When the Colonial Pipeline ransomware attack paralyzed fuel distribution across the East Coast in 2021, both government and private entities raced to exchange cyber threat data to prevent further disruption. That rapid collaboration was made possible, in large part, by the Cybersecurity Information Sharing Act of 2015 (“CISA 2015” or “the Act”), which, for nearly a decade, provided companies the legal confidence to share cyber intelligence without fear of liability or exposure.
Now, that confidence is gone. On September 30, 2025, CISA 2015 expired, along with the safe harbors that once enabled trusted collaboration across industries. Efforts to renew the Act stalled amid the ongoing federal government shutdown, leaving its future uncertain.
A Framework Built on Trust
Recognizing that cyber threat intelligence is most effective when it is shared broadly and quickly, Congress enacted CISA 2015 to strengthen the nation’s cybersecurity posture and remove the legal and operational barriers that discouraged information sharing.
To implement that vision, CISA 2015 established a voluntary framework for exchanging cyber threat indicators and defensive measures between the federal government and non-federal entities, including private companies, state and local governments, and operators of critical infrastructure. The Act recognized that modern cyber threats evolve too quickly and cross too many sectors for any single organization to address alone.
To encourage participation, Congress incorporated several key protections:
- Freedom of Information Act (FOIA) Exemption: Information shared with the federal government was shielded from disclosure under FOIA and comparable state laws, protecting sensitive business and security data.
- Antitrust Exemption: The framework allowed companies to share threat indicators and defensive measures without fear of violating antitrust laws.
- Liability Protection: Private entities that monitored their systems or shared information in good faith were protected from civil liability.
- Voluntary Participation: The Act imposed no obligation to share or to act on received information, preserving flexibility for participants.
- Authorization for Defensive Measures: CISA 2015 explicitly authorized network monitoring and deployment of defensive tools to detect and mitigate cyber threats.
Together, these provisions reduced the legal friction that had historically deterred collaboration and positioned CISA 2015 as a cornerstone of national cyber defense.
The Impact of CISA’s Expiration
With CISA 2015 no longer in effect, organizations can still exchange information with one another and with government agencies, but they must now do so without the liability, antitrust, and disclosure protections that once minimized risk.
The loss of those safe harbors may discourage participation. Organizations that previously engaged in information sharing initiatives may now limit what they disclose or withdraw entirely, concerned that shared data could become discoverable in litigation, scrutinized by regulators, or viewed as raising antitrust concerns.
Even well-intentioned exchanges of technical data may now carry greater legal and reputational exposure. As a result, some entities may narrow their involvement or withdraw from sharing networks altogether, eroding the visibility that CISA 2015 helped to build. In practice, sharing remains permissible, but without CISA’s protections it requires stronger oversight and a higher tolerance for legal risk.
Why It Matters Now
The expiration of CISA 2015 comes at a pivotal time for cybersecurity. The threat landscape continues to evolve, with AI-enabled attacks, supply chain intrusions, and ransomware campaigns targeting both government systems and private enterprises. Without a trusted framework to support collaboration, information sharing may slow, undermining collective efforts to detect and contain emerging threats.
In the absence of CISA’s statutory protections, organizations must determine how to share information responsibly while managing greater legal and regulatory uncertainty. Effective coordination depends on contractual safeguards, internal oversight, and active communication between legal, cybersecurity, and compliance teams.
Practical Steps for Organizations
Until Congress enacts a successor framework, organizations should take proactive steps to manage the legal and operational risks associated with continued information sharing:
- Reevaluate internal policies. Review existing procedures to ensure they reflect the absence of CISA’s liability and disclosure protections.
- Use structured agreements. When sharing threat intelligence, rely on nondisclosure agreements, consortium charters, or memoranda of understanding to preserve confidentiality and privilege.
- Limit sensitive content. Share only the technical details necessary to support detection or mitigation efforts, and remove data that could expose proprietary systems or customer information.
- Coordinate legal and technical teams. Ensure that counsel, cybersecurity, and compliance professionals jointly evaluate sharing arrangements to align legal risk with operational needs.
- Monitor developments. Stay informed on legislative and regulatory initiatives that may reintroduce safe harbors or establish new collaboration models in the years ahead.
While no checklist can replace the certainty that CISA 2015 provided, these measures can help organizations continue to share responsibly, demonstrate good-faith cybersecurity governance, and preserve the benefits of collective defense.
Conclusion
The expiration of CISA 2015 does not diminish the need for collaboration; it underscores it. As cyber threats grow more sophisticated and interconnected, information sharing is more important than ever. Whether in energy, government, finance, healthcare, or technology, the strength of our collective resilience depends on how effectively we share intelligence and act on it.
Until a modern framework restores the trust and legal certainty that CISA 2015 once provided, responsible information sharing will remain one of the most critical and vulnerable elements of national cybersecurity.
This DarrowEverett Insight should not be construed as legal advice or a legal opinion. This Insight is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. Please reach out to us if you need help addressing any of the issues discussed in this Insight, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.