”
But the bill shouldn’t just be rubber-stamped. Reauthorization “isn’t just a bureaucratic box-check, it’s about keeping the digital lines of communication open between the private sector and government,” Lenhard says.
Senators Gary Peters, D-Mich., Ranking Member of the Homeland Security and Governmental Affairs Committee, and Mike Rounds, R-S.D., recently unveiled their stab at extending the law before a Congress that is more divided than ever. Both senators point to the crucial role the act has played in addressing cyberthreats as they evolve—think, SolarWinds, for one. Peters urged his colleagues in Congress to renew CISA so the collaborative partnership between the private sector and government can continue. “As cyberthreats grow increasingly sophisticated, information sharing is not just valuable—it remains essential for our national security,” Peters said in a statement.
And Rounds contends that if the legislation lapses, it would “significantly weaken” the country’s cybersecurity ecosystem.
Their updated bill comes at a time when cybersecurity is on shakier ground under the current administration—the U.S. cybersecurity posture of late has been rocked by firings at the Cybersecurity and Infrastructure Security Agency, hints that Russia would be released from Obama-era sanctions imposed in the wake of 2016 election interference, and an ongoing Signalgate scandal that found Secretary of Defense Pete Hegseth and other high-level security and defense officials tossing around sensitive info via a commercial app and using personal devices.
Not only do those things erode our cyber infrastructure, but the scuttlebutt in diplomatic circles has allies considering withholding intel from the U.S. at a time when threats are at their highest. Against this backdrop, collaboration between government and the private sector may be even more important, though perhaps a harder ask.
“The complex interdependence between public and private sectors in both network defense and intelligence contribution,” Lenhard notes, was on full display recently when MITRE’s CVE program very nearly was allowed to expire. “The entire threat intelligence ecosystem feels the ripple,” she says.
If CISA 2015 “is allowed to lapse, it reintroduces hesitation at the wrong time,” says Chad Cragle, CISO at Deepwatch. “Threat actors aren’t slowing down—and we can’t afford to, either.”
Among the law’s benefits is that it provided the legal clarity the industry needed to “share threat intel quickly, directly, and without second-guessing the lawyers,” he says, explaining that the JCDC programs, among others, “have only amplified that value, allowing [defenders] to work shoulder-to-shoulder with the government in an operational, rather than just performative, way.”
But, as Cragle points out, renewal of the law presents the opportunity “to fine-tune the law, preserving its core strength while ensuring it reflects today’s privacy expectations, supply chain realities, and operational complexity” to accommodate a threat landscape that “has evolved significantly over the past decade, as have the risks associated with data handling and cross-sector coordination.”
To get it right, Congress must build “on what works while adapting to what has changed,” he says. That means putting aside the heat of the moment and coming together in bipartisan fashion.
Bugcrowd founder Casey Ellis is right when he calls cybersecurity a team sport. “And the truth of this idea is only becoming more obvious in a progressively more hostile global environment,” he says. “The Cybersecurity Information Sharing Act provides a safe framework for information sharing, and underpins both public/private partnership sharing and the ‘in community’ sharing that powers US-based ISACs.”
Let’s hope Congress feels the same.
A bipartisan pair of senators is kicking off the race Wednesday to renew the bill, a move that industry groups and cyber experts are eager to see happen before it’s set to expire in September.
April Lenhard, Principal Product Manager at Qualys:
Reauthorizing the Cybersecurity Information Sharing Act (CISA) isn’t just a bureaucratic box-check—it’s about keeping the digital lines of communication open between the private sector and government. CISA has been instrumental in streamlining information flows that strengthen national cybersecurity defenses. Renewing CISA for another decade will preserve the continuity of critical threat intelligence exchanges within the private sector and between private entities and the federal government. CISA’s bipartisan support underscores how a voluntary and collaborative information-sharing framework remains a robust tool for collectively defending against evolving cyber threats. Recent developments—such as the near-expiration of MITRE’s CVE program—highlight the complex interdependence between public and private sectors in both network defense and intelligence contribution: The entire threat intelligence ecosystem feels the ripple.
Casey Ellis, Founder at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity:
“Cybersecurity is a team sport, and the truth of this idea is only becoming more obvious in a progressively more hostile global environment,” says Bugcrowd founder Casey Ellis. “The Cybersecurity Information Sharing Act provides a safe framework for information sharing, and underpins both public/private partnership sharing and the ‘in community’ sharing that powers US-based ISACs.”
I’m very glad to see Senator Rounds and Senator Peters moving this along.
Chad Cragle, CISO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform:
From a defender’s standpoint, the Cybersecurity Information Sharing Act has been one of the few legislative tools that truly moved the needle. It gave the industry the legal clarity to share threat intel quickly, directly, and without second-guessing the lawyers. Programs like JCDC have only amplified that value, allowing us to work shoulder-to-shoulder with the government in an operational, rather than just performative, way. If the law is allowed to lapse, it reintroduces hesitation at the wrong time. Threat actors aren’t slowing down—and we can’t afford to either.
At the same time, a renewal shouldn’t simply be a rubber stamp. The threat landscape has evolved significantly over the past decade, as have the risks associated with data handling and cross-sector coordination. This is an opportunity to fine-tune the law, preserving its core strength while ensuring it reflects today’s privacy expectations, supply chain realities, and operational complexity. Getting this right means building on what works while adapting to what has changed.
WASHINGTON, DC — U.S. Senators Gary Peters (D-MI), Ranking Member of the Homeland Security and Governmental Affairs Committee, and Mike Rounds (R-SD) introduced a bipartisan bill to extend provisions that encourage businesses to share information about ongoing cybersecurity threats with the federal government to strengthen our nation’s cybersecurity defenses. The bill, which will extend provisions that were originally signed into law through the Cybersecurity Information Sharing Act of 2015, incentivizes companies to voluntarily share cybersecurity threat indicators, such as software vulnerabilities, malware, or malicious IP addresses, with the Department of Homeland Security (DHS) to protect Americans’ personal information and ensure that both the federal government and companies can take collaborative steps to prevent data breaches or attacks from cybercriminals and foreign adversaries. Peters and Rounds’ Cybersecurity Information Sharing Extension Act would extend these critical protections for an additional ten years.
“As cybersecurity threats grow increasingly sophisticated, information sharing is not just valuable—it remains essential for our national security,” said Senator Peters. “For the past ten years, these critical protections have helped to address rapidly evolving cybersecurity threats, and this bipartisan bill will renew them so we can continue this collaborative partnership between the private sector and government to bolster our nation’s cybersecurity defenses against a wide range of adversaries.”
“The Cybersecurity Information Sharing Act of 2015 has been instrumental in strengthening our nation’s cyber defenses by enabling critical information sharing between the private sector and government,” said Senator Rounds. “Allowing this legislation to lapse would significantly weaken our cybersecurity ecosystem, removing vital liability protections and hampering defensive operations across both the defense industrial base and critical infrastructure sectors.”
Since it was first enacted ten years ago, the Cybersecurity Information Sharing Act of 2015 has been instrumental in fostering collaboration between industry leaders and federal agencies, enabling the identification and mitigation of cybersecurity threats. Protection from legal or regulatory punishment in the legislation has encouraged private sector organizations to voluntarily share information about cybersecurity threats, providing valuable insights into malicious cyber activities and strengthening our nation’s ability to respond to cyberattacks. Information sharing about security flaws also helps prevent significant breaches and helps CISA support victims of attacks as they recover. The legislation also established comprehensive privacy protection to prevent individuals’ personally identifiable information (PII) from being included in threat information reports.
In recent years, these information sharing protections have been used to help address the SolarWinds cyberattack, operations like Volt Typhoon and Salt Typhoon, and to alert federal agencies to ongoing attacks from Russia, China, Iran, North Korea, and other attackers. This threat information is also often shared widely with state and local governments and critical infrastructure sectors through the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Joint Cyber Defense Collaborative and various Information Sharing and Analysis Centers, or ISACs – ensuring communities throughout the nation and businesses across a range of industries are informed of ongoing cybersecurity threats.
In his role on the Homeland Security and Governmental Affairs Committee, Peters has led efforts to ensure our nation is better prepared to defend against cyberattacks. His historic, bipartisan provision to require critical infrastructure owners and operators to report to CISA if they experience a substantial cyberattack or if they make a ransomware payment was signed into law. Peters’ bipartisan bills to enhance cybersecurity assistance to K-12 educational institutions, bolster cybersecurity for state and local governments, strengthen the federal cybersecurity workforce, and help secure federal information technology supply chains have also been signed into law.