At the end of the month, a prominent law passed to promote cybersecurity defenses, the Cybersecurity Information Sharing Act of 2015 (CISA 2015 or “the Act”), will lapse absent reauthorization by Congress and the President. Signed into law by President Obama in December 2015, CISA 2015 established a voluntary information-sharing process between private entities and the federal government with respect to cyber threat indicators and defensive measures, increasing awareness of new threats and potential mitigation techniques across critical sectors.
In this alert, we provide background on CISA 2015, outline the current state of play in Congress, and highlight some of the potential implications that could result from CISA 2015’s expiration.
Background on CISA 2015
CISA 2015 was created to encourage private and public sector entities to monitor networks for cyber threats and to share cyber threat data with one another. The Act pursues these policy objectives through three core concepts:
First, the Act promotes information sharing by the federal government with private entities. The Act specifically requires the Director of National Intelligence (DNI), the Secretary of the Department of Homeland Security (DHS), the Secretary of the Department of Defense (DoD), and the Attorney General (AG) to develop and issue procedures facilitating the sharing of classified and unclassified cyber threat indicators and defensive measures with the private sector. 6 U.S.C. § 1502(a). Since the law was passed, seven agencies have adopted implementing procedures and increased information sharing with the private sector. For example, in 2020, DHS shared 12,000,000 unclassified threat indicators and defensive measures with private entities, as compared with 300,000 in 2017—a 3,900% increase.
Second, the Act authorizes monitoring of private sector networks for a cybersecurity purpose “notwithstanding any other provision of law.” 6 U.S.C. § 1503(a). This portion of CISA 2015 was put in place to encourage private entities to pursue robust network monitoring despite concerns about various privacy and surveillance laws. Specifically, the Act authorizes private entities to (1) monitor their own information systems or the information systems of another entity (federal or non-federal) with that entity’