From Law to Lapse: Threat Sharing Left Exposed

The Cybersecurity Information Sharing Act of 2015 expired just after midnight on Wednesday morning. This has the potential to drastically change the cybersecurity landscape in the US.

What was CISA 2015?

The Cybersecurity Information Sharing Act of 2015 (not to be confused with the agency with the identical acronym) was a backbone of US cyber defense policy. It allowed companies to share information about cyber threats, defenses against cyber threats, and other cybersecurity assistance with liability protections, including protections against antitrust lawsuits. It also stated that sharing threat indicators or defensive measures with the government was not a waiver of existing protections, including the protection of trade secrets. When a private entity shared cyber threat intelligence with the government, the information remained the proprietary information of that entity. The law also protected personal information contained in any cyber threat information shared with the government, and protected companies from liability regarding the monitoring of IT systems.

Interestingly enough, the law specifically stated that it did not create a mandatory requirement for organizations to share threat indicators or defensive measures. This is in contrast to a law recently passed by China that requires organizations to report cyber incidents within 30 to 60 minutes.

The 2015 CISA law set the framework for the speedy exchange of information about cyber threats. This sharing is essential for cyber defense, as an automated cyber attack like a Distributed Denial of Service (DDoS) attack takes about 30 seconds, and skilled ransomware groups can move through a victim’s network in less than 30 minutes.

Why did this happen?

A temporary extension of the law was proposed in the budget continuing resolution (CR), which was not passed by the Oct 1 deadline, causing the law to lapse. There was wide bipartisan support for the reauthorization, except for one senator who opposed the extension unless it included a clause banning the Cybersecurity and Infrastructure Security Agency (CISA) from combating disinformation.

What happens now?

What happens now depends largely on how long the government remains shut down and what changes, if any, are made to the reauthorization bill. Without the CISA 2015 protections, organizations may pull back on sharing threat intelligence indicators at a time when cyber threats are increasing.

The Automated Indicator Sharing (AIS) program developed by the Department of Homeland Security, which provided most of the public-private cyber threat collection, has no plans for operation past the expiration of the CISA 2015 law. It is worth noting that there are also no plans to discontinue the use of the AIS program.

The question now is how willing companies and organizations will be to continue sharing their threat information without the legal protections that have been in place for the last decade.
