Congress Weighs Renewal of Cybersecurity Information Sharing Act Ahead of September Deadline

Congress Weighs Renewal Of Cybersecurity Information Sharing Act | CyberPro Magazine

Cybersecurity Framework Faces Expiry, Urgent Congressional Action Required

The Cybersecurity Information Sharing Act (CISA) of 2015, a pivotal piece of legislation facilitating cooperation between the federal government and private sector on cybersecurity threats, is set to expire on September 30, 2025. A new report from the Congressional Research Service (CRS) has raised the alarm about the potential fallout if the act is not renewed, with experts and industry leaders urging Congress to act promptly to avoid weakening the nation’s cyber defense capabilities.

Originally passed as part of the broader Cybersecurity Act of 2015, the Cybersecurity Information Sharing Act was designed to encourage the exchange of threat intelligence while offering liability protections to private entities sharing sensitive data. It also includes provisions that mandate the removal of personally identifiable information (PII) before data is shared, with oversight provided by the Department of Homeland Security (DHS) and Department of Justice (DOJ) to safeguard civil liberties.

As Congress deliberates the future of the Cybersecurity Information Sharing Act, cybersecurity policy analyst Chris Jaikaran emphasized in the CRS report that lawmakers could simply extend the act’s expiration date or take the opportunity to revise its scope and definitions to address modern threats more effectively. The report presents a range of legislative options, from short-term extensions that allow time to assess evolving cybersecurity landscapes to more comprehensive, long-term reauthorizations that provide clarity and confidence to stakeholders.

Emerging Threats Prompt Calls for Expanded Definitions and Protections

The CRS report highlights how the cyber threat landscape has shifted dramatically over the past decade. Today, malicious actors—including nation-state hackers and organized cybercriminals—are increasingly targeting operational technology (OT) and edge devices, which are not explicitly covered under the current language of the act. These systems, such as industrial controls for pipelines and smart devices that connect networks, have become prime targets due to their critical functions and potential vulnerabilities.

The report also raises concerns that artificial intelligence (AI), a rapidly evolving and impactful technology, is not addressed in the existing statute. As AI continues to transform cybersecurity strategies, both as a tool for defense and as a potential weapon for attackers, experts believe that the Cybersecurity Information Sharing Act must adapt accordingly. Expanding the definitions within the act to reflect newer technologies and attack vectors could enhance information sharing and ensure broader protection across sectors.

Some observers argue that modernizing the act to include these elements would offer greater clarity to stakeholders about what qualifies as protected, shareable information. This would not only enhance collaboration between the government and private sector but also ensure that emerging threats are met with appropriate countermeasures.

Without Renewal, Cybersecurity Collaboration and Trust Could Erode

The CRS report warns that letting the act expire could significantly disrupt public-private cybersecurity partnerships. The absence of liability and antitrust protections could deter private companies from voluntarily sharing threat intelligence, reducing the government’s visibility into the evolving threat environment. This would echo the conditions that initially led to CISA’s enactment—a lack of coordination and information flow critical to national cyber defense.

While DHS’s Automated Indicator Sharing (AIS) program—which facilitates voluntary exchange of threat indicators—may continue under other authorities, its effectiveness could be undermined without CISA’s legal backing. Additionally, the report prompts Congress to consider whether CISA’s voluntary framework should remain unchanged in light of newer, mandatory reporting mechanisms like the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), enacted in 2022.

According to Jaikaran, while CISA and CIRCIA both aim to improve cybersecurity data collection, they serve different roles. CISA supports real-time, proactive threat prevention through bidirectional sharing, while CIRCIA focuses on post-incident analysis and future prevention. As cyber threats grow more complex, the potential exists for Congress to mandate certain entities—such as cloud providers or critical infrastructure operators—to participate more actively in information sharing under CISA.

Ultimately, the decision Congress makes in the coming months could shape the future of national cybersecurity cooperation, either reinforcing or undermining the trust and mechanisms that have protected U.S. networks for the past decade.
