The Cybersecurity Information Sharing Act of 2015 (“CISA 2015”), which provides protections for sharing cybersecurity threat information with the federal government and others, was reauthorized under the funding bill to reopen the federal government, which was enacted on November 12, 2025.  The information sharing mechanisms and protections under CISA 2015, which had previously sunset on September 30, 2025, will now extend through January 30, 2026.

As we have previously described, the law creates a cybersecurity information sharing framework and establishes certain protections – including exemptions from disclosure under FOIA, limits to liability, and limits to waiver of legal privilege – for sharing that information with private parties and the federal government.  See our prior blog posts in 2015 and 2016.  Prior to lapsing in September, multiple bills had been introduced to reauthorize CISA 2015, some of which would have adjusted or altered the substance of the law.  However, the Continuing Appropriations, Agriculture, Legislative Branch, Military Construction and Veterans Affairs, and Extensions Act, 2026 (“Continuing Resolution”), leaves the preexisting law intact by simply substituting the statutory sunset date (6 U.S.C. § 1510(a)) with “January 30, 2026.” 

While CISA 2015 is now reauthorized through the end of January 2026, it remains unclear whether Congress will reauthorize the law before the new sunset date.  For now, qualified cyber threat information can be shared with the protections afforded by CISA 2015.  However, organizations should continue to monitor for future legislative efforts to modify or simply reauthorize CISA 2015 beyond the new January 2026 sunset date.

Tags: CISA, Cybersecurity, Cybersecurity Information Sharing Act of 2015, Data Security
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashden Fein Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels…

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Read more about Ashden FeinEmail
Show more Show less
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Read more about Caleb SkeathEmail
Show more Show less
Photo of John Webster Leslie John Webster Leslie

Web Leslie advises clients on a broad range of challenges and opportunities at the intersection of technology and security, including investigations, regulatory, and transactional matters related to cybersecurity, national security, critical infrastructure, and data privacy.

In his white-collar practice, Web helps clients navigate…

Web Leslie advises clients on a broad range of challenges and opportunities at the intersection of technology and security, including investigations, regulatory, and transactional matters related to cybersecurity, national security, critical infrastructure, and data privacy.

In his white-collar practice, Web helps clients navigate both government and internal investigations. He specializes in complex civil and criminal investigations related to alleged government contracts fraud and other cybersecurity-related allegations under the False Claims Act, FTC Act, and equivalent state laws. Additionally, Web assists clients in responding to a variety of cyber incidents, ranging from intrusions and extortion by advanced persistent threats to business email compromises and large-scale data breaches. Web also helps clients investigate insider threat activity and potential noncompliance with regulatory and contractual cybersecurity requirements.

In his advisory and transactional practice, Web assists clients across a wide range of industries and critical infrastructure sectors manage risk in an evolving regulatory landscape. He regularly advises on cybersecurity compliance and best practices, information security program development, incident response preparedness, insider threat risks, third-party risk management, and international cyber regulations, among other areas. Web also advises clients on a variety of government and industry standards, including the NIST Cybersecurity Framework 2.0, NIST SP 800-53, NIST SP 800-171, FedRAMP and state equivalents (e.g., GovRAMP, TX-RAMP), CJIS, ISO/IEC standards (e.g., ISO 27001), SOC2 Type 2, and other sector-specific requirements (e.g., HIPAA Security Rule, PCI DSS, DFARS Clause 252.204-7012, NERC Critical Infrastructure Protection).

In addition to his regular practice, Web counsels pro bono clients on data breach, immigration, and criminal law matters.

Web previously served in government in different roles at the Department of Homeland Security (DHS), including at the National Protection and Programs Directorate—known today as the Cybersecurity and Infrastructure Security Agency (CISA)—where he specialized in cybersecurity and critical infrastructure protection, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.

Read more about John Webster LeslieEmail
Show more Show less