Congress revives—and renames—cyber law as expiration looms

Nearly a decade after Congress first passed the Cybersecurity Information Sharing Act (CISA 2015), lawmakers have voted to renew it under a new name, with updates to reflect today’s digital threat landscape.

The Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG Act), approved unanimously this week by the House Committee on Homeland Security, extends the original law’s core authorities—chiefly, liability protections for companies that share cyber threat information with federal agencies and one another. 

It also introduces reforms tailored to the rise of artificial intelligence and modernized cyber defense practices. The new legislation:

• Incorporates AI tools into threat detection and sharing, endorsing “secure AI” systems that can accelerate recognition of evolving threats.
• Updates legal definitions to explicitly encompass advanced tactics—zero-day exploits, deepfakes, AI-enabled spear phishing—that simply didn’t exist in 2015.
• Retains privacy and civil-liberties guardrails, ensuring that the revamped law doesn’t swing the pendulum too far toward a surveillance state.
• Mandates clearer feedback loops—federal agencies, particularly CISA, must deliver actionable threat intelligence back to private sector partners promptly and consistently.

The move signals that lawmakers, despite partisan divides elsewhere, see continuity and evolution in cyber policy as urgent priorities. Without reauthorization, the framework underpinning much of America’s cyber threat-sharing infrastructure would expire at the end of September.

“Over the last decade, the law has provided a framework for voluntary information sharing across the public and private sectors, and between private sector entities, regarding cyber threats facing our networks,” said Chairman Andrew Garbarino (R-NY), who sponsored the reauthorization in a statement. “Reauthorizing this law and ensuring the relevance of this framework before it expires is essential for maintaining our cyber resilience.”

Adding state and local protections

Alongside WIMWIG, the committee advanced the PILLAR Act, which would reauthorize the State and Local Cybersecurity Grant Program for 10 more years. First launched in 2021 with $1 billion in funding, the program has already supported hundreds of projects across the country, from implementing multi-factor authentication to drafting local incident response plans.

The reauthorization proposal raises the federal share of costs for applicants, prioritizes rural and under-resourced jurisdictions, and mandates adherence to CISA’s “Secure by Design” principles. It also nods to artificial intelligence, ensuring local governments can adopt AI tools without introducing new vulnerabilities.

Rep. Andy Ogles (R-TN), who introduced the bill, described local governments as “prime targets” for ransomware gangs due to chronic underinvestment in digital defenses. The bill, he argued, gives them a fighting chance.

From CISA 2015 to WIMWIG

When CISA 2015 was enacted, it capped years of bitter debates over surveillance and privacy. Early iterations, such as the CISPA and PCNA bills, met resistance from civil liberties groups concerned about unchecked government access to personal data. The compromise version that became law struck a balance: incentivizing companies to share attack signatures and tactics without fear of lawsuits, while placing limits on how shared data could be used.

Nearly 10 years on, industry leaders say it has been one of the most effective cyber statutes in U.S. history. Its renewal under the WIMWIG banner reflects an effort to adapt, not discard, the program. Updates include stronger requirements for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to engage with emerging sectors, particularly around AI-driven threats.

Chairman Andrew Garbarino (R-NY), who sponsored the reauthorization, framed the effort as “future-proofing” a proven tool. Cyber leaders from across sectors endorsed the changes, underscoring the stakes if the law were allowed to lapse.