US Cyber Threat Sharing Law 'CISA 2015' Expires, Creating Potential Intelligence Gap

Executive Summary

A cornerstone of U.S. public-private cybersecurity collaboration, the Cybersecurity Information Sharing Act of 2015 (CISA 2015), was allowed to expire on October 1, 2025. The law provided critical liability, antitrust, and public disclosure protections to private sector entities, incentivizing them to share cyber threat indicators and defensive measures with the federal government. Its expiration, a result of legislative gridlock, has sparked widespread concern across the cybersecurity industry. Experts fear that without these legal safeguards, companies will become far more reluctant to share threat intelligence, potentially creating a significant blind spot in the nation's collective cyber defense. The lapse also coincided with the expiration of the State and Local Cybersecurity Grant Program (SLCGP), further straining national cyber resilience. New legislation has been introduced to remedy the situation, but the immediate future of this vital information-sharing framework is in limbo.

Regulatory Details

Expired Law: Cybersecurity Information Sharing Act of 2015 (CISA 2015)

• Purpose: To facilitate the voluntary sharing of cyber threat information between the private sector and the U.S. government, and among private sector entities.
• Key Provisions: Provided companies with liability protection for sharing and receiving threat indicators, protection from FOIA disclosure, and antitrust exemptions for collaborative cybersecurity activities.
• Mechanism: Information was shared with the Department of Homeland Security's CISA (the agency) through its Automated Indicator Sharing (AIS) program.

Reason for Expiration: The act had a sunset clause and required reauthorization. A 'clean' reauthorization was reportedly blocked by Senator Rand Paul over unrelated concerns about the CISA agency's activities, and the failure to pass it was compounded by a government shutdown.

Affected Organizations

• U.S. Private Sector: All industries, particularly those in critical infrastructure, finance, and technology that are primary targets for cyberattacks and active participants in threat sharing programs.
• U.S. Government: The Department of Homeland Security (DHS) and its CISA agency, which relied on the data feed from the private sector to build a national threat picture.
• State and Local Governments: The concurrent lapse of the State and Local Cybersecurity Grant Program (SLCGP) removes $1 billion in funding aimed at bolstering their cyber defenses.

Compliance Requirements (Now Lapsed)

Under CISA 2015, to receive legal protections, companies were required to:

1. Review and remove any personal information of a specific individual not directly related to a cybersecurity threat before sharing.
2. Share indicators through the designated government portal (CISA's AIS platform).
3. Implement security controls to protect any information they received.

With the law's expiration, these explicit requirements and their corresponding protections are now void.

Impact Assessment

The primary impact is the potential for a drastic reduction in the volume and timeliness of threat intelligence sharing. Legal experts at WilmerHale have predicted that information sharing could drop by as much as 80%.

• Business Impact: Companies may revert to a more cautious, siloed approach to threat intelligence, fearing lawsuits, regulatory action, or reputational damage if shared data is mishandled or leads to unintended consequences. This legal uncertainty creates risk.
• Operational Impact: Without a robust feed of real-time indicators from the private sector, the U.S. government's ability to detect and warn about large-scale campaigns is diminished. This creates a more dangerous and complex security environment for everyone.
• Financial Impact: The lapse of the SLCGP directly defunds critical cybersecurity improvements at the state and local levels, leaving them more vulnerable.

Enforcement & Penalties

This is not a matter of penalties for non-compliance, but rather the removal of legal protections. Companies are now subject to the default legal landscape regarding liability, which is far less favorable for open information sharing.

Compliance Guidance (Moving Forward)

1. Introduce New Legislation: Senator Gary Peters has introduced the Protecting America from Cyber Threats (PACT) Act. This bill aims to:
   • Retroactively reauthorize the CISA 2015 protections to October 1, 2025, to cover the gap.
   • Extend the program for 10 years.
   • Rename the original act to reduce confusion with the CISA agency.
2. Legal Review: Companies that actively participated in information sharing under CISA 2015 should consult with their legal counsel to reassess the risks of continued sharing without the explicit statutory protections.
3. Advocacy: Industry groups, like the Protecting America's Cyber Networks Coalition, are advocating for the swift passage of the PACT Act or a similar replacement to restore the framework.
4. Alternative Sharing Mechanisms: In the interim, companies may rely on trusted, private-sector Information Sharing and Analysis Centers (ISACs), which operate under different legal agreements, though these may not offer the same level of liability protection as the federal statute.