CISA 2015 Has Sunset. Now What?
The Cybersecurity Information Sharing Act of 2015 (CISA 2015), an important law used by governmental and private-sector entities to share "cyber threat indicators" and "defensive measures," has sunset. Although Congress was widely expected to renew the law just a few months ago, legislative efforts stalled ahead of CISA 2015's September 30, 2025, sunset date.
Companies that rely on CISA 2015 to provide and receive crucial information about cyber threats and defensive measures should immediately examine their data sharing relationships to determine whether they may continue to share such information in light of the law's expiration. The law became increasingly important throughout its life given the proliferation of state data privacy laws and class action suits related to data privacy and security.
This blog post summarizes CISA 2015, discusses recent efforts and debates related to the law's renewal, and identifies several important next steps for companies that rely on CISA 2015 to share cyber threat information. Note that CISA 2015 is distinct from the Cybersecurity and Infrastructure Security Act of 2018 (CISA 2018), which created the Cybersecurity & Infrastructure Security Agency (CISA). Sunset of CISA 2015 does not affect CISA's core statutory authorities but may severely limit CISA's cyber information sharing efforts. Moreover, debates about CISA's role have become central to the debate about the renewal of CISA 2015.
Overview of CISA 2015
CISA 2015 was enacted in December 2015 to facilitate public and private-sector sharing of information related to cyber threats and defensive measures. Key provisions of the law include:
- Express authorization for private entities to monitor their information systems for cyber threats and to employ defensive measures. 6 U.S.C. § 1503(a), (b).
- Express authorization for private entities to share cyber threat indicators and defensive measures with public and private-sector entities for a "cybersecurity purpose." Id. at § 1503(c). The term "cybersecurity purpose" is defined broadly as "the purpose of protecting an information system … from a cybersecurity threat or security vulnerability." Id. at § 650(6).
- A requirement that companies take steps to remove any personally identifiable information that is not "directly related" to a cybersecurity threat before sharing any cyber threat indicator or defensive measure. Id. at § 1503(d)(2). Companies also must implement controls to secure cyber threat indicators and defensive measures from unauthorized access or acquisition. Id. at § 1503(d)(1).
- A directive to the Department of Justice (DOJ) and Department of Homeland Security (DHS) to issue public guidance for non-federal entities on sharing cyber threat indicators in compliance with CISA 2015. Id. at § 1504(a)(4). DOJ and DHS issued the original version of this guidance in 2016 and subsequently issued two updated versions. The most recent version was published in April 2024. CISA 2015 also directs DOJ and DHS to issue various procedures and privacy and civil liberties guidelines on federal receipt and use of cyber threat indicators. Id. at § 1504(a)(1)-(3), (b). Copies of these procedures and guidelines are available on the CISA website.
- A directive to DHS to develop a "real time, automated process" for sharing cyber threat indicators and defensive measures with the federal government. Id. at § 1504(c)(1)(B). This directive is the basis of CISA's Automated Information Sharing (AIS) program. A recent report from the DHS Office of Inspector General found that CISA had not finalized plans to maintain the AIS program after the sunset of CISA 2015, potentially putting the program in jeopardy.
- Significant preemption and liability protections for entities that comply with CISA 2015. For instance:
  - Companies that monitor information systems, operate defensive measures, and share cyber threat indicators and defensive measures in compliance with CISA 2015 do so "notwithstanding any other provision of law," meaning that companies may engage in those activities even if doing so violates another federal, state, or local law. Id. at § 1503(a)(1), (b)(1), (c)(1).
  - Companies also are shielded from liability for engaging in activities, including data sharing, authorized by CISA 2015. Id. at § 1505(a), (b). The law provides that sharing cyber threat indicators and defensive measures in compliance with CISA 2015 is not an antitrust violation. Id. at § 1503(e).
  - CISA 2015 also includes specific protections for cyber threat indicators and defensive measures shared with the federal government, including protections for the attorney-client privilege and proprietary information, prohibitions on use of such information for federal, state, and local regulation and enforcement actions, and exemptions to disclosure under the Freedom of Information Act (FOIA). Id. at § 1504(d).
CISA 2015 also includes a sunset clause, under which the law expired on September 30, 2025. Id. at § 1510(a). Actions taken in compliance with CISA 2015 while the law was in effect remain entitled to the liability protections described above. Id. at § 1510(b).
Proposals to Renew CISA 2015
Renewal of CISA 2015 has received strong support from industry groups and many lawmakers. In May 2025, a coalition of 52 industry organizations across numerous sectors urged Congress to renew the law before it sunset, calling the law "a cornerstone of American cybersecurity." On September 2, 2025, Rep. Andrew Garbarino, chair of the House Committee on Homeland Security, introduced the Widespread Information Management for the Welfare of Infrastructure and Government (WIMWIG) Act to renew CISA 2015 for 10 years—until 2035—and to make some modest amendments. Among other changes, the WIMWIG Act would permit companies to use AI to remove personally identifiable information from cyber threat indicators and defensive measures and would extend certain preemption and liability protections to uses of AI for cybersecurity purposes. Other amendments would bolster CISA outreach to rural owners or operators of critical infrastructure and speed dissemination of cyber threat information to state, local, tribal, and territorial governments. The WIMWIG Act unanimously cleared the House Committee on Homeland Security on September 3.
Despite widespread support for renewing CISA 2015, the WIMWIG Act has received opposition from some lawmakers, including Sen. Rand Paul. As we have discussed previously in a post about federal cybersecurity priorities, Paul and other Republican lawmakers have been critical of CISA, alleging that the agency infringed on free speech and suppressed conservative voices as part of its effort to combat disinformation. Paul, who previously has said he would like to eliminate CISA entirely, has blocked efforts to renew CISA 2015 until the law is amended to include anti-censorship limits on CISA. The WIMWIG Act contains no such provisions.
As a stopgap, a continuing resolution passed on September 19, 2025, included a short-term extension of CISA 2015 until November 21, 2025. However, the continuing resolution subsequently failed in the Senate, and debates about renewal of CISA 2015 have been eclipsed by much larger debates about government funding. Other efforts to advance renewal in the House and Senate also have failed.
Next Steps for Companies
The prospects of an eventual renewal of CISA 2015 remain strong given the law's widespread support. But until Congress renews the law, companies must act quickly to review their cyber threat information sharing relationships and to mitigate any risks. Companies should review any formal agreements they have with governments and other private-sector entities, as well as less formal memoranda of understanding (MOUs) or other arrangements. Companies also should examine their participation in information sharing and analysis centers (ISACs) and other intel sharing consortia and public-private partnerships, many of which cite CISA 2015 as a foundation of their cyber information sharing activities.
Companies should consider the following when reviewing these relationships:
- What laws may restrict sharing of cyber threat information? Since CISA 2015 first went into effect, 22 states have enacted so-called "comprehensive" data privacy laws that restrict use and disclosure of personal data. These laws define personal data broadly to include certain data that may be shared as cyber threat intelligence, including IP addresses, browsing history, and location information. Disclosure of cyber threat information that contains personal data also may implicate various federal sectoral laws, including the Gramm-Leach-Bliley Act (GLBA) for financial institutions, the Stored Communications Act (SCA) and Electronic Communications Privacy Act (ECPA) for providers of "electronic communications services" and "remote computing services," and the Health Insurance Portability and Accountability Act (HIPAA) for certain healthcare entities, including healthcare providers and health plans.
- Do provisions of other laws support the sharing of cyber threat information? While many federal and state laws restrict the disclosure of personal information, most of those laws have exceptions that may permit companies to share information for the purposes of preventing, detecting, and responding to cyberattacks. For example, most comprehensive state privacy laws include broad exemptions for use and disclosure of personal data that "prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action." See, e.g., Va. Code Ann. § 59.1-582(7). Federal laws include similar exemptions. For example, the SCA allows providers of covered services to disclose customer communications and information to governmental and private-sector entities "as may be necessarily incident to … the protection of the rights or property of the provider…" 18 U.S.C. § 2703(b)(5), (c)(3). Regulation P, a Consumer Financial Protection Bureau (CFPB) regulation issued under GLBA, permits covered financial institutions to disclose personal data to protect the security of customer records and to protect against "actual or potential fraud, unauthorized transactions, claims, or other liability." 15 C.F.R. § 1016.15(a)(2)(i)-(ii).
  - Note, however, that applicable laws are not uniform with respect to these types of exceptions. Notably, the California Consumer Privacy Act (CCPA) provides a more limited exemption for combating fraud and other illegal activity that is applicable only to disclosures of personal data to law enforcement agencies.
- How can the company minimize risks of sharing cyber threat information? Companies should consider suspending any sharing of cyber threat information that may violate federal or state laws until CISA 2015 is renewed, unless a relevant exception applies. Companies also should consider how they can reduce legal risks of sharing such information, particularly through data minimization, aggregation, anonymization, and pseudonymization. To the extent the company can remove personal data from cyber threat information—for example, by removing unnecessary personal data or providing data in anonymized form—it can reduce its risks of sharing data in violation of privacy laws or of being subject to class action suits alleging that disclosure of the data was unlawful.
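The data minimization step above (and the § 1503(d)(2) requirement to strip personal information not directly related to the threat) can be made mechanical. The following is an added illustration, not code from the post or from DWT: it assumes a constructed indicator record with a field schema of our own choosing and a per-organization secret key held outside the shared data.

```python
import hashlib
import hmac
import re

# Assumed schema (not from the post). Fields describing the threat itself are shared verbatim.
THREAT_FIELDS = {"indicator_type", "indicator_value", "observed_at", "malware_family"}
# Victim-side identifiers: replaced by a keyed pseudonym so repeated reports about the
# same host still correlate for recipients without disclosing who the victim is.
PSEUDONYMIZE_FIELDS = {"victim_host", "victim_user"}
# Free-text fields: kept, but e-mail addresses inside them are redacted.
REDACT_TEXT_FIELDS = {"description"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic HMAC-SHA256 pseudonym; without `key` (an org secret, assumed to live in a
    secrets store) a recipient cannot reverse or cheaply brute-force the original value."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_indicator(record: dict, key: bytes) -> dict:
    """Return a copy of `record` containing only threat data, pseudonyms and redacted text.
    Any field not in one of the three allowlists (names, addresses, ticket notes) is dropped,
    which is the minimization posture the post recommends: share what describes the threat,
    nothing that merely describes the people touched by it."""
    out = {}
    for field, value in record.items():
        if field in THREAT_FIELDS:
            out[field] = value
        elif field in PSEUDONYMIZE_FIELDS:
            out[field] = pseudonym(str(value), key)
        elif field in REDACT_TEXT_FIELDS:
            out[field] = EMAIL_RE.sub("[email redacted]", str(value))
    return out


SAMPLE_RECORD = {  # constructed sample, not a real report
    "indicator_type": "url",
    "indicator_value": "http://example.com/login",  # placeholder phishing URL
    "observed_at": "2025-10-01T12:00:00Z",
    "malware_family": "generic-phish",
    "victim_host": "WS-1042",
    "victim_user": "jdoe",
    "employee_name": "Jane Doe",
    "employee_home_address": "1 Main St",
    "description": "User jdoe@example.com clicked the link; reported by ext 2231.",
}

if __name__ == "__main__":
    print(scrub_indicator(SAMPLE_RECORD, b"org-secret-key-placeholder"))
```

The allowlists are the policy decision; reviewing them against each sharing agreement is the legal work the post describes, and the code only enforces whatever that review settles on.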
Looking Ahead
DWT's privacy and security team regularly advises companies across sectors on sharing cyber threat information with public and private-sector entities, and on responding to government requests for personal and other sensitive information. We will continue to monitor relevant developments, including the ongoing debates about renewal of CISA 2015.