May 19, 2026
CNAS Insights | The Case for Long-Term CISA 2015 Reauthorization
Last fall, one of the United States’ most important cyber defense laws expired. For six weeks, the private sector no longer had legal protections to share critical cyber threat information with its peers and the federal government. The law was later restored, only to lapse again at the end of January 2026 before being reauthorized in early February 2026. Unless Congress acts, the law will expire once more in September.
That law, the Cybersecurity Information Sharing Act of 2015 (CISA 2015), is a foundation of public-private cyber defense that has longstanding, broad bipartisan support in Congress, industry, and across presidential administrations. The law encourages the private sector to share cyber threat information with the U.S. government and among other private companies by providing protections from antitrust liability, lawsuits, and disclosures under the Freedom of Information Act. These protections help promote rapid information sharing—raising the cost for malicious cyber actors to carry out large-scale attacks.
Lawmakers included a sunset provision in CISA 2015 to spur congressional debate surrounding liability protections and to ensure it keeps pace with changing threats and technologies while protecting civil liberties. But the downsides of the sunset increasingly outweigh its benefits. Over the past 10 years, the sunset requirement has not produced reliable reform, only uncertainty. The substantive debates about CISA 2015 taking place in Congress are being overshadowed by the legislative deadline itself and political brinksmanship that jeopardizes the existence of the bipartisan law in the first place.
Lawmakers should either substantially extend the authorization cycle or, better yet, make the law’s core authorities permanent. If Congress permanently authorizes the law, it should continue to monitor its effectiveness through oversight and legislative amendment when needed. No legislative structure can guarantee reform, but the status quo has given the United States the worst of both worlds: no productive reform and repeated lapses that jeopardize cyber defense operations in the United States.
When CISA 2015 lapsed in 2025, the impacts were immediate. Information sharing did not collapse, but uncertainty slowed it. The Health-ISAC Chief Security Officer reported less willingness from the private sector to share critical threat information with the federal government, while less information appeared to be coming from government partners, including the FBI, Department of Homeland Security, and Cybersecurity and Infrastructure Security Agency. Industry members, including the senior director at the Business Software Alliance, reported involving lawyers more in discussions before sharing threat intelligence. The result was a country less prepared to defend against cyber threats.
The cost of another lapse in September 2026 would be higher still. The importance of public-private information sharing is only growing as AI reshapes the cyber threat landscape. Historically, the most sophisticated cyber operations required the resources of nation-states. This is changing. Advanced cyber capabilities are now emerging from private sector frontier AI labs. Last month, Anthropic announced its new model, Claude Mythos Preview, which the company claims found thousands of vulnerabilities across every major operating system and web browser, including many previously undiscovered vulnerabilities. While the U.S. government is a highly capable cyber actor, it must be able to stay abreast of these developments. This requires robust public-private information sharing, which will not be sufficiently protected without CISA 2015.
Unfortunately, CISA 2015 is part of a broader trend of frequent authorization lapses that threaten to undermine national security. Section 702 of the Foreign Intelligence Surveillance Act (FISA) is one of the U.S. government’s most important foreign intelligence collection tools. The April 2026 U.S. Privacy and Civil Liberties Board public report says that 63 percent of the Presidential Daily Brief’s intelligence was collected under the Section 702 authority in 2025. On April 17, Congress passed just a 10-day reauthorization of the legislation, and then passed a 45-day extension on April 30, placing the intelligence community under prolonged uncertainty even as it supports military operations in the Middle East and Western Hemisphere. While existing certifications under Section 702 may continue even under a lapse, the government would not be able to seek new certifications if the law expires. A lapsed law also gives companies less comfortable ground to operate on. The Defense Production Act (DPA) has similarly been a legal pinball in the past year—placing at risk the government’s ability to compel industries to support national defense objectives while the country is engaged in ongoing military operations this year.
A common theme across the CISA 2015, FISA Section 702, and DPA legislative frameworks is that they all include important provisions regarding cooperation with and compliance by the private sector. Absent these legislative frameworks, demands by the executive branch on private sector partners to comply with national security objectives could be thrust into the realm of executive authority. That would mean that, in the absence of renewed legislation, the private sector might still be subject to demands by the executive branch to provide information in response to a request, but the legal footing for that compliance would be far less clear. The better option for CISA 2015 is a solid, permanent legislative framework while pursuing substantive oversight and reform through the amendment process.
Supporters of sunsets have a fair concern—national security legal authorities should be subject to substantial oversight and review. But these deliberations can take place under the normal legislative review process. Congress continues to update and strengthen laws through hearings and amendments. Given emerging threats in cyberspace, information sharing under CISA 2015 should be treated as equally critical for cyber defense as laws like the Cyber Incident Reporting for Critical Infrastructure Act, which does not have a sunset clause. Congress can continue to conduct oversight of CISA 2015 to ensure civil liberties are protected and the legislation is modernized if permanently authorized.
Over a decade ago, Congress began years of bipartisan debate on how to counter sophisticated cyber attacks that had caused significant national security harm. CISA 2015 emerged as a hard-won compromise, built on the recognition that public-private information sharing is essential to enable collective defense against emerging cyber threats. The United States is now facing a new generation of threats in cyberspace, including rapidly advancing AI-enabled cyber capabilities that are being developed outside the purview of the federal government. Strong public-private information sharing will be just as essential to defend against these threats, which pose risks to critical infrastructure, government networks, and private businesses. By permanently authorizing CISA 2015, or substantially extending its authorization cycle, the United States can allow this critical law to be modernized and reformed without repeatedly jeopardizing the foundational infrastructure of America’s cyber defense.
Carrie Cordero is the Robert M. Gates senior fellow and director of the National Security Law Program at the Center for a New American Security.
Morgan Peirce is a research assistant with the Technology and National Security Program at the Center for a New American Security.
