Will Congress reaffirm US cyber threat sharing framework before it’s too late?

As the September 30 expiration date for the Cybersecurity Information Sharing Act of 2015 (CISA 2015) rapidly approaches, Congress faces a pivotal decision that could either preserve or unravel a decade-long framework that is critical to the nation’s cyber defense posture.
Originally passed in response to a surge in nation-state hacks and industrial-scale data breaches, CISA 2015 remains one of the most consequential pieces of cybersecurity legislation in modern U.S. history.
At its core, the law was designed to break down institutional and legal barriers between federal agencies and private companies. It authorized and encouraged the sharing of cyber threat indicators and defensive measures, while shielding private firms from civil liability when sharing information in good faith.
The framework aimed to foster a real-time, trusted environment in which data flows both ways, alerting companies to emergent threats while enabling federal agencies to map broader attack patterns and deploy national mitigation strategies.
“Without the law, too many companies will fear liability concerns when they act as good Samaritans by sharing warnings about cyber threats,” wrote Annie Fixler, director of the Foundation for Defense of Democracies Center on Cyber and Technology Innovation.
“Consensus in Congress seems to be coalescing around a straight reauthorization,” Fixler said, adding that “that option provides the greatest likelihood of averting the crisis that would accompany the expiration of the law.” She pointed out, however, that “while there are nearly 90 days left on the calendar before CISA 2015 expires, there are only 35 working days for Congress between now and the end of September. Lawmakers should act with haste.”
In a new audit report, the Government Accountability Office (GAO) confirmed that seven lead federal agencies have fully implemented CISA’s mandates, including the removal of personally identifiable information (PII) from shared data. The agencies also adopted technical infrastructures like the Department of Homeland Security’s (DHS’s) Automated Indicator Sharing (AIS) system, which allows structured, machine-speed sharing of cyber threat indicators across public and private networks.
Section 104(d)(2) of CISA 2015 explicitly states that before a non‑federal entity shares “cyber threat indicators” or “defensive measures,” it must remove any information “that it knows at the time of sharing to be personal information of a specific individual … that is not directly related to a cybersecurity threat.” This ensures only relevant threat data is shared.
The final guidelines to implement this section – issued by DHS and the Department of Justice and updated in April – clarified this requirement. They emphasized that if information “known at the time of sharing to be personal information of a specific individual … is not directly related to a cybersecurity threat, it should be removed prior to sharing.”
Federal agencies have “developed final guidelines related to privacy and civil liberties that govern how threat information is received, used, retained, and distributed to protect personally identifiable information,” GAO said.
“Policies and actions implemented under the Cybersecurity Information Sharing Act of 2015 have positively contributed to the sharing of cyber threat information between federal and nonfederal entities,” GAO said. “Sharing such information can enhance awareness of the extent of current cyber threats and how to mitigate those threats.”
Legal analyses, such as Cadwalader’s review for clients, highlighted that one of the most challenging obligations under CISA is “identifying and removing PII from any cybersecurity information prior to submission via the AIS program.”
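The data-minimization obligation described in Section 104(d)(2) and the Cadwalader note above, shown as a worked example added here (it is not from the article, from DHS, or from the AIS program): a pre-sharing pass over a constructed, STIX-like indicator record that drops reporter-identifying fields and redacts personal email addresses and phone numbers from free text, while keeping the sender address that is the indicator itself. The field names, the sample record and the convention that addresses inside the `pattern` field are threat-related are assumptions.

```python
import re
from copy import deepcopy

# Constructed sample record (illustrative field names, not the real AIS/STIX schema).
SAMPLE_INDICATOR = {
    "type": "indicator",
    "pattern": "[email-message:from_ref.value = 'invoices@billing-portal.example']",
    "description": (
        "Phishing lure reported by jane.roe@victimcorp.example "
        "(payroll clerk, +1-555-0100); sender invoices@billing-portal.example"
    ),
    "reporter_contact": "jane.roe@victimcorp.example",
}

# Fields that only identify the reporting person and never describe the threat.
PERSONAL_FIELDS = ("reporter_name", "reporter_contact", "reporter_phone")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\- ]{6,}\d")

def threat_related_emails(record):
    """Addresses inside the detection pattern are the indicator itself and must stay."""
    return set(EMAIL_RE.findall(record.get("pattern", "")))

def minimize_for_sharing(record):
    """Return (scrubbed copy, audit list of removed items); the input is not modified."""
    # 104(d)(2) idea: personal information not directly related to the threat goes;
    # personal names in free text are not attempted here and still need analyst review.
    keep = threat_related_emails(record)
    scrubbed, removed = deepcopy(record), []
    for field in PERSONAL_FIELDS:
        if field in scrubbed:
            removed.append(f"{field}={scrubbed.pop(field)}")
    for field in list(scrubbed):
        value = scrubbed[field]
        if field == "pattern" or not isinstance(value, str):
            continue

        def redact_email(m):
            if m.group(0) in keep:          # the indicator's own address stays
                return m.group(0)
            removed.append(f"{field}:{m.group(0)}")
            return "[redacted-email]"

        def redact_phone(m):
            removed.append(f"{field}:{m.group(0)}")
            return "[redacted-phone]"

        scrubbed[field] = PHONE_RE.sub(redact_phone, EMAIL_RE.sub(redact_email, value))
    return scrubbed, removed
```

The returned audit list is what a privacy reviewer would want logged: it records exactly which values were withheld without reproducing them in the shared record.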
The capabilities instituted by the act have become foundational to national cyber resilience. However, if CISA 2015 is allowed to sunset without reauthorization, industry leaders and federal agencies warn that private sector engagement in threat intelligence sharing could plummet.
Without the law’s liability protections, companies might once again hesitate to disclose breaches or suspicious cyber activity, fearing legal exposure, shareholder backlash, or reputational harm.
The stakes are growing as threats become more advanced. Nation-state actors from China, Russia, North Korea, and Iran continue to target U.S. critical infrastructure. Simultaneously, AI-powered phishing, deepfake-enabled impersonation attacks, and ransomware-as-a-service operations are becoming more accessible to less sophisticated threat actors.
Without CISA 2015’s legal and operational backbone, the U.S. could face increased blind spots in threat detection, just as adversaries become nimbler and more unpredictable.
Bipartisan support for reauthorization appears strong. In May, the House Committee on Homeland Security’s Subcommittee on Cybersecurity and Infrastructure Protection convened a hearing to examine CISA 2015’s performance and its upcoming expiration on September 30. Witnesses included executives from major tech and financial organizations who testified on the value of threat sharing and suggested areas for improvement.
Chairman Andrew Garbarino opened the hearing by emphasizing that “CISA 2015 has become more vital than ever,” noting the law’s role in facilitating real‑time indicator sharing and safeguarding critical infrastructure.
“There are valid concerns that without [the act’s] protections, the private sector would be less willing to share cybersecurity information, either amongst themselves or with the federal government,” Garbarino said. “Without these safeguards, we can be certain that our nation would be more vulnerable to cyber threats.”
Both Republican and Democratic lawmakers view the law as essential, and many are leaning toward a “clean” reauthorization bill which would preserve the statute without major changes.
DHS Secretary Kristi Noem earlier voiced similar support for reauthorizing the act before the full House Committee on Homeland Security. “We need [industry’s] expertise and knowledge … to make sure we’re prepared to secure our systems and our critical infrastructure,” Noem said during the hearing. “We’re doubling down on the need to build private and partner with those individual industries that have the expertise and knowledge that we’ve lacked for so long, and they’re looking for some more abilities to do new things for this country.”
In parallel, a broad coalition of over 20 industry groups – from the U.S. Chamber of Commerce to healthcare and energy associations – has submitted a joint letter to Congress urging swift reauthorization. The Hacking Policy Council has also urged lawmakers to reauthorize CISA 2015. Failing to renew the law would “jeopardize over a decade of progress in enhancing our collective cybersecurity posture,” the group said in a statement.
Despite this momentum, some members of Congress have floated revisions to address perceived gaps in transparency and oversight. Civil liberties groups have raised concerns about how shared threat indicators could be used for non-cybersecurity purposes, or how the government ensures meaningful data minimization when collecting information from private parties. These concerns could delay a clean reauthorization or provoke a broader legislative negotiation.
Additionally, some cybersecurity experts have argued that CISA could be updated to better reflect current technology and threat models. For example, expanding definitions of “defensive measures” could help legalize newer forms of threat response, such as counter-hacking under strict conditions. Others suggest enhancing requirements for feedback loops so private entities receive clear indicators of the government’s use of their data and resulting benefits.
Even with these possibilities, many argue the priority should be to avoid a lapse in authorization.
Cybersecurity Coalition Executive Director Ari Schwartz wrote in Bloomberg Law this week that, “We must not risk going backward ten years by allowing this law to lapse.”
Technology leaders have warned that without the law “there’s going to be some companies that won’t voluntarily” share information. Larry Clinton, president of the Internet Security Alliance, said if the law is allowed to expire it will be tantamount to “legislative malpractice.”
The law’s expiration would disrupt federal agencies’ ability to engage smaller organizations that lack robust cyber resources. While Fortune 500 companies often have internal threat intelligence teams, smaller regional hospitals, water utilities, and school systems rely heavily on shared alerts and federal coordination. For these entities, CISA’s protections and outreach mechanisms have become lifelines in a threat environment where even a single ransomware attack can cause weeks of operational disruption.
As the legislative window narrows – further constrained by the looming August recess and the 2026 election calendar – the pressure is on Congress to act. The risk of inaction isn’t hypothetical anymore. Cybersecurity alliances and data trust frameworks are delicate, and once severed, they will be difficult to rebuild.
In a moment when cyberattacks are increasingly global, sophisticated, and persistent, the expiration of the very law that was designed to unify America’s cyber defense ecosystem would amount to strategic disarmament. The question before Congress is not merely one of reauthorization; it is also a test of political will in the face of an ever-mutating digital threat landscape.