US cyber collaboration faces gap after CISA expiration

The Cybersecurity Information Sharing Act (CISA 2015) officially expired on September 30, 2025, eliminating the legal framework that enabled government and industry to share cyber-threat data safely and consistently.

 

What happened

The expiration ended statutory protections that allowed private companies to voluntarily share threat indicators with the Department of Homeland Security without fear of legal exposure. The law, enacted in 2015, created a legal bridge between the federal government and private industry for sharing threat indicators such as malware signatures, IP addresses, and attack tactics. It provided liability protection for companies sharing data and privacy safeguards to ensure personal information was removed before data exchange. This framework enabled the bidirectional flow of cyber intelligence that protected hospitals, banks, utilities, and defense contractors from nation-state actors and criminal groups.

 

Going deeper

Federal agencies and private companies have scaled back voluntary exchange of threat intelligence since the law lapsed. Industry data shows:

  • The volume of indicators of compromise shared through formal channels has declined by more than 70%
  • Several sector-specific Information Sharing and Analysis Centers (ISACs) report 24-48-hour delays in disseminating alerts once handled automatically
  • Healthcare networks have seen a 12% increase in detected ransomware activity since early October, attributed to slower coordination on threat signatures
  • Energy and utilities operators report longer response times when facing nation-state actors' efforts to probe OT systems
  • Financial institutions note reduced visibility into cross-border fraud campaigns and business email compromise patterns

Without legal clarity and liability protections, organizations are hesitating to report incidents or indicators, creating data silos.

 

What was said

Senators Gary Peters (D-MI) and Mike Rounds (R-SD) introduced the "Protecting America from Cyber Threats Act" to renew the expired cybersecurity provisions.

Michael Centrella, head of public policy at SecurityScorecard and former assistant director at the U.S. Secret Service, stated that the expiration "represents an erosion of the trust, speed, and collaboration that underpin national resilience."

Centrella further emphasized that "each day without reauthorization erodes the trust, coordination, and shared visibility that have underpinned the resilience of America's most critical systems."

He noted that "in cybersecurity, no single actor can stand alone, and visibility, trust, and collaboration remain our strongest defenses. Anything less leaves us exposed."

 

By the numbers

  • CISA 2015 expired on September 30, 2025, after 10 years
  • Volume of shared threat indicators declined by more than 70% in weeks following expiration
  • ISACs report 24-48-hour delays in alert dissemination
  • Healthcare ransomware activity increased 12% since early October
  • The framework protected hospitals, banks, utilities, and defense contractors for a decade

In the know

The Cybersecurity Information Sharing Act created a two-part protection system: liability shields that allowed companies to share threat data without legal risk, and privacy safeguards that removed personal information before exchange. This balance enabled companies to voluntarily share indicators like malware signatures, software vulnerabilities, and malicious IP addresses with federal partners. The framework allowed near-real-time detection and coordinated mitigation of attacks across sectors. Without it, federal entities lose visibility into threats originating in private networks, while companies no longer benefit from federally curated indicators and cross-sector analysis.

 

Why it matters

Healthcare organizations face growing risk from this expiration. The 12% increase in detected ransomware activity since early October directly correlates with slower threat coordination. Healthcare networks rely on shared threat intelligence to identify attack patterns before they reach systems containing protected health information. The 24-48-hour delays in alert dissemination leave healthcare providers vulnerable during the crucial window when ransomware groups typically launch attacks. With adversaries exploiting automation and AI while healthcare faces reduced visibility into cross-sector threats, organizations must now defend against nation-state actors and criminal groups without the real-time intelligence that previously enabled coordinated defense. Each day without reauthorization increases the likelihood that healthcare data breaches will become more frequent and severe.

 

The bottom line

The expiration creates a national security risk with direct impact on healthcare cybersecurity. Congress must act swiftly to reauthorize information-sharing protections that enable healthcare organizations to defend against threats. Healthcare providers should evaluate their current threat intelligence sources and consider additional security measures to compensate for reduced federal coordination.

 

FAQs

Why did Congress allow the Cybersecurity Information Sharing Act to expire?

The expiration resulted from legislative gridlock and competing priorities in cybersecurity and privacy reform.

 

How does the absence of CISA affect private sector cyber risk management?

Without liability protection, companies are reluctant to share indicators, limiting visibility into emerging threats.

 

What temporary measures exist while Congress debates renewal?

Agencies are relying on informal sharing agreements and sector-based partnerships until new legislation passes.

 

How are small and mid-sized businesses impacted by this change?

They lose access to the same high-quality intelligence feeds larger organizations receive through federal channels.