Why It Matters

A decade-old law that underpins how the federal government and private sector share cyber threat intelligence is set to expire September 30, and Congress has yet to chart a clear path forward on the expiring provisions of CISA 2015.

A new Congressional Research Service report lays out the stakes plainly: let the Cybersecurity Information Sharing Act of 2015 lapse, and the legal scaffolding that encourages companies to share threat data with the government, and with each other, disappears with it.

It's the legal basis for liability protections, antitrust exemptions, and disclosure shields that make private sector participation in threat-sharing programs possible. Without those protections, companies face real legal exposure for sharing information about breaches, intrusions, or vulnerabilities.

The CRS report is direct about the consequence: "Without these protections, private sector entities may be less willing to share cyber threat information with the federal government and each other." The result, the report warns, could return the government to the exact problem that drove Congress to pass the law in the first place, operating without a complete picture of the cyber threats facing the country.

Industry groups have already weighed in, broadly advocating for long-term renewal. The deadline for renewing the information-sharing framework is not a distant concern: Congress has roughly four months.

The Bigger Picture

Congress passed CISA 2015 as Title I of the broader Cybersecurity Act of 2015, responding to a recognized gap: private companies were reluctant to share information about cyberattacks, fearing lawsuits, antitrust exposure, or privacy liability. The law addressed that by authorizing private entities to monitor their own networks and share threat indicators with the federal government, while requiring the removal of personally identifiable information before any data changes hands.

The operational engine of the framework is the Automated Indicator Sharing program, administered by the Department of Homeland Security. AIS pushes threat indicators (think malicious websites, known threat actor activity, or newly identified attack techniques) to participating government and private sector entities. The private sector can also submit indicators back into the system voluntarily.

The law was originally authorized for 10 years. Congress extended it briefly through a continuing resolution and then again through September 30, 2026, via the Consolidated Appropriations Act. Neither extension changed the substance of the law.

That brings Congress to a decision point with real consequences for how, and whether, CISA 2015 is renewed in 2026. The CRS report identifies three broad options: a clean extension that simply pushes back the sunset date, a substantive reauthorization that updates the law's definitions and scope, or alternative legislative vehicles that could reshape the framework entirely.

What the Law Doesn't Cover

One of the more pointed findings in the report concerns what the law was never built to address. The definitions in CISA 2015 do not explicitly cover operational technology: the industrial control systems and SCADA infrastructure that run gas pipelines, dams, and power plants. Edge devices, such as the home routers that connect networks, are also not captured. And artificial intelligence is not addressed in the statute at all.

The report notes that nation-state actors and cybercriminals are actively targeting operational technology and edge devices. Some observers, according to the report, consider it vital for Congress to expand the law's definitions during reauthorization to provide stakeholders clarity on which threat types are covered and protected.

The Voluntary vs. Mandatory Question

The report also surfaces a structural tension that Congress will have to confront. CISA 2015 was built as a voluntary program, and the Senate committee that originally debated it was explicit about that intent. But in 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act, known as CIRCIA, which created a mandatory reporting requirement for certain entities that experience a cybersecurity incident or make a ransomware payment.

That shift is significant. The CRS report frames CIRCIA's passage as "a substantive change in the nature of cybersecurity data collection, whereby the government deemed it necessary to require the private sector to submit information to a federal agency in order for the government to have a more complete picture of cyberattacks across the nation."

Congress may now face pressure to bring CISA 2015 into alignment with that logic, potentially requiring cybersecurity firms, cloud service providers, or critical infrastructure entities to share threat information rather than leaving it to their discretion.

Political Stakes

For the Administration: The Trump administration is managing competing pressures. Its broader deregulatory posture favors keeping participation voluntary, but the national security imperative for complete threat intelligence cuts the other way. Compounding the tension, the administration has overseen significant staffing reductions at the Cybersecurity and Infrastructure Security Agency, the DHS component that runs the AIS program. A weakened statutory framework, layered on top of reduced agency capacity, creates compounding risk.

For Congress: The CISA sunset provisions represent a test of whether Congress can move beyond short-term patches. The law has now been extended twice through appropriations riders rather than standalone legislation. A Senate bill, S. 1337, was introduced to address longer-term reauthorization, but the path forward remains unsettled. A shorter extension would give Congress time to watch how CISA 2015 interacts with CIRCIA's still-developing mandatory reporting rules. A longer authorization would give the private sector the certainty it has been asking for.

For the Private Sector: Companies that have built compliance programs, information-sharing agreements, and cybersecurity service offerings around CISA 2015's protections are watching the September deadline closely. The report notes that without the law's explicit authorizations, "the marketplace for the provision of cybersecurity services to other companies may collapse."

For the Public: The critical infrastructure cybersecurity sharing framework that CISA 2015 supports covers sectors that touch everyday life: energy, water, finance, and healthcare. A gap in that framework, even a temporary one, reduces the government's ability to detect and respond to attacks on those systems.

The Bottom Line

Congress built a cybersecurity information-sharing architecture a decade ago that has largely worked. Inspector General reviews have not found PII violations. The AIS program is operational. Industry participation, while voluntary, has been sustained.

What Congress has not done is update the law for the threat environment that now exists, one that includes AI-enabled attacks, compromised industrial control systems, and adversaries targeting the edge devices that connect critical networks. The September 30 deadline forces a choice: extend what exists, modernize it, or let it expire and accept the consequences. The CRS report makes clear that the last option carries the most risk.
