Understanding the Cybersecurity Information Sharing Act (CISA) Expiration
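The CISA legislation expired on September 30, 2025, ending the legal protections and information-sharing mechanisms it provided. Even so, the CISA agency continues to operate and provide critical services. Organizations need to reassess their security strategies and consider alternative information-sharing channels to adapt to the new legal environment. 2025-10-7 09:0:0 Author: www.guidepointsecurity.com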

The Cybersecurity Information Sharing Act of 2015 (CISA) was a piece of legislation designed to improve cybersecurity in the United States through enhanced information sharing. As of September 30th, 2025, the act, and the protections it afforded, have expired.  

In this post, we provide context around CISA, detail what its expiration means for organizations, and offer guidance for how to move forward in the near term.

What Was CISA?

The CISA legislation was enacted in December 2015 as part of the Consolidated Appropriations Act of 2016. Its primary purpose was to encourage the sharing of cyber threat information between private sector entities and the government by:

  • Creating a voluntary framework for the exchange of cybersecurity threat information: Through a centralized reporting network, organizations that recognized or experienced a cyber threat or attack could share what they knew. The resulting database offered critical threat intelligence to organizations so they could respond and protect themselves in real time.
  • Providing liability protections for companies that shared cyber threat indicators and defensive measures: These protections offered an umbrella of safety for sharing threat intelligence. Organizations could not be sued for sharing information in good faith or face antitrust violations when collaborating on cybersecurity issues, provided they followed the established procedures.
  • Establishing the Department of Homeland Security (DHS) as the primary government entity to receive threat information: By centralizing threat intelligence through DHS’s Automated Indicator Sharing (AIS) system, the government preserved the accurate dissemination of information to both public and private entities while maintaining appropriate oversight.
  • Requiring federal entities to develop procedures to receive and share threat information: This two-way exchange encouraged information sharing in a way that built a cooperative threat intelligence community, with specified timelines and formats for sharing relevant data.
  • Including provisions for privacy protection and the removal of personal information: Scrubbing intelligence reporting of personal information accelerated and streamlined information sharing while reducing the risk of PII exposure. The law required specific protocols for removing unnecessary personally identifiable information before sharing.

What Remains Available Through The CISA Agency

CISA can mean one of two things: first, the legislation, passed in 2015; second, the federal agency of the same name, which was founded in 2018. It’s important to clarify that while the legislation has expired, the CISA federal agency continues to operate and will provide cybersecurity services and resources. Here’s what organizations can still access:

Automated Indicator Sharing (AIS): Though the legal liability protections have changed, the technical infrastructure for sharing cyber threat indicators remains operational. Organizations can still participate in the AIS program to receive machine-readable threat intelligence.

Vulnerability Management Resources: The Known Exploited Vulnerabilities (KEV) catalog continues to be maintained and updated. Vulnerability advisories and guidance for remediation remain available, and the coordination of vulnerability disclosures will continue.

Incident Response Support: CISA still provides incident response assistance to federal agencies, critical infrastructure, and state/local governments. The agency will continue to deploy teams to help organizations recover from significant cyber incidents.

Additional Advisory Services: CISA continues to provide comprehensive support for public and private organizations via the National Cybersecurity and Communications Integration Center (NCCIC). Organizations can still leverage CISA’s technical guidance, the “Shields Up” campaign resources, best practice recommendations, and collaborative programs like the Joint Cyber Defense Collaborative (JCDC), all while maintaining access to critical infrastructure partnership frameworks and sector-specific coordination.

What’s Different, and What Remains the Same

From a CISA perspective, the expired legislation means that the statutory liability protections for information sharing through CISA are no longer in effect. Organizations can still engage with CISA for cybersecurity assistance, but may want to add legal checks into their processes prior to information sharing. 

It’s important to remember, however, that CISA is not the only source of threat intelligence. While the expiration changes how organizations might use a significant US government-facilitated channel, it does not affect the broader landscape of threat intelligence platforms and data sources. Threat intelligence companies not operating under the CISA 2015 framework continue to offer their services without interruption. Additionally, industry-specific and open-source sharing groups maintain operations and liability protections that are separate from CISA 2015.

For most security teams, CISA was only one of many inputs into a larger threat intelligence ecosystem. The focus now shifts toward re-evaluating that mix of inputs and ensuring that partnerships and practices are aligned with the new legal landscape.

What You Can Do Today 

Regardless of whether or not your organization uses CISA as a primary intelligence source, industry shifts such as this often serve as both a catalyst and reminder to revisit best practices. 

GuidePoint Security recommends the following actions to strengthen your security posture:

Conduct Comprehensive Security Architecture Reviews

Now is an opportune time to conduct a security architecture review to ensure your systems are designed for resilience, even when threat intelligence might be delayed:

  • Evaluate your security architecture to ensure you are implementing best practices and adhering to proven cybersecurity frameworks.
  • Review network segmentation to limit lateral movement in case of compromise.
  • Assess your identity and access management (IAM) maturity to reduce dependence on perimeter defenses and protect valuable resources.
  • Evaluate your security stack for overlapping capabilities and potential gaps that threat intelligence previously helped address.

Enhance Incident Response Capabilities

With potential changes to information sharing dynamics, strengthening your independent incident response capabilities becomes even more critical:

  • Update incident response playbooks to account for potentially reduced external intelligence support.
  • Implement or enhance your endpoint detection and response (EDR) capabilities for better visibility across complex and distributed computing networks.
  • Consider advanced tools that correlate threats across multiple security layers.
  • Establish clear processes for internal threat hunting that don’t solely depend on external indicators.
  • Test your incident response capabilities through tabletop exercises and penetration testing focused on scenarios with limited external intelligence.

Leverage Trusted Information Sharing Communities

By cultivating trusted information-sharing relationships, you can continue gathering and sharing threat intelligence. The following practices will become even more valuable for the foreseeable future:

  • Engage with industry-specific ISACs (Information Sharing and Analysis Centers) where peer trust relationships often transcend regulatory frameworks.
  • Participate in regional cybersecurity alliances where local organizations face similar threats.
  • Consider trusted managed security service providers as intelligence partners who can aggregate and anonymize threat data.
  • Leverage private intelligence services to maintain access to curated, actionable threat information without direct exposure to liability concerns.
  • Establish direct peer-to-peer relationships with security leaders in your industry for informal information sharing.

Prioritize Security Hygiene and Foundational Controls

When threat intelligence might be less readily available, focusing on security fundamentals becomes even more important:

  • Maintain rigorous patch management processes with emphasis on CISA’s KEV catalog.
  • Implement robust access controls and authentication mechanisms.
  • Regularly audit and update security configurations across your environment, especially cloud and converged environments.
  • Consider advanced security validation services to test your defenses against the latest threat techniques.
  • Enhance employee security awareness training to create a human firewall within your organization.

By focusing on these proactive measures, your organization can maintain a strong security posture despite changes to CISA. GuidePoint Security stands ready to help you navigate these challenges through our comprehensive security services.

With the expiration of CISA’s liability protections, organizations face new considerations regarding their cybersecurity risk management approach. This shift makes it more important than ever to evaluate your cyber insurance coverage and legal preparedness.

GuidePoint Security’s comprehensive whitepaper, “Cyber Insurance & Legal Strategy: Mitigating Cyber Risks,” offers valuable insights that complement the strategies outlined in this blog:

  • Understand how cyber insurance policies work, and use this understanding to fuel discussions around potential adjustments in light of changing information-sharing liabilities.
  • Learn how to develop a cohesive strategy between your technical controls, legal preparations, and insurance coverage.
  • Discover best practices for documenting security controls to support both insurance applications and potential legal defenses.
  • Gain insights into how threat intelligence sharing practices should be reflected in your cyber insurance considerations.

Our experts can help you navigate both the technical and legal implications of CISA’s expiration, creating a comprehensive security strategy that addresses both your defensive capabilities and risk transfer mechanisms.



Brent Kelley

Principal Solution Architect,
GuidePoint Security

Brent Kelley is a Principal Solution Architect at GuidePoint Security, holding an M.S. in Cybersecurity Studies from American Military University (AMU). With over two decades of experience and a reputation as a trusted “go-to” leader, Brent specializes in designing and modernizing secure architectures that align with mission priorities and evolving cyber strategies. He develops technology roadmaps, provides strategic guidance across organizational levels, and helps customers maximize existing security investments while advancing toward modern best practices. Brent holds multiple industry certifications and provides global project support across the Defense, Energy, Transportation, and Intelligence sectors.


Source: https://www.guidepointsecurity.com/blog/understanding-cisa-expiration/