The Cybersecurity Information Sharing Act of 2015 officially expired on September 30, 2025, removing legally guaranteed protections for organizations sharing cyber threat data with the federal government and private partners. The lapse came amid the current government shutdown and leaves private sector companies without the liability protections, Freedom of Information Act exemptions, and privilege waivers that served as incentives for voluntary cybersecurity information sharing. Industry experts are calling the 2015 law the most successful cyber legislation ever passed by Congress.
Congressional deadlocks delay critical cybersecurity law renewal
Senator Gary Peters introduced the Protecting America from Cyber Threats Act to update the expired legislation with a ten-year extension and retroactive coverage for the current lapse period. The Michigan Democrat changed the bill’s name to avoid confusion with the Cybersecurity and Infrastructure Security Agency, which has been criticized by some Republicans for alleged social media censorship activities. Peters stressed that the legislation deals only with information-sharing protections and does not reauthorize agencies.
Senator Rand Paul has repeatedly objected to Peters’ floor attempts to extend the original law, citing free speech concerns about the CISA agency's operations. Paul dropped plans for his own markup of renewal legislation in September, complaining that Democrats were not negotiating in good faith on free speech guarantees. A representative of the Kentucky Republican, testifying before the FCC, affirmed that any longer-term reauthorization would have to include strong free speech protections in the final legislation.
Industry players require long-term certainty for their business operations
Michael Daniel, leader of the Cyber Threat Alliance, cautioned that if the lapse continues for an extended period, it could prompt organizations to question their information-sharing practices. He stressed that sophisticated cybersecurity operations need long-term assurance rather than temporary patches to keep threat intelligence sharing programs effective.
Government shutdown adds to cybersecurity vulnerabilities across the country
The expiration of the law coincided with the federal government shutdown, making it even more difficult to coordinate national cybersecurity efforts. Organizations that previously benefited from CISA 2015 now risk legal exposure when they share sensitive threat intelligence with government agencies and private sector partners. The shutdown blocked the inclusion of a shorter-term extension in the House-passed continuing resolution, which failed to move in the Senate.
Peters rejected proposals for short-term extensions, saying long-term certainty is what stakeholders need to run good cybersecurity programs. He pointed out that businesses simply cannot operate on frequent patches lasting a few weeks each, which are insufficient for advanced cybersecurity operations. The senator expressed confidence that his bill would pass by an overwhelming majority if brought to a floor vote.
Trump administration lobbies senators for quick reauthorization
The Trump administration has been actively lobbying senators in support of CISA 2015 reauthorization because of the critical importance of maintaining cybersecurity information sharing capabilities. Senate Majority Leader John Thune has discussed procedural options for moving the legislation through normal Senate proceedings.
The private sector is exposed to growing legal risks
Without CISA 2015 protections, organizations exchanging cyber threat information potentially face liability, FOIA requests, and the loss of legal privilege protecting that information. Industry groups have said the protections are crucial to keeping security information sharing networks robust enough to defend against sophisticated cyber threats. Companies are therefore forced to rethink their information-sharing practices and keep track of legislative efforts to reintroduce protective frameworks.
The lapse of America’s premier cybersecurity information sharing law during a government shutdown creates unprecedented vulnerabilities in national cyber defense capabilities. While threat sharing can continue voluntarily, the lack of legal protection might discourage participation in critical information-sharing programs. Swift congressional action is still needed to restore these important cybersecurity protections and ensure strong national cyber defense coordination.