The uncertain future of the Cybersecurity Information Sharing Act of 2015


On October 1, 2025, the Cybersecurity Information Sharing Act of 2015 (CISA 2015) expired; however, on November 12, 2025, Congress extended the Act through the end of January. The extension comes on the heels of the government shutdown, which prevented earlier action to mitigate the Act’s expiration. The Act created a formal framework for government agencies and private companies to share cyber-threat information with liability protections and designated the Department of Homeland Security (DHS) as the central coordinator for information sharing across federal agencies.

Private Sector Impact

For the private sector, CISA 2015 plays an important role in promoting information sharing about cyber threats by shielding companies from legal liability for participating in it. Specifically, CISA 2015 prohibits any lawsuits based on monitoring information systems, deploying defensive measures, and sharing cyber threat indicators, which allows organizations to freely share information about cybercrimes without fear of retaliation. Without this protection, organizations may be subject to liability claims for sharing information about cyberattacks or incidents with the federal government. Thus far, the Act has served as a catalyst for public-private partnerships in combatting cyber threats. However, if CISA 2015 is not replaced or extended past January 2026, the lack of liability protection will likely discourage organizations from information sharing and handicap federal investigations into cyber threats.

Public Sector Impact

In addition to private sector protections, the Act also creates clear pathways for disseminating information to federal agencies. Under CISA 2015, DHS serves as the primary coordinator of cyber information sharing with other agencies such as the Federal Bureau of Investigation, Department of Defense, and National Security Agency. Under the Act, DHS created the Cybersecurity & Infrastructure Security Agency, which serves as a hub for cyber threat information sharing and resources. Without CISA 2015, or legislation to replace it, cyber threat information sharing will be less coordinated among federal agencies, potentially impairing those agencies’ ability to respond effectively to cyber incidents.

Private Organization Considerations

Private organizations should prepare ahead of time in case CISA 2015 expires in January 2026. Specifically, companies should:

  • Reconsider information-sharing practices and determine whether a more cautious approach is appropriate to shield themselves from liability.
  • Confirm whether they are currently relying on any CISA 2015 protections when sharing information.
  • Determine risk-tolerance for information sharing should the Act sunset in 2015.
  • Analyze whether contracts can be amended to include information sharing privileges.

If you have questions about the latest legislative updates, how to keep your organization in compliance, or if you would like to discuss proactive measures to protect against cyber threats, reach out to a member of our national data privacy and cybersecurity team.
