Cybersecurity Information Sharing Act Nears Expiration
The Cybersecurity Information Sharing Act (CISA), first passed in 2015 to encourage organizations to share threat intelligence without liability risks, is set to expire on September 30, 2025, unless renewed by Congress.
CISA allows companies to report suspicious software or activity safely, enabling government agencies to aggregate threat data and share it across both public and private sectors. This cooperation helps build a complete picture of attacks — each company may only see “a part of the animal,” but combined reporting reveals the full threat.
Despite broad support, renewal is caught up in congressional politics, coinciding with contentious debates over the U.S. debt ceiling. Some lawmakers are also pushing for additional reforms, including expanded transparency for individuals flagged in CISA reports.
Experts believe the law will likely be reauthorized, possibly even retroactively, given its role in protecting national security and critical infrastructure. Still, a lapse would leave organizations without the legal protections that currently facilitate threat sharing.
Industry voices see renewal as an opportunity to modernize CISA — making it more effective in an era of AI-driven threats and an expanding attack surface.