US lawmakers have until September 30 to reauthorize a 2015 law that provides a safe harbor for sharing cyber threat intelligence.
The Cybersecurity Information Sharing Act (CISA 2015) was passed in the US Senate in October 2015 in the wake of the 2015 OPM breach. It was signed into law by President Barack Obama in December 2015.
Aimed at facilitating information sharing between cybersecurity companies and the US federal government, CISA 2015 established a legal framework and provides a statutory liability shield that protects organizations from civil suits and regulatory actions when they monitor their systems and share cyber threat indicators or defensive measures.
As the expiration date for the Act looms, Infosecurity spoke to experts about the provisions CISA 2015 offers and the debates surrounding the renewal and the consequences of non-renewal.
CISA 2015 Explained
The AIS Program
The CISA 2015 legal framework includes the Automated Indicator Sharing Program (AIS), a voluntary program that enables the federal government and non-federal participants to share specific indicators of cybersecurity threat information with one another.
The program defines an indicator as a "technical artifact or observable that suggests an attack is imminent or is currently underway, or that a compromise may have already occurred."
Examples of such indicators include a malicious website, activity by a known threat actor or the identification of a new technique.
To take part in the program, an entity must agree in writing to participate and set up an AIS client server. The entity then connects the AIS client server to its own IT and cybersecurity equipment, enabling real-time, machine-to-machine information sharing.
CISA 2015 Provisions
CISA 2015 also offers antitrust protection for industry-to-industry collaboration.
Some of the requirements introduced by CISA 2015 include:
- Good‑faith monitoring and sharing for cybersecurity purposes
- Sharing via authorised channels, such as the Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) or one of the established Information Sharing and Analysis Centers (ISACs) and Organizations (ISAOs), with required markings
- Reasonable efforts to remove personal information not necessary to describe the threat
- Preservation of privilege/trade secrets and Freedom of Information Act (FOIA) nondisclosure for shared data
- Narrow antitrust protection for the act of sharing threat intel (not for coordinating on prices, products, etc.)
Speaking to Infosecurity, Shane Tierney, a senior compliance manager at Drata, said the “balance of safe harbor plus privacy obligations was designed to break down hesitation that kept useful threat data siloed.”
Cynthia Kaiser, SVP of Halcyon’s Ransomware Research Center, described CISA 2015 as “one of America’s most vital cybersecurity protections.”
“Just this year, the Act has facilitated threat warnings to thousands of organizations, and it is especially useful to small-to-medium-sized businesses (SMBs) who would not ordinarily have free access to this amount of preventative cybersecurity intelligence,” she told Infosecurity.
Tierney added that the law, though primarily domestic, also carries international significance because the credibility of US data‑sharing and privacy protections is under close scrutiny abroad.
A Law With An Expiration Date
From the outset CISA 2015 included a 10‑year sunset provision, with key elements set to expire on September 30, 2025.
“It’s fairly common for Congress to include sunset clauses in surveillance and cybersecurity legislation as a way to ensure periodic review,” Tierney explained.
In the case of CISA 2015, the ten-year timeline was intended to bring lawmakers back to the table to reconsider whether elements such as the liability shield, the definitions of ‘cyber threat indicators’ and the privacy requirements were still appropriate.
“Because technology, attack patterns, and public expectations evolve so quickly, a permanent statute could risk locking in rules that no longer fit the landscape,” he added.
Debates Around CISA 2015’s Renewal
Push to Renew CISA 2015
Several stakeholders have already advocated for the renewal of the law.
In March 2025, 12 organizations, including several banking trade associations, the Business Software Alliance and the Operational Technology Cybersecurity Coalition, urged Congress to extend the expiration date. The plea came in an open letter addressed to Senate Majority Leader John Thune, Senate Minority Leader Charles Schumer, House Speaker Mike Johnson and House Minority Leader Hakeem Jeffries.
In April, Senators Gary Peters (D-MI) and Mike Rounds (R-SD) introduced the Cybersecurity Information Sharing Extension Act, a move to extend the provisions of CISA 2015.
During Black Hat USA, held in Las Vegas in August 2025, two leaders of the US national cybersecurity agency (CISA) also spoke in favor of an extension of the legislation.
Christopher Butera, the agency’s acting executive assistant director, and Robert Costello, its CIO, said they were “really hopeful that Congress will reauthorize” the Act before the deadline.
“Information becomes dated very quickly, because the adversaries are pivoting so quickly, which makes rapid sharing even more important,” Costello added.
In July, Rand Paul (R-KY), the chairman of the Senate Homeland Security and Governmental Affairs Committee, told US reporters that he intends to hold a markup of the CISA 2015 extension legislation in September.
Andrew Garbarino (R-NY), the new leader of the House Homeland Security Committee, told Cyberscoop in August that the markup was scheduled to happen “shortly after Congress returns from recess in September.”
Drata’s Tierney and Halcyon’s Kaiser are also in favour of an extension.
CISA 2015’s Remaining Points of Contention
Nevertheless, Tierney emphasized that the law’s reauthorization could still fail due to slow legislative processes.
“Broad agreement doesn’t guarantee fast action. Cybersecurity often attracts consensus in principle, but in practice, it tends to slip down the priority list until deadlines spur movement. In recent years, legislative gridlock has made it harder to move even relatively uncontroversial and bipartisan measures without delay,” he noted.
“That’s why CISA 2015 is being addressed late, despite little debate around its core provisions. The delay reflects process more than substance. These lapses can also feed skepticism abroad, where policymakers sometimes view the US as slower to balance privacy and security,” he added.
Additionally, there are concerns that debates surrounding specific provisions may come back to haunt the legislation, chief among them questions about data privacy.
