Unless Congress can come to a bipartisan consensus, the important role of the cyber info-sharing authorities expires on September 30, 2025, endangering the collective cyber defense of America. The House Homeland Security Committee has gone ahead in advancing significant legislation to further expand these programs, although the Senate politics and political differences are working against the initiative to beat the deadline.
House improves the security under time pressure
On September 3, 2025, two expiring measures to continue information flow of cyber threats between government and industry were voted on by the House Homeland Security Committee. First is a reauthorization of the 2015 Cybersecurity Information Sharing Act (CISA 2015), which provides businesses with incentives to disseminate information about cyber threats to the Federal Government and among themselves.
Andrew Garbarino, chairman, submitted H.R. 5079, the Widespread Information Management to the Welfare of Infrastructure and Government (WIMWIG) bill, under which he parted with the committee by a margin of 25-0. The new law authorizes until 2035 with specific changes in relation to the current setting, including specific allusions to artificial intelligence tools and revised oversight duties.
In his opening statement, Garbarino commented that: I stand in support of all the bills that are being discussed during the markup today, and I would expect all my colleagues to do the same. The bill obliges the Attorney General and Secretary of Homeland Security to jointly revise the policies of sharing the threats, with the emphasis on expeditious communication to the state, local, tribal, and territorial governments and critical-infrastructure operators.
Business supports a framework for sharing information
The reauthorization efforts have been supported very strongly by industry leaders. The reauthorization of CISA 2015 maintains and improves a successful legal foundation allowing reliable, prompt, and efficient cyber threat information exchange between citizens and the corporate sector, said Jonathan Spalter, president and CEO of USTelecom.
Experts in cyber policies warn that a lapse would raise uncertainty among firms that depend on the liability safeguards laid out in the law, which would also have the effect of thawing real-time sharing. Barry Mainz, the CEO of Forescout Technologies, made his point more urgent: Advanced persistent threat actors are ruthlessly seeking entry to U.S. critical infrastructure, including hospitals, energy grids, water systems, schools, and financial institutions, with an attractive array of vulnerable IoT and OT targets.
However, even though the House has made progress, there are still major challenges in the Senate. A possible area of disagreement is what is not in the text of the House bill, i.e., a language limiting the work of CISA on combating online misinformation: another provision that Senate Homeland Security Committee Chair Rand Paul has already insisted on.
Stakeholder state and local grants on cybersecurity
S. 1337, by Senators Gary Peters and Mike Rounds, is a clean 10-year extension bill (sometimes known as a legacy bill) that does not include policy changes, but no longer has a bipartisan text that has moved through committee. Due to Senate uncertainty over time, markup has not been announced by Chair Paul.
The committee also advanced H.R. 5078, the Protecting Information by Local Leaders for Agency Resilience Act (PILLAR), by a 21-yeas-to-1-nay vote. Ten-year renewal of the State and Local Cybersecurity Grant Program: This bill builds upon the State and Local Cybersecurity Grant Program (enacted under the Bush tax reform) that has offered states, localities, and tribal governments more than a billion dollars in the past four years to enhance their networks further.
Provided that the chambers will be unable to reconcile the approaches within a short period, the lawmakers are already considering a temporary extension in the form of a continuing resolution. Nonetheless, the lack of coordination between authorities can compromise the trusted framework that allows for identifying and responding to cyber threats across the networks of critical infrastructure in America quickly.