Two senators have introduced a bipartisan bill to extend key cybersecurity protections that encourage businesses to share threat information with the federal government.
The bill would renew provisions first signed into law under the Cybersecurity Information Sharing Act of 2015. Introduced by U.S. Senators Gary Peters (D-MI), Ranking Member of the Homeland Security and Governmental Affairs Committee, and Mike Rounds (R-SD), the bill incentivizes companies to voluntarily share cybersecurity threat indicators—like software vulnerabilities, malware, and malicious IP addresses—with the Department of Homeland Security (DHS).
Protecting Americans’ Personal Data
The goal is to better protect Americans’ personal data and strengthen collaboration between the government and private sector to prevent cyberattacks. The Cybersecurity Information Sharing Extension Act would keep these protections in place for another ten years.
“As cybersecurity threats grow increasingly sophisticated, information sharing is not just valuable—it remains essential for our national security,” said Peters. “For the past ten years, these critical protections have helped to address rapidly evolving cybersecurity threats, and this bipartisan bill will renew them so we can continue this collaborative partnership between the private sector and government to bolster our nation’s cybersecurity defenses against a wide range of adversaries.”
“The Cybersecurity Information Sharing Act of 2015 has been instrumental in strengthening our nation’s cyber defenses by enabling critical information sharing between the private sector and government,” added Rounds. “Allowing this legislation to lapse would significantly weaken our cybersecurity ecosystem, removing vital liability protections and hampering defensive operations across both the defense industrial base and critical infrastructure sectors.”
Since it first passed ten years ago, the Cybersecurity Information Sharing Act has helped build partnerships between businesses and federal agencies. It offered liability protections that encouraged companies to share threat information, giving the government and private sector better visibility into cyber threats. It also put strong privacy protections in place to ensure PII is not shared in the process.
Major Threat Response
Over the years, these protections have helped with response to major threats, including the SolarWinds attack and operations like Volt Typhoon and Salt Typhoon. Shared threat intelligence has also helped federal, state, and local governments—and critical industries—stay ahead of cyberattacks from adversaries like Russia, China, Iran, and North Korea.
Groups like CISA’s Joint Cyber Defense Collaborative and various Information Sharing and Analysis Centers (ISACs) have played key roles in spreading this information nationwide.
As a leader on the Homeland Security and Governmental Affairs Committee, Peters has pushed a number of cybersecurity initiatives. His bipartisan provision requiring critical infrastructure owners to report major cyberattacks or ransomware payments to CISA has been signed into law, along with his bills to boost cybersecurity for K-12 schools, state and local governments, the federal workforce, and federal IT supply chains.
Keeping Digital Lines of Communication Open
Reauthorizing the Cybersecurity Information Sharing Act (CISA) isn’t just a bureaucratic box-check—it’s about keeping the digital lines of communication open between the private sector and government, says April Lenhard, Principal Product Manager at Qualys.
“CISA has been instrumental in streamlining information flows that strengthen national cybersecurity defenses. Renewing CISA for another decade will preserve the continuity of critical threat intelligence exchanges within the private sector and between private entities and the federal government. CISA’s bipartisan support underscores how a voluntary and collaborative information sharing framework remains a robust tool for collectively defending against evolving cyber threats. Recent developments—such as the near-expiration of MITRE’s CVE program—highlight the complex interdependence between public and private sectors in both network defense and intelligence contribution: the entire threat intelligence ecosystem feels the ripple.”
A Team Sport
Cybersecurity is a team sport, adds Casey Ellis, Founder at Bugcrowd. “The truth of this idea is only becoming more obvious in a progressively more hostile global environment. The Cybersecurity Information Sharing Act provides a safe framework for information sharing, and underpins both public/private partnership sharing and the ‘in community’ sharing that powers US-based ISACs. I’m very glad to see Senator Rounds and Senator Peters moving this along.”
Truly Moving the Needle
From a defender’s standpoint, the Cybersecurity Information Sharing Act has been one of the few legislative tools that truly moved the needle, comments Chad Cragle, CISO at Deepwatch. “It gave the industry the legal clarity to share threat intel quickly, directly, and without second-guessing the lawyers. Programs like JCDC have only amplified that value, allowing us to work shoulder-to-shoulder with the government in an operational, rather than just performative, way. If the law is allowed to lapse, it reintroduces hesitation at the wrong time. Threat actors aren’t slowing down—and we can’t afford to either.”
At the same time, Cragle stresses that a renewal shouldn’t simply be a rubber stamp. “The threat landscape has evolved significantly over the past decade, as have the risks associated with data handling and cross-sector coordination. This is an opportunity to fine-tune the law, preserving its core strength while ensuring it reflects today’s privacy expectations, supply chain realities, and operational complexity. Getting this right means building on what works while adapting to what has changed.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


