Legal Update | Implications of Cybersecurity Information Sharing Act of 2015 Expiring

Foster Swift Collins & Smith

The Cybersecurity Information Sharing Act of 2015 (“CISA”) expired yesterday, on September 30, 2025.

Though Congress discussed renewing the statute prior to its expiration, CISA was not officially reauthorized by the federal government.

CISA was designed to encourage private organizations to share cybersecurity information with other private sector entities and the federal government through the Department of Homeland Security, aiming to strengthen overall monitoring capabilities and bolster collective defense against cyber threats. In particular, the statute allowed private entities to monitor their own information systems and take defensive measures related to those systems, so long as such actions complied with other applicable data privacy and cybersecurity laws, rules, and regulations. Additionally, CISA provided legal protections to reporting private entities in order to encourage their participation.

CISA’s overarching goal was to counter cyber-attacks, and due to its expiration, we may see significantly fewer private organizations open to sharing cybersecurity-related data without CISA’s protections and guardrails. The landscape is now uncertain, and without CISA’s safeguards, companies may face greater legal risks when sharing data breach and cyber threat information with other organizations or the federal government. This increased risk could discourage the reporting practices established over the past decade and undermine the collaborative cyber defense efforts built during that time.

Importantly, the sharing of technical threat information, such as indicators of compromise and malicious tactics, techniques, and procedures, remains lawful, just as it was prior to the enactment of CISA in 2015. However, with the lapse of CISA, organizations should consider taking some extra precautions when sharing cyber threat-related information that previously would have been protected under CISA. Additionally, entities should review the data privacy and cybersecurity measures they have in place, such as employee policies on data sharing and company privacy notices, to ensure that a valid legal basis remains for monitoring information systems and communications for cyber threats.

At Foster Swift Collins & Smith, P.C., we are closely monitoring developments in the information technology, data privacy, and cybersecurity spaces, and are committed to advising our clients on how to prepare for possible legal and compliance impacts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Foster Swift Collins & Smith
