As the September 2025 expiration of the Cybersecurity Information Sharing Act (CISA 2015) looms, Congress faces a critical decision that will shape the future of national cyber defense. At a time when state-sponsored hackers and criminal syndicates are targeting U.S. critical infrastructure with growing precision, the ability for government and industry to share real-time threat intelligence is not a luxury — it’s a necessity. 

CISA 2015 has become a cornerstone of America’s cybersecurity posture. Letting it lapse would not only disrupt trusted information-sharing partnerships, but also send a dangerous signal to adversaries that the U.S. is retreating from coordinated cyber defense. Reauthorization is not just prudent policy — it is a national security imperative.

What is CISA 2015?

Passed with bipartisan support nearly a decade ago, CISA 2015 enables companies and government agencies to share cyber threat indicators and defensive measures in real time. It offers liability protections and privacy safeguards that make it possible for critical infrastructure operators, technology companies, and federal agencies to work together to identify, analyze, and respond to emerging threats. Importantly, it facilitates this cooperation while respecting civil liberties and privacy.

All information must be shared via a U.S. Department of Homeland Security (DHS)-sanctioned method. The preferred and most common method is Automated Indicator Sharing (AIS). The AIS program uses a specialized software program called the Trusted Automated Exchange of Indicator Information. Through this software, private sector companies can share and receive real-time information on cyber threats.

The AIS program is open to private sector participants as well as state, local, tribal, and territorial governments, foreign governments, and foreign private sector entities. Entities may also submit information through DHS’s National Cybersecurity and Communications Integration Center (NCCIC) website, as well as through email or other indirect methods such as through ISACs and ISAOs.

There are many safeguards to ensure this data is only being used for cybersecurity purposes. For example, non-federal entities are required to remove personal information before sharing threat indicators, and DHS is required to conduct a privacy review of received information.

Right now, CISA 2015 is an integral part of our national cyber defense strategy. It enables cybersecurity professionals in both the public and private sectors to act quickly when they see a threat, as well as share that threat information with their counterparts. It has become an essential part of how the U.S. defends itself from foreign adversaries, criminal hackers, and insider threats.

Why Reauthorization Is Urgent

CISA 2015 enables companies to share threat intelligence without fear of violating antitrust laws or breaching customer privacy. Without reauthorization, these protections fall. The legal certainty that encourages collaboration across sectors begins to falter. And ultimately, the real-time cooperation that stops cyberattacks before they spread could stop altogether.

Ari Schwartz, the director of the Cybersecurity Coalition, spoke about the potential benefits of reauthorizing CISA 2015 during a recent hearing on cybersecurity regulatory harmonization before the House Committee on Homeland Security’s Subcommittee on Cybersecurity and Infrastructure Protection.

A Better Alternative to Regulation

Rather than imposing prescriptive regulations, CISA 2015 embraces a public-private partnership (PPP) model that recognizes the complexity of the cybersecurity landscape. It encourages industry-led engagement to build resilience through collaboration, not through compliance. This approach has proven more flexible, more responsive, and more effective in managing fast-evolving cyber threats.

A Collective Effort

CISA 2015 ensures that no single company is left to face threats in isolation. When one organization detects a sophisticated phishing campaign or a zero-day vulnerability, it can share that information with others. Without it, companies may hesitate to share, fearing legal or reputational consequences. The result? Slower responses, more successful attacks, and a weaker national security posture.

The Bottom Line

Cybersecurity is a nationwide effort and CISA 2015 is the structure that enables cybersecurity operations to function. Reauthorizing CISA 2015 isn’t a bureaucratic box to check – it’s a national security imperative. As Congress considers next steps, it must act decisively to preserve one of the most effective tools we have to counter cyber threats. The safety of our digital infrastructure, our economy, and our society depends on it.

Stacy O'Mara & Andy Kotz
