The Cybersecurity Information Sharing Act of 2015 (CISA 2015) is set to expire Sept. 30. At this time, policymakers have yet to renew it, although a continuing resolution was presented this week in the House of Representatives. 

CISA 2015 constructed a “a cybersecurity information sharing structure” that allowed the federal government to gather and share threat intelligence. Furthermore, the private sector was enabled to share similar intelligence with the government and amongst each other. As the expiration of this act nears, cybersecurity leaders are expressing their concern. 

Patrick Beggs, CISO at ConnectWise, shares, “I view the looming expiration of CISA 2015 with significant concern. Without the legislation in place, companies may hesitate to disclose indicators of compromise or attack vectors, creating a chilling effect that erodes trust and collaboration.” 

The capabilities of cyber adversaries have increased in sophistication and scale since the establishment of CISA 2015, especially with the introduction of greater AI threats. Without proper protective measures in place, these threats could leave organizations vulnerable. 

Beggs explains, “The timing is especially critical, as adversaries now leverage AI, ransomware-as-a-service, and state-backed resources to disrupt both critical infrastructure and private enterprises. Losing the protections of CISA would force defenders to operate in silos, causing them to be blind to patterns that could otherwise be mitigated if knowledge were shared openly. Our adversaries thrive on information asymmetry, and any gap in coordination works to their advantage. Beyond the immediate tactical risks, the expiration of CISA risks undermining long-term national security resilience. The act has been a cornerstone in fostering public-private partnerships, and if that framework dissolves, it will take years to rebuild trust and momentum. Policymakers must recognize that cybersecurity is a team sport, and the expiration of CISA would not only weaken our defenses but also embolden our adversaries at a moment when unity and vigilance are paramount.”

Joel Burleson-Davis, CTO at Imprivata, adds, “Cyber adversaries are scaling up. AI is making attacks faster, cheaper, and more precise —especially against critical infrastructure. For the past decade, the Cybersecurity Information Sharing Act of 2015 has been our early-warning system, enabling real-time signal-sharing so defenders can spot sparks before they become wildfires. If CISA lapses at the end of September, policymakers warn we could lose as much as 90% of those alerts.”

While the expiration of CISA 2015 would affect all organizations within the United States, some industries could see greater consequences than others. 

“The stakes are highest in sectors like healthcare and manufacturing, where minutes matter,” Burleson-Davis declares. “A slowdown in threat intelligence can cascade into care delays, supply chain disruption, and safety risks. Losing CISA’s liability protections, antitrust exemptions, and nondisclosure safeguards would also chill the willingness of organizations to share what they’re seeing — exactly when we need more eyes, not fewer.”

However, simply renewing CISA 2015 may not be enough. With the evolution of cyber threats over the last decade, the renewal must include timely updates to ensure it is modern and effective. 

Kyle Dewar, Tanium’s Executive Client Advisor, Federal, states, “CISA 2015 enables the teamwork that drives cyber outcomes protecting our citizens, our government, our critical infrastructure, and our corporations. Since 2015, cyber threats have continued to evolve in both persistence and complexity, so, naturally, emergent threats, AI, and supply chain attacks should be incorporated into the modernization of CISA 2015.

“With great power comes great responsibility, and renewing CISA 2015 should focus on correlation, collaboration, and coordination of cyber threats and adversary cyber actions to foster transparency of threat reporting. My call to action is to understand both the concerns (privacy & civil liberties) and the areas of agreement with CISA 2015. Modernizing CISA 2015 should continue safe harbor protections that have a proven record of success, where threat indicators and defensive cyber actions are reported, analyzed, and authoritatively shared by the Cybersecurity and Infrastructure Security Agency with government agencies, corporations, partners, and allies. Measuring the performance of a modernized CISA 2015 through mean-time-to-share (MTTS) or mean-time-to-exchange (MTTE) of threat information would enable measurement of performance indicators that align outcomes driven by CISA 2015 with national security and criminal justice needs of our nation and citizenry.”

In a time where many organizations are already unprepared for cyberattacks as is, the expiration of CISA 2015 could be a significant setback. Nevertheless, organizations should not wait to hear the outcome of CISA 2015’s renewal before taking charge of their security posture. 

Burleson-Davis concludes, “Regardless of what Congress does, operators should act now to blunt any intelligence gap — in cybersecurity, unity and urgency aren’t optional, they’re how we keep the lights on and data, systems and people safe.”