Two cybersecurity laws that lapsed during the government shutdown moved closer to restoration on Monday after the Senate voted 60-40 to advance legislation extending them through January 2026.
The continuing resolution would restore the Cybersecurity Information Sharing Act of 2015 and the Federal Cybersecurity Enhancement Act, which expired on October 1 when Congress failed to pass a spending bill before the fiscal year deadline. The measure required additional procedural votes in the Senate this week before moving to the House for approval and then to President Trump’s desk.
The lapse stripped companies of the legal protections that had encouraged voluntary sharing of cyber-threat indicators with federal agencies and other organizations.
Without liability shields, antitrust exemptions, or Freedom of Information Act protections, many firms faced new legal exposure and slowed information exchange. Security experts warned the interruption risked slowing threat-intelligence flows at a time of rising nation-state and ransomware activity.
“After a record-breaking shutdown, we can now see the light at the end of the tunnel,” Senator Kevin Cramer said in a statement following Sunday’s procedural vote.
What the bill restores
The continuing resolution temporarily extended both cybersecurity statutes. Section 141 of the bill extends CISA 2015’s sunset date through January 2026, stating: “Section 111(a) of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1510(a)) shall be applied by substituting the date specified in section 106 of this Act for ‘September 30, 2025.’”
The legislation reinstated the legal and procedural safeguards that allow companies to share threat data with the government, and it renews authorization for CISA to provide network-security services, including the EINSTEIN intrusion-detection system, to civilian agencies under the Federal Cybersecurity Enhancement Act.
The short-term extension, however, sets up another expiration in two months, leaving open whether Congress will pursue a full reauthorization or opt for another stopgap.
Kevin Kirkwood, CISO at Exabeam, said the brief lapse presents an opportunity to reconsider how the threat-sharing framework operates. “At its core, CISA aimed to foster collaboration between the private sector and government by encouraging voluntary sharing of threat intelligence—something that absolutely matters in today’s threat landscape,” he said.
“The problem isn’t with the sharing, it’s with the inevitable bloat that comes when federal agencies expand their footprint under the banner of cybersecurity coordination,” Kirkwood added. “This is the moment to rethink what version 2.0 should look like. We need a leaner, more focused model that preserves the flow of intelligence but resists the gravitational pull of centralized bureaucracy.”
What the lapse meant for enterprises
The expiration of CISA 2015 eliminated legal protections for sharing threat information, disrupting the real-time intelligence exchanges that had become routine over the past decade. Without its statutory shields, organizations faced potential liability for monitoring networks, sharing defensive measures, and coordinating responses with peers and federal agencies.
The law had explicitly authorized private entities to take defensive measures against cyberattacks, monitor their own and customers’ networks with consent, and exchange indicators to strengthen detection and response. It also protected shared data from public disclosure under FOIA and shielded participating companies from antitrust claims tied to joint defense activities.
Companies that previously shared threat data automatically needed lawyers to review each exchange, determining what laws might be violated and whether existing agreements covered the information transfer.
The expiration of the Federal Cybersecurity Enhancement Act also ended statutory authority for CISA to operate the EINSTEIN program and other network-security services for civilian agencies, adding operational strain across government networks.
Broader provisions and workforce impact
Beyond restoring the cybersecurity laws, the continuing resolution included measures to protect federal employees affected by the shutdown. The bill will “protect federal workers from baseless firings, reinstate those who have been wrongfully terminated during the shutdown, and ensure federal workers receive back pay,” Senator Tim Kaine said in a statement, adding that the provisions were critical for earning his support.
CISA’s workforce shrank by nearly a third during the shutdown through buyouts, deferred resignations, and layoffs, falling from roughly 3,300 to about 2,200 employees. Divisions including Stakeholder Engagement and Infrastructure Security were hit hardest. The new workforce protections could reverse some of those losses once the bill becomes law.
The continuing resolution extended current government funding levels through January 2026, according to Cramer’s office. Eight Democrats joined Republicans to advance the bill.
If the resolution clears both chambers as expected, Congress will face another funding deadline early next year, and with it another test of how well Washington can balance political gridlock with national cyber resilience.