SB2983 reauthorizes the Cybersecurity Information Sharing Act of 2015 by extending the period during which agencies and private sector partners can exchange cyber threat indicators and defensive information. The bill also provides a retroactive effective date and renames the core statute and related references to reflect a broader framing of cyber threats.
Specifically, the amendment moves the operative expiration date for Section 111(a) authorities from September 30, 2025 to September 30, 2035, and it takes effect as if enacted on October 1, 2025. In addition, Section 101 and related provisions of the Homeland Security Act are amended to rename the act to Protecting America from Cyber Threats Act, with conforming edits throughout the statute text.
The package signals continuity of information sharing programs without introducing new authorities or substantive policy shifts beyond the extension and rename.
At a Glance
What It Does
Extends the expiration of Section 111(a) Cybersecurity Information Sharing Act authorities to 2035 and establishes a retroactive effective date of October 1, 2025. Also renames the primary statute to reflect broader threat protection.
Who It Affects
Federal agencies implementing CISA authorities, private sector partners participating in threat indicator sharing, ISACs and information-sharing platforms, and critical infrastructure operators involved in cyber defense.
Why It Matters
Ensures ongoing, stable information sharing between government and industry for a decade, reducing disruption to threat intel workflows while aligning nomenclature with a broader security framing.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The Extending Expired Cybersecurity Authorities Act reauthorizes the information-sharing framework established by the Cybersecurity Information Sharing Act of 2015. It preserves the core mechanism that enables federal agencies to share cyber threat indicators and defensive information with private sector partners and other stakeholders.
The key operational change is a ten-year extension of the authorities—moving the expiration from 2025 to 2035. In addition, the bill creates a retroactive trigger, making the extension effective as of October 1, 2025.
Beyond extending the authorities, SB2983 renames the primary statute and relevant provisions to reflect a broader mission of protecting the nation from cyber threats. This includes renaming Section 101 provisions and conforming changes within Title XXII of the Homeland Security Act to use the new title Protecting America from Cyber Threats Act.
The bill does not appear to add new authorities or alter the mechanics of information sharing; rather, it preserves the existing framework and ensures continuity while updating nomenclature to match contemporary framing of cyber risk.For practitioners, the bill signals that the baseline CISA information-sharing program will remain in place with the same general governance, privacy, and oversight contours, but with a standardized, modern name and a longer lifecycle before renewal would be considered. Stakeholders should anticipate implementing agencies and private partners maintaining current sharing arrangements without interruption, subject to any future rulemaking or guidance that accompanies the renaming.
The Five Things You Need to Know
The expiration of Section 111(a) information-sharing authorities is extended from 2025 to 2035.
The amendment includes a retroactive effective date of October 1, 2025.
The short title and related references are renamed to Protecting America from Cyber Threats Act.
Conforming amendments update Title XXII of the Homeland Security Act to reflect the new act name.
No new authorities or substantive policy changes are introduced beyond extension and renaming.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Extend expiration of information-sharing authorities
The core mechanism—information sharing of cyber threat indicators and defensive information—remains as established in the Cybersecurity Information Sharing Act of 2015. SB2983 extends the operative expiration date from September 30, 2025 to September 30, 2035, ensuring continuity of the program for another decade. This section also sets the stage for the retroactive effective date linked to the amendment, reinforcing immediate alignment with ongoing information-sharing activities.
Retroactive effectiveness
The amendment provides that its changes take effect as if enacted on October 1, 2025. This retroactive timing is intended to minimize disruption to ongoing information-sharing operations and to align the statutory framework with existing operational practices that began prior to the formal enactment date.
Renaming and nomenclature updates
Section 101, and related provisions, are amended to rename Cybersecurity Information Sharing Act of 2015 to Protecting America from Cyber Threats Act. This renaming affects the core title and notes, signaling a broader framing of cyber threat protection across the statute.
Conforming changes to Title XXII
Title XXII of the Homeland Security Act of 2002 is amended to replace references to the old act name with Protecting America from Cyber Threats Act. These conforming edits ensure consistency across cross-referenced provisions without altering the substantive authorities.
This bill is one of many.
Codify tracks hundreds of bills on Technology across all five countries.
Explore Technology in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal agencies (such as DHS components and other intel-sharing bodies) benefit from continued, predictable authorities to share cyber threat indicators and defensive information.
- Private-sector participants in threat-sharing ecosystems (critical infrastructure operators, security vendors, ISACs) gain stability and certainty for ongoing collaboration with government partners.
- Information-sharing platforms and coordination bodies see reduced governance risk and clearer statutory framing for their operations.
- State and local governments involved in cyber defense programs benefit from uninterrupted access to threat intelligence and collaboration with federal partners.
Who Bears the Cost
- Public and private entities that participate in information sharing may incur ongoing compliance costs associated with maintaining interoperable sharing arrangements and protecting shared data.
- Federal agencies must maintain operational and administrative capacity to administer the extended authorities and ensure ongoing privacy and civil liberties safeguards.
- Implementation costs for agencies to align with the renamed statute and conforming references across regulations, guidance, and internal policies.
Key Issues
The Core Tension
The central dilemma is balancing the continuity and effectiveness of cyber threat information sharing with the need for ongoing privacy protections and adaptable governance, all while extending the authorization horizon by a full decade without adding new authorities.
The extension preserves the status quo for information sharing between government and the private sector, which means privacy and civil liberties considerations remain central to ongoing operations. While the bill does not introduce new authorities or substantive policy shifts, the retroactive effect and renaming may prompt transitional governance questions—such as the need for updated guidance, training, or oversight measures to reflect the new nomenclature and the extended horizon.
Practitioners should watch for accompanying regulatory or interagency guidance that clarifies any procedural changes tied to the renaming and the longer authorization period.
A key tension is maintaining robust information-sharing capabilities while ensuring privacy protections and data handling standards keep pace with evolving threats. The central dilemma is whether extending an established framework for a decade suffices to address emerging risks or whether targeted enhancements to governance, oversight, or privacy safeguards should accompany a longer reauthorization.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.