Cybersecurity Information Sharing Act Set to Expire

Summary
– CISA encourages companies to share cybersecurity threat information by providing liability protection and allowing anonymous reporting of suspicious activities.
– The act is set to expire in September 2025 unless reauthorized by Congress, which hasn’t happened yet due to political priorities like the debt ceiling debate.
– Shared threat data gets distributed among government agencies and other companies, helping create a comprehensive view of emerging risks by combining partial threat intelligence.
– Experts believe CISA will likely be renewed, possibly retroactively, though the process may take weeks or months after expiration, creating temporary uncertainty.
– While renewal is probable, some advocates see this as an opportunity to improve CISA for modern challenges like AI and expanded attack surfaces, though its absence would create a legal protection gap.
The Cybersecurity Information Sharing Act (CISA), a law designed to promote the exchange of cyber threat intelligence, is scheduled to sunset at the end of September 2025 unless lawmakers take action to renew it. This legislation offers legal safeguards to organizations that voluntarily report potential security risks, allowing them to share findings without fear of liability. As things currently stand, Congress has not yet moved to reauthorize the program.
According to Andrew Grosso, an attorney and former assistant U.S. attorney, the law enables companies to safely report suspicious software behavior. “If you discover something in your software that shouldn’t be there, and there are signs it could be monitoring your activities or damaging a system, you can report it,” he explains. The receiving government agency may or may not act on the information, but it will distribute the data to other agencies and potentially to other at-risk companies. Grosso adds that companies can also share threat intelligence directly with one another. “It opens a window on risk in real time,” he says. “It encourages reporting, protects the companies that do the reporting, and it tries to protect the identity of people who may be named as ‘suspects’, and the name of any known ‘victims’ of the threat.”
In essence, the framework promotes the flow of threat information and enables its wider distribution, all while safeguarding the privacy of individuals and organizations involved.
Given the clear security advantages CISA provides, why has it reached this uncertain point, and will it ultimately be renewed? The answer to the first question likely boils down to political dynamics and timing. The need to reauthorize CISA coincides with the separate, more urgent, and more contentious debate over raising the federal debt ceiling, which commands greater congressional attention.
Furthermore, the legislative effort required is more complex than a simple renewal. For instance, Senator Rand Paul is advocating for amendments that would allow individuals named in CISA reports to access more information about their inclusion, aiming to better protect civil liberties. This illustrates the kind of complication that could prevent a straightforward extension.
Will CISA be renewed? Grosso believes it almost certainly will be, likely with retroactive effect, though the process could take weeks or months, creating a period of uncertainty for information sharing. His confidence stems from the law’s demonstrated value. When a company detects suspicious network activity, it might stop that specific incident but remain unaware of the broader campaign. A single firm often sees only a fragment of the overall threat.
“You might have the legs and the tail, but you haven’t got the whole animal,” Grosso notes. “A different company may have the forearms, while another company has the torso. It’s only when you combine all these different parts that you get to see the whole animal.” Sharing threat data with the government enables this bigger picture. “The federal government can pour resources into problems that need fixing,” he states. “It can triangulate these different snippets of information from multiple sources to track down the full threat, motivated by the need to protect government, military, national security, critical infrastructure, and the broader private sector.”
Moiz Virani, CTO and co-founder at Momentum, also expects CISA to be renewed, though he hopes improvements will be made. “There’s a moderate to high chance that it will be renewed, but I don’t think it’s guaranteed,” he comments. “There’s a tailwind from the community for re-authorization, so it’s not going to die in silence.” Letting the law expire would create a significant gap by removing the liability protection that enables sharing. However, Virani doesn’t believe a lapse would be catastrophic. “I think of CISA as one tool in the CISO’s toolkit that would no longer be available. That gap might push security leaders making decisions to become more vigilant.”
He does see the renewal process as a chance for enhancement. “CISA wasn’t a super successful program, but it was practical and introduced productive legislation for vulnerability sharing. It moved in the right direction and achieved some successes. However, in today’s AI-driven world with a vastly expanded attack surface compared to a decade ago, there’s both a need and an opportunity to adopt a more proactive stance toward vulnerabilities overall.”
CISA is now in a state of limbo. Renewal is probable, and improvements are possible, but neither outcome is assured. If it is renewed, the action will likely be made retroactive, though that, too, is not guaranteed. This leaves chief information security officers with a pressing question: How should their organizations approach threat information sharing immediately after September 30, 2025?
(Source: Security Week)