Cybersecurity at Risk: CISA 2015 Lapses Amid Government Shutdown

The expiration of CISA 2015 weakens cyber defenses, limiting info-sharing protections and raising risks for CISOs and security leaders.

Written By
Ken Underhill
Oct 2, 2025

The expiration of the Cybersecurity Information Sharing Act of 2015 (CISA 2015) during the US government shutdown has weakened the nation's cyber defenses.

Without this law, companies lose liability protections for sharing threat intelligence, creating a chilling effect on the flow of critical information. 

“Now, the private sector is going to be very reluctant to tell anybody what happens to them,” Mike Hamilton, field CISO of Lumifi Cyber and former CISO of Seattle, told CSO.

What CISA 2015 provided

CISA 2015, enacted a decade ago, established a framework that allows private companies to share cyber threat indicators with federal agencies while shielding them from certain regulatory and legal consequences of doing so.

The law played a pivotal role in reducing barriers to the sharing of cyber threat information. It gave companies the legal ability to monitor their own and customers’ networks for intrusions, and it shielded shared data under exemptions from antitrust liability, Freedom of Information Act requests, and other disclosure risks.

These protections enabled real-time sharing across critical sectors, including energy and financial services. 

In practice, the law removed much of the hesitation surrounding the exchange of indicators of compromise (IoCs), such as malicious IP addresses or attack techniques, as legal teams could sign off more quickly. Without it, security leaders must tread cautiously, slowing down collaboration at a moment when speed is essential.

Its expiration on Sept. 30, 2025, leaves organizations more vulnerable and reduces the government’s visibility into emerging threats. The law was not reauthorized due to legislative gridlock during the shutdown, despite broad bipartisan support and backing from the cybersecurity sector. 

Experts warn that the absence of liability protections may discourage collaboration at a time when adversaries are increasingly sophisticated.

The impact of the lapse

The effect of the law's expiration will depend largely on how long it remains lapsed. In the short term, experts predict a minimal impact, with only temporary hesitancy.

However, if the lapse stretches into weeks or months, organizations may significantly reduce intelligence-sharing practices, undermining collective defense. 

Ari Schwartz, executive director at the Center for Cybersecurity Law and Policy and partner at law firm Venable, told CSO: “If it goes for some period of time, not having this provision is going to have an impact.”

Sectoral impacts will vary. Organizations that already had robust, pre-2015 information-sharing agreements, such as those within Information Sharing and Analysis Centers, may continue without significant disruption. However, industries that relied heavily on CISA 2015’s legal cover may find themselves constrained.

From a legal perspective, chief information security officers are advised to consult in-house or external counsel before entering into any new information-sharing arrangement. That review step adds delay to each exchange and can leave gaps in visibility and defense while it runs.

Keeping defenses strong during the gap

Until Congress reauthorizes the law, CISOs and security teams should:

  • Engage legal counsel immediately to review current information-sharing practices, document decisions, and ensure compliance with all applicable regulations.
  • Leverage existing ISAC agreements and trusted partner networks to maintain intelligence flows outside CISA 2015's protections.
  • Strengthen internal monitoring and detection capabilities while also subscribing to third-party threat intelligence services to reduce reliance on federal feeds.
  • Adopt a layered defense strategy with multi-factor authentication, segmentation, least-privilege access, and proactive incident response planning.
  • Conduct resilience exercises and tabletop tests that simulate incidents without federal support to validate readiness.
  • Reinforce supply chain and insider risk programs by tightening vendor security assessments, employee training, and insider-threat detection.
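The article's point that sharing still matters in practice comes down to IoCs like the malicious IP addresses and attack techniques mentioned above being matched against your own telemetry. The following is an added example, not code from the article or from any ISAC or vendor, showing the internal-monitoring side: it loads a small, constructed IoC feed (IPs, a CIDR range, a domain, a SHA-256) in the shape a sharing partner or third-party feed might deliver, and scans constructed firewall, proxy and EDR log lines for matches. The feed values are documentation/reserved ranges and the empty-file SHA-256, chosen so nothing here refers to a real threat; the log format and field names are assumptions for the example.

```python
"""Match a shared IoC feed against log lines (added example; constructed data only)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IoC feed: documentation IP ranges and the SHA-256 of the empty file.
# Not real indicators. "source" records which sharing partner supplied each IoC.
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "partner-isac"},
    {"type": "ipv4-net", "value": "198.51.100.0/24", "source": "partner-isac"},
    {"type": "domain", "value": "update.example.net", "source": "vendor-feed"},
    {"type": "sha256",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "source": "vendor-feed"},
]

# Constructed log lines (assumed key=value format); not real telemetry.
SAMPLE_LOGS = [
    "2025-10-01T08:12:01Z fw allow src=10.0.4.17 dst=203.0.113.45 dport=443",
    "2025-10-01T08:12:05Z proxy GET host=update.example.net client=10.0.4.17 status=200",
    "2025-10-01T08:13:10Z fw allow src=10.0.4.9 dst=198.51.100.77 dport=22",
    "2025-10-01T08:14:00Z edr exec host=ws-17 "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2025-10-01T08:15:00Z fw allow src=10.0.4.9 dst=192.0.2.8 dport=443",
    "2025-10-01T08:16:30Z proxy GET host=cdn.update.example.net client=10.0.4.22 status=302",
]

IP_RE = re.compile(r"\b(?:src|dst|client)=(\d{1,3}(?:\.\d{1,3}){3})")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")
SHA256_RE = re.compile(r"\bsha256=([0-9a-fA-F]{64})")


@dataclass
class Hit:
    line_no: int
    ioc_type: str
    ioc_value: str   # the indicator as published in the feed
    observed: str    # the value actually seen in the log line
    source: str      # which feed/partner supplied the indicator


@dataclass
class IocIndex:
    ips: dict      # IPv4Address -> (feed value, source)
    nets: list     # [(IPv4Network, feed value, source)]
    domains: dict  # normalised domain -> (feed value, source)
    hashes: dict   # lowercase sha256 -> (feed value, source)


def build_index(feed):
    """Normalise the feed once so per-line matching is cheap."""
    idx = IocIndex(ips={}, nets=[], domains={}, hashes={})
    for ioc in feed:
        t, v, s = ioc["type"], ioc["value"], ioc["source"]
        if t == "ipv4":
            idx.ips[ipaddress.ip_address(v)] = (v, s)
        elif t == "ipv4-net":
            idx.nets.append((ipaddress.ip_network(v), v, s))
        elif t == "domain":
            idx.domains[v.lower().rstrip(".")] = (v, s)
        elif t == "sha256":
            idx.hashes[v.lower()] = (v, s)
    return idx


def match_line(line_no, line, idx):
    hits = []
    for raw in IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:      # e.g. an octet > 255 slipped past the regex
            continue
        if ip in idx.ips:
            v, s = idx.ips[ip]
            hits.append(Hit(line_no, "ipv4", v, raw, s))
        for net, v, s in idx.nets:
            if ip in net:
                hits.append(Hit(line_no, "ipv4-net", v, raw, s))
    for h in HOST_RE.findall(line):
        # Walk parent labels so a subdomain of a listed domain also matches,
        # but never match on the bare TLD.
        labels = h.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if cand in idx.domains:
                v, s = idx.domains[cand]
                hits.append(Hit(line_no, "domain", v, h, s))
                break
    for d in SHA256_RE.findall(line):
        if d.lower() in idx.hashes:
            v, s = idx.hashes[d.lower()]
            hits.append(Hit(line_no, "sha256", v, d, s))
    return hits


def scan(lines, feed):
    """Return every IoC hit across the given log lines, in line order."""
    idx = build_index(feed)
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(match_line(n, line, idx))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS, IOC_FEED):
        print(f"line {h.line_no}: {h.ioc_type} {h.ioc_value} "
              f"(seen as {h.observed}) via {h.source}")
```

Carrying the feed source through to each hit is the part worth keeping in a real deployment: when a legal review later asks where an indicator came from and under what agreement, the answer is already in the alert rather than reconstructed from memory.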

By taking these proactive steps, organizations can sustain strong cyber resilience and reduce risk even while federal information-sharing protections remain in limbo.

When gridlock becomes a security risk

The lapse underscores how political gridlock can weaken national cybersecurity. 

As Nathaniel Jones, VP of Security and AI Strategy at Darktrace and former CISA section chief, told CSO, “If the law remains lapsed for a lengthy period, that will diminish capabilities across the industry to share and enhance real-time sharing of cyber threat indicators.” 

Most observers expect Congress to eventually restore the law, either through a short-term extension or a longer reauthorization, with some proposals calling for a new 10-year window.

However, the uncertainty highlights a deeper systemic risk: US cybersecurity resilience depends not just on technology and best practices but also on political stability and legislative foresight.

As the Cybersecurity and Infrastructure Security Agency (CISA) stated in a recent comment to CSO, “The Cybersecurity Information Sharing Act of 2015 remains vital to this mission and allowing it to lapse would be a serious blow. CISA will continue its mission, but America’s defenders deserve both the tools and the support to meet growing threats.”

While technical defenses continue to advance, information-sharing remains one of the strongest collective tools against cyber threats. The lapse of CISA 2015 demonstrates how quickly trust, cooperation, and visibility can erode without legal protections. 

For security teams, the key takeaway is to strengthen internal defenses, rely on established agreements, and plan for uncertainty, since every added delay in acting on shared intelligence widens the window an attacker can use.

As legal and political uncertainties persist, zero-trust principles give organizations a way to keep visibility and control over their own environments regardless of the status of federal sharing protections.
