CISA 2015 Reauthorization – Are Changes on the Horizon?
As we noted in Federal Cybersecurity Policy in 2025: What to Watch in Changing Times, key parts of the Cybersecurity Information Sharing Act of 2015 (CISA 2015), the United States’ foundational cybersecurity information sharing law, are set to sunset on September 30, 2025, unless it is reauthorized. This need for reauthorization presents opportunity and peril for organizations that rely on the law to engage in protected collaboration.
The law has been a vital part of the cyber defense and response landscape because of the liability protections it extends to private sector entities, which were designed to be an important driver of cybersecurity information sharing. CISA 2015 provided important liability shields for sharing “cyber threat indicators” (CTIs) and “defensive measures” (DMs) between private sector entities and with the federal government through the U.S. Department of Homeland Security (DHS) Automated Indicator Sharing (AIS) system.
But observers have said that the law has been underutilized over the past 10 years, and the DHS Inspector General observed in a recent report that participation in information sharing through DHS has dropped to an all-time low. Several factors have been identified as contributing to underutilization, including private sector reticence about sharing due to ongoing liability concerns, the narrow scope of information permitted to be shared under CISA 2015, the absence of meaningful reciprocal sharing by government agencies, and the excess of low-value information.
As CISA 2015 comes up for reauthorization, policymakers and organizations should consider whether there are potential changes that could jump-start cybersecurity information sharing under the law and provide more meaningful liability protections to private sector participants. Expanding liability protections, antitrust exemptions, and the protection of privilege could go a long way to enhancing critical information-sharing efforts.
Liability Protection Is Limited to Some Types of Sharing
CISA 2015 was intended to provide increased authority for cybersecurity information sharing between and among the private sector, the federal government, and state, local, tribal, and territorial governments. Under CISA 2015, a non-federal entity is generally authorized to share a CTI or DM for a cybersecurity purpose. Sharing can be with other private parties or with the government. Liability protections for sharing with the government are available only if that sharing is done through the DHS process. This means that a private sector organization sharing CTIs and DMs with DHS receives liability protections only if it shares through DHS’ AIS system or a similar mechanism under the statute. Those protections do not expressly extend to sharing with other U.S. departments and agencies, such as the Federal Bureau of Investigation (FBI) and the Secret Service. Broader liability protections for sharing information outside of DHS AIS channels could encourage more collaborative activity and the sharing of more information with additional stakeholders and investigative agencies.
Certain Narrow Definitions Impact Protections
CISA 2015 permits information sharing about CTIs and the use of DMs where there is a “cybersecurity purpose,” defined as “the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.” The term “cybersecurity purpose” is also used as a limitation on an entity’s monitoring of information systems and the operation of DMs. As a result, each activity must be done for a cybersecurity purpose to receive liability protections. Stakeholders and policymakers could consider whether the definition of cybersecurity purpose should be expanded to include other activities and to protect other systems, networks, and assets beyond information systems and information on an information system.
“Cybersecurity threat” is defined under CISA 2015 as “an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.” Stakeholders may wish to evaluate whether this definition adequately covers the range of cyber threat activity today and for the foreseeable future. As with the definition of cybersecurity purpose, Congress could consider whether the definition should be scoped more broadly or explicitly to reach other systems or technology that an organization uses, which could be vulnerable to a cyberattack.
CISA 2015 limits the information a private sector entity can share through the DHS AIS system to CTIs and DMs. DM is defined as:
“an action, device, procedure, signature, technique, or other measure applied to an information system or information stored on, processed by, or transiting such information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.”
The statute explicitly authorizes the “operation” of DMs by a private entity “to protect the rights or property of such private entity … [or to] protect the rights or property” of another entity with written consent. However, the definition of DM excludes a measure that harms an information system not owned by the private entity operating the measure or another entity authorized to provide consent to the measure.
Congress and Government Experts Appear to Agree on Reauthorizing CISA 2015
The reauthorization of CISA 2015 was a hot topic during the January 22, 2025 House Committee on Homeland Security hearing entitled “Unconstrained Actors: Assessing Global Cyber Threats to the Homeland.” The panel of cybersecurity experts, composed of former government officials and private-sector experts, agreed strongly on the importance of reauthorizing CISA 2015 and expanding liability protections.
Former Acting National Cyber Director Kemba Walden warned that failure to renew CISA 2015 would undermine the government’s ability to interface with industry, including through the Joint Cyber Defense Collaborative, a public-private collaboration that plays a role in information sharing. She also suggested expanding the definition of cybersecurity purpose to cover cybersecurity frauds and scams. Other CISA 2015 priorities highlighted by the witnesses were increasing the speed at which the government shares information and having the intelligence community share in unclassified form.
Clean Reauthorization, or Update and Expand?
Some supporters of CISA 2015 believe Congress should pass a clean reauthorization bill to avoid bogging discussions down with controversial changes. Others may call for adjustments to key terms and expanded protections to encourage sharing. The interplay with new incident reporting rules being developed by DHS’ Cybersecurity and Infrastructure Security Agency (CISA) also adds some uncertainty. Finally, there are provisions that could be updated to reflect current DHS operations (e.g., the day-to-day responsibilities of the National Cybersecurity Communications and Integration Center have shifted to other CISA divisions).
Key Issues for Stakeholders
There are a variety of issues stakeholders may need to consider as CISA 2015 reauthorization discussions get underway.
- Should the definitions of CTIs, DMs, and cybersecurity purpose be amended to expand liability protections and encourage greater sharing?
- Should the exception allowing government use of shared information to inform regulation and enforcement be scaled back or eliminated?
- Should Congress extend liability protections to permit direct sharing with agencies and departments beyond DHS and without going through the AIS system?
- Should Congress direct DHS to share contextual information and increase the speed of sharing?
Conclusion
When CISA 2015 was passed 10 years ago, getting it over the finish line required bicameral and bipartisan consensus between many committees in the House and Senate, which resulted in a more limited information sharing framework than what the U.S. optimally needs to protect the private sector; the federal government; state, local, territorial, and tribal governments; and individuals. The coming months are the right time to communicate with Capitol Hill about whether there are improvements that need to be made to CISA 2015 for it to enable meaningful information sharing and adequate liability protections for the private sector in the face of growing cyber threats from nation-state actors and criminal organizations.