SB 1337 makes a single, targeted change to the Cybersecurity Act of 2015: it amends Section 111(a) to replace the statutory expiration year “2025” with “2035.” That one‑line change extends the Act’s information‑sharing authorities and whatever legal effects are tied to that effective period for ten more years.
The extension preserves the status quo for public–private cybersecurity information flows and the legal environment participants have built around them. For compliance officers and security teams, the bill removes an immediate deadline for legislative action but does not update definitions, privacy safeguards, or oversight mechanisms that stakeholders have identified as needing modernization.
At a Glance
What It Does
The bill amends 6 U.S.C. 1510(a) (Section 111(a) of the Cybersecurity Act of 2015) by striking “2025” and inserting “2035,” extending the Act’s effective period by ten years. It is a textual, single‑line amendment and does not add new reporting, funding, or substantive statutory language.
Who It Affects
Organizations that share cyber threat indicators with federal agencies (including technology firms, security vendors, and critical‑infrastructure operators), the Department of Homeland Security and CISA, and civil‑liberties groups monitoring information‑sharing practices. Legal and procurement teams that manage incident‑response contracts will also be directly impacted.
Why It Matters
The Act’s expiration date underpins legal certainty for ongoing information‑sharing programs, liability considerations, and administrative practices. Extending the date preserves operational continuity but also postpones legislative consideration of updates to privacy, oversight, and technical standards used in sharing.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB 1337 is narrowly written and narrowly focused: it changes a single digit in the United States Code. Where Section 111(a) of the Cybersecurity Act of 2015 currently lists an effective period ending in 2025, the bill replaces that year with 2035.
On its face the amendment is mechanical, but its practical effect is to keep the Act’s authorities alive for an additional ten years.
Because the Cybersecurity Act established the legal framework many companies and federal bodies use to exchange cyber indicators and defensive measures, extending the effective period maintains the rules under which that exchange occurs. That includes the continued availability of whatever legal protections, procedural pathways, and administrative structures the 2015 law created or enabled.
Importantly, SB 1337 does not change the scope of those authorities or introduce new privacy or oversight requirements — it preserves the status quo.For practitioners, the bill changes the planning horizon. Security teams, legal counsels, and contracting officers can rely on the existing statutory background for another decade when evaluating risk, drafting sharing agreements, and designing incident response processes.
Conversely, policymakers lose a near‑term legislative lever: rather than forcing a reconsideration of definitions, data‑handling limits, or accountability mechanisms by letting the authority lapse, Congress would be signaling willingness to let current arrangements persist without substantive reform.Operational consequences will depend on complementary actions by agencies and the private sector. Agencies will still need funding, governance documents, and technical standards to run sharing programs; the bill does not address those implementation levers.
Likewise, civil‑liberties and privacy concerns tied to how indicators are collected, used, or retained remain unresolved by this extension and will continue to be litigated or addressed through policy and agency rulemaking rather than statutory change.
The Five Things You Need to Know
The bill amends Section 111(a) of the Cybersecurity Act of 2015 by striking “2025” and inserting “2035” (codified at 6 U.S.C. 1510(a)).
The extension period created by the amendment is ten years—moving the Act’s effective end date forward by a decade.
SB 1337 contains no other substantive changes: it does not add new obligations, reporting duties, funding authorizations, or definitions.
Because the change is purely temporal, existing statutory effects linked to the Act’s effective period (such as the legal framework enabling voluntary information sharing) remain in place unchanged.
Senator Gary Peters introduced S.1337 (with Senator Rounds listed in the sponsorship line) on April 8, 2025; the bill was referred to the Senate Committee on Homeland Security and Governmental Affairs.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
This section names the measure the “Cybersecurity Information Sharing Extension Act.” It is a conventional short‑title clause with no legal effect beyond identifying the bill.
Extends the Cybersecurity Act’s effective period from 2025 to 2035
This is the operative provision. It instructs an amendment to Section 111(a) of the Cybersecurity Act of 2015 (6 U.S.C. 1510(a)) by replacing the year “2025” with “2035.” Practically, that keeps in force the Act’s information‑sharing authorities and the statutory framework that governs interactions between private parties and federal cyber defenders for ten more years. The amendment is textual and does not change substantive provisions, definitions, or oversight language elsewhere in the statute.
No additional programmatic or oversight changes included
The remainder of the bill contains standard enactment language. Because SB 1337 only amends the effective date, it does not create new reporting duties, appropriations, or review triggers. That means any perceived gaps in privacy protections, data‑minimization standards, or coordination mechanisms must be addressed through future legislation, agency rulemaking, or policy rather than by this bill.
This bill is one of many.
Codify tracks hundreds of bills on Technology across all five countries.
Explore Technology in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Private cybersecurity teams and large technology firms — they retain the legal certainty that underpins voluntary indicator sharing and operational collaboration with federal partners, reducing near‑term legal and contractual risk.
- CISA and DHS — the extension preserves the statutory authority those agencies rely on to collect, analyze, and disseminate cyber threat information without interruption.
- Managed security service providers and incident‑response vendors — continued framework stability makes it easier to design services that assume ongoing inter‑organizational sharing and federal engagement.
- Critical infrastructure operators (energy, finance, healthcare) — they keep access to government‑fed threat intelligence streams that many rely on for situational awareness and response.
Who Bears the Cost
- Civil‑liberties and privacy advocacy organizations — extending the current framework delays statutory reform, potentially prolonging data‑handling practices they view as insufficiently protective.
- Small and mid‑sized vendors — while benefiting from continuity, they still must absorb compliance and integration costs to participate in sharing programs without receiving any new statutory assistance.
- Federal agencies responsible for administering sharing programs — DHS and CISA retain operational responsibilities for another decade and may need additional budgetary and personnel resources to manage program continuity and standards.
- Congressional oversight bodies — by deferring substantive reauthorization debates, Congress foregoes an immediate opportunity to reevaluate, update, or tighten statutory safeguards and reporting requirements.
Key Issues
The Core Tension
The central dilemma is between operational continuity and the need for statutory modernization: extending the Act preserves a working framework that defenders use daily, but it postpones a deliberate legislative reckoning over privacy safeguards, oversight, and technical standards that many observers argue are overdue.
The bill’s strength is also its limitation: by changing only the expiration year, SB 1337 guarantees continuity but does nothing to address the most debated aspects of the Cybersecurity Act of 2015. Privacy advocates, technologists, and some lawmakers have called for clearer limits on data retention, stronger privacy protections, explicit data‑minimization rules, and improved oversight and transparency around how shared indicators are used.
This bill buys time for defenders and agencies, but it leaves those unresolved substantive questions on the policy table.
Implementation poses practical questions. Agencies need budgets, technical standards, and interagency processes to operationalize the law; a date change does not supply those resources.
The extension may encourage reliance on existing administrative practices that courts and regulators will continue to test, and it could reduce the political urgency for comprehensive legislative reform. Finally, because the amendment is silent on cross‑border data flows and modern machine‑to‑machine sharing practices, stakeholders will need to rely on agency guidance or separate legislation to resolve conflicts between operational needs and privacy or international‑law constraints.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.