10 October 2025

CISA 2015 Lapses With Reauthorization Uncertain — Why It Matters, What's At Stake, And What's Next

Goodwin Procter LLP

At Goodwin, we partner with our clients to practice law with integrity, ingenuity, agility, and ambition. Our 1,600 lawyers across the United States, Europe, and Asia excel at complex transactions, high-stakes litigation and world-class advisory services in the technology, life sciences, real estate, private equity, and financial industries. Our unique combination of deep experience serving both the innovators and investors in a rapidly changing, technology-driven economy sets us apart.

On Tuesday, September 30, 2025, the Cybersecurity Information Sharing Act of 2015 (CISA 2015) expired after its 10-year effective period lapsed without reauthorization from Congress, in the wake of a government shutdown that took effect on October 1, the following day. This cornerstone framework has served as an enabling mechanism for industry to voluntarily share cyber threat indicators and defensive measures with the federal government while receiving liability and privilege protections that make such collaboration feasible in practice. CISA 2015's lapse could cause tremors through the foundation of public–private cyber defense, chilling information sharing and weakening collective resilience. Businesses and trade groups have urged the extension of the law to preserve these protections, but political obstacles have cast doubt on whether reauthorization, albeit delayed, is a possibility. As a result, both private entities and government agencies may face uncertainty about what threat intelligence and other key cyber defense information can be shared, how, and with what legal risk.

Background: What CISA 2015 Does

CISA 2015 was enacted to create a legal framework that encourages voluntary, timely sharing of cyber threat information among private sector entities and federal government agencies. Its three core pillars are:

  1. Government-to-private sharing obligation: CISA 2015 obligates certain federal agencies (the Office of the Director of National Intelligence, Department of Homeland Security, Department of Defense, and Office of the Attorney General) to issue procedures for sharing both classified and unclassified threat indicators and defensive measures with private entities.
  2. Authorized private sector monitoring and defensive measures: CISA 2015 authorizes private entities (or their authorized partners) to monitor their own networks (or, with authorization and written consent, others' networks) and to deploy "defensive measures" provided they align with statutory constraints.
  3. Liability protections and privilege safeguards: When entities share threat indicators or defensive measures in compliance with CISA 2015's rules, they enjoy certain protections, such as limitations on liability (e.g., antitrust liability), nonwaiver of evidentiary privilege, and constraints on regulatory use of shared data.

Over the years, the law has helped catalyze and promote public–private cooperation, allowing agencies to distribute threat indicators and improving situational awareness across sectors.

Why CISA 2015 Matters

It enables voluntary but legally protected sharing. Lowering the legal and reputational barriers to information sharing is one of CISA 2015's core rationales. Without its liability and disclosure shields, many organizations may hesitate to share sensitive, early-stage threat data.

It undergirds collective defense and threat detection. Cyber adversaries commonly reuse techniques, tactics, and procedures. A shared threat indicator or defensive measure can accelerate detection and response across multiple victims or industries. As such, information sharing raises the bar for threat actors seeking to expand their attack volume.

It gives a measure of legal assurance. CISA 2015 helps provide clarity and confidence to CISOs, legal teams, and boards; if sharing is done correctly, potential regulatory, antitrust, or other liability exposures could be mitigated.

It can be crucial in critical infrastructure and regulated sectors. These industries have become increasingly prominent targets for threat actors in recent years, so robust trust in sharing mechanisms is especially vital.

Risks and Consequences of a Future Without CISA 2015

If CISA 2015's expiration is prolonged, or if the law or analogous protections are not reauthorized, the following risks could materialize.

The Chilling of Private Sector Sharing

Without CISA 2015's statutory protections, some analysts and political staffers estimate an 80% reduction in threat intelligence sharing. Even if other existing laws and regulations provide some overlapping protections, CISA 2015's perceived role as the key provider of protections, especially in the antitrust realm, could create a slowdown in information sharing across industries.

Weakened Incentives for Threat Collaboration

Absent CISA 2015's framework, private entities may be more reluctant to proactively share early or incomplete signals. This may slow collective detection, threat hunting, or cross-industry correlation.

Government Hesitation or Reprioritization

Although federal agencies may continue to share information under existing interagency authorities, without the statutory mandate and reporting requirements in CISA 2015, agencies may deprioritize active sharing to private entities.

Prior to CISA 2015's lapse, several proposals were introduced that could reauthorize the law for a number of years ahead. However, as of the writing of this article, these proposals were ultimately blocked, or died on the vine. While still possible, it is unclear whether reauthorization will come to fruition in the future.

Recommendations

  1. Review your threat-sharing posture now
    • Confirm whether your entity is currently relying on CISA 2015's protections when sharing threat indicators or defensive measures
    • Consider whether adjustments should be made to information sharing practices, for example, by taking a more cautious approach and limiting sharing to purely factual information that would not otherwise be subject to legal privilege or damage the company's reputation if disclosed
    • Evaluate internal processes and legal reviews in the event of an extended or permanent lapse
  2. Engage with policy and industry coalitions, and monitor legislative activity
    • Many trade groups and coalitions (e.g., the U.S. Chamber of Commerce-led coalition) have already urged Congress to pass a clean reauthorization
    • Join an Information Sharing and Analysis Center (ISAC) community for information on industry-specific best practices, such as FS-ISAC for financial services or Health-ISAC for healthcare
    • Watch for amendments to bills that may contain CISA 2015 reauthorization language
  3. Plan contingency approaches for technology, contracts, and risk
    • Consider whether contractual language (e.g., in vendor, M&A, or sector agreements) anticipated a lapse or sunset of statutory protections
    • In high-security or regulated industries, assess whether alternative legal pathways (e.g., Freedom of Information Act (FOIA) exemptions, state-level protections, regulatory carveouts) may supplement risk mitigation
    • Legal and compliance teams should work with security teams to reevaluate risk tolerance for sharing sensitive indicators, especially early-stage or borderline signals

Final Thoughts

CISA 2015 has long been a linchpin of US public–private cyber threat cooperation, offering critical legal protection for information sharing. Its expiration would represent a setback for collective defense efforts and elevate uncertainty, especially in sectors in which real-time threat intelligence can, at times, mark the difference between a severe business impact and none at all. While a clean, multiyear reauthorization remains a preferred path for many stakeholders, political constraints make the outcome far from assured.

Given the precarious timeline, organizations should act now and assess their reliance on CISA 2015, survey their legal risk tolerance for sharing, and engage in strategy planning for both prolonged and permanent lapse scenarios as well as potential reauthorization that could still change the status quo, depending on the ultimate statutory language.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