“The Act was initially more controversial, with some privacy advocates concerned that threat information shared with the government would contain user data, leading to broad surveillance powers,” Kaiser observed.
This is another reason for the Act’s deadline, she pointed out. The US Congress sought to allow stakeholders to reassess whether the information shared actually improved national security, whether privacy protections needed strengthening and if the Act’s benefits outweighed its risks and costs.
According to Tierney, these concerns could jeopardize the Act’s reauthorization.
“Privacy and civil-liberties advocates have long argued the liability shield is too broad. Companies are protected even if they share excessive or inaccurate information, which risks exposing personal data,” he said.
“The law requires ‘reasonable efforts’ to scrub personally identifiable information (PII), but that language is vague and weakly enforced. Critics like the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) argue sensitive data can slip through with little accountability,” he added.
Tierney believes that the tension between defenders who want speed and volume and privacy groups that demand tighter guardrails “has never been resolved.”
“The controversy doesn’t mean the law fails entirely, but it does mean any renewal should include stronger, clearer privacy provisions. Without them, trust in the system erodes, both domestically and with international partners evaluating US data-sharing practices,” he argued, citing the Center for Democracy & Technology as one major organization pushing for these refinements.
What Happens If CISA 2015 Expires
A Win for Threat Actors
A scenario where CISA 2015 lapses would “absolutely” be a win for cyber threat actors, said Tierney.
“Any slowdown or fragmentation in sharing helps attackers. If companies hesitate to contribute indicators, adversaries get more time to spread attacks before they’re detected. Even a temporary legal gap disrupts automated feeds and weakens trust across sectors. Once pipelines stall, they rarely restart at full speed,” he said.
In practice, Tierney explained, companies would lose much of the legal clarity and protections that underpin the sharing of cyber threat indicators.
As a result, legal teams and CISOs would likely become more cautious, particularly where customer or employee data could be implicated.
Participation in automated feeds to DHS programs or sector hubs would be harder to justify if liability protections, FOIA shielding and limits on regulatory use were no longer well defined.
This would result in narrower information‑sharing channels, slower response times and a shift toward smaller trusted networks rather than broad cross‑sector collaboration. Privacy safeguards could also be unsettled, with statutory backing for PII scrubbing open to question.
A failure to renew could hinder the activities of Halcyon’s Ransomware Research Center, Kaiser told Infosecurity.
“The loss of antitrust protections would cause industry to share less, which will make US – and global – networks less safe.”
How To Prepare for CISA 2015’s Non-Renewal
Compliance Managers’ Checklist
In case of a failure to renew CISA 2015, Tierney believes compliance managers should prioritize the following actions:
- Review their organization’s policies on what is shared, with whom and under what safeguards
- Confirm PII scrubbing practices are strong and that every sharing decision is documented
- Build smaller trust networks within their industry in order to reduce dependence on federal frameworks
- Proactively display alignment with other standards (e.g. SOC 2, ISO 27001, GDPR) to demonstrate resilience and transparency
“That way, customers and partners continue to trust the organization regardless of legislative uncertainty. Proactive privacy and security governance will always travel further than reliance on one law alone,” he said.
CISOs’ Checklist
As for CISOs, Tierney thinks they need to prepare for both operational and strategic pivots. If statutory protections lapse, they should:
- Be ready to lean on smaller, high-trust sharing communities instead of broad federal channels
- Brief boards and executives on the risks of legal uncertainty, so decision-making is aligned in advance
- Coordinate with legal teams, particularly as regulators and data-protection authorities scrutinize cross-border practices
- Reinforce privacy-by-design in security operations, which will help demonstrate accountability in any scenario
- Show that their defenses remain strong and adaptive, keeping trust with customers and partners intact
Likely Scenarios for CISA 2015’s Future
Despite these concerns, both Kaiser and Tierney believe a multi-year renewal before the deadline passes is the most likely scenario.
“Both parties [the Republican Party and the Democratic Party] understand that letting liability protections lapse would chill information sharing just as cyber-attacks are accelerating,” Tierney said.
“The open question is whether renewal is simply a rubber-stamp or an opportunity to strengthen privacy safeguards and add accountability. From a practical standpoint, industry and government both need a durable framework, not stop-and-start patches. A clean multi-year extension would restore stability; a thoughtful one that updates privacy provisions would also bolster trust at home and abroad,” he added.
Moreover, if US lawmakers fail to agree on a multi-year renewal but want to avert the legislation’s lapse, they could also decide to pass a short-term extension.
While Tierney described this scenario as a “very plausible” one that could “buy time and avoid an immediate lapse,” he also argued that it would “prolong uncertainty.”
“For companies, that means hesitation to invest in new sharing pipelines or participate in long-term joint defense projects,” he explained.
“The risk is that every short-term patch erodes confidence in the system and creates a stop-start cycle. Better than an outright lapse, yes, but still disruptive. Lawmakers should push for a stable, multi-year solution,” he advocated.
Halcyon’s Kaiser expressed a slightly different view. While she acknowledged that there may still be contentious points in the legislation, she believes that lawmakers should prioritize renewing [CISA 2015] over anything else.
“A clean extension that allowed time for edits to be introduced and arbitrated before it was fully reauthorized would be an optimal outcome,” she suggested.
Conclusion
As the deadline for reauthorizing the US Cybersecurity Information Sharing Act approaches, it is clear that the renewal of this legislation is vital.
While it is true that the Act has a sunset clause to allow for revisions and updates to be made, non-renewal could leave many organizations in a perilous and uncertain situation regarding the sharing of critical and lawful information.
A multi-year renewal before the deadline passes may be the most likely scenario, but it is uncertain what form this renewal will take.