Stakeholders Urge Cyber Info Sharing Act Renewal

CISA Executive Director Brandon Wales told Congress in May 2025 that allowing the Cybersecurity Information Sharing Act of 2015 to expire "would be a huge step back." | U.S. House of Representatives

Sep 16, 2025 | Holden Mann

Government and industry stakeholders have urged Congress to reauthorize a key cybersecurity bill before it expires at the end of September.

A key cybersecurity law is to expire at the end of September, and industry stakeholders say the security of the electric grid could be seriously hampered if lawmakers do not act soon to renew it.

The Cybersecurity Information Sharing Act of 2015 set requirements for the Departments of Homeland Security, Defense and Justice, along with the Director of National Intelligence, to share information on cybersecurity threats with private entities; state, local and tribal governments; and the general public. It also provides liability protections for entities that voluntarily share and receive cyber threat indicators and defensive measures with other entities or with the government.

The law has mostly succeeded in these goals, according to government studies. In a 2023 report, staff of the Office of the Inspector General of the Intelligence Community found that all of the departments named in the law had met its information sharing requirements and that the private sector was using the information sharing tools that agencies had put in place since its passage.

Similarly, authors of an analysis from the Government Accountability Office the same year observed that agencies had identified barriers to information sharing across the government as required by the act and were developing strategies for removing those barriers.

But cybersecurity professionals in multiple industries have expressed concern that the information sharing environment fostered by the law will decay quickly if the act is allowed to expire Sept. 30. Several electric industry stakeholder organizations joined a letter from the U.S. Chamber of Commerce to Congress in May 2025 urging reauthorization, including the Edison Electric Institute, Electric Power Supply Association, GridWise Alliance, Large Public Power Council and National Electrical Manufacturers Association (NEMA).

“It’s important to ensure that you know what are the common threats that industry is seeing, what are tactics that bad actors are implementing, what’s the chatter in the dark web around these actions?” Peter Ferrell, director of government relations at NEMA, told ERO Insider. “If those [electrical] systems go down … they don’t easily come back up. And so ensuring that those systems are as secure as possible, and sharing information among industry members [and] government partners is super critical.”

Ferrell couldn’t share details on the electric industry’s use of the law because of confidentiality concerns but did suggest that “the fact that you haven’t heard about it more is probably proof that it does work.”

“No one reports things when they don’t happen; they only report things when they do happen. So, while there have been major exploits over the past 10 years, and they are significant, you don’t see a lot of attacks happening on the manufacturing side of things.”

Members of the government have shared similar sentiments. Testifying before Congress in May 2025, Brandon Wales, former executive director of DHS’s Cybersecurity and Infrastructure Security Agency, called the act “an important tool to facilitate the flow of critical cyber intelligence” and said “letting it expire would be a huge step back.” At the same hearing, former acting National Cyber Director Kemba Walden not only pushed for reauthorization but urged Congress to update the act to clarify authorized defensive measures.

Efforts are under way to extend the act before it expires. Rep. Andrew Garbarino (R-N.Y.) introduced a bill Sept. 2 that would reauthorize the law through 2035 while updating definitions of “artificial intelligence” and “critical infrastructure,” and requirements on industry outreach. The bill has not yet been assigned to a committee.

Ferrell acknowledged the introduction of the bill and said NEMA would welcome updates to modernize the act but emphasized that the most important thing for the organization and other stakeholders is to ensure there is no gap in its information sharing protections.

“There are many pathways that it could possibly go in terms of being reauthorized. But [we hope] that there is no lapse, even a short one,” Ferrell said. “Trust takes a long time … to develop, but it’s very easily eroded. And so we hope that Congress and the powers that be come together and provide a long-term runway. … The sector needs this in order to make sure that [we can hit] those other, bigger policy and economic goals that America is trying to achieve.”

FERC & Federal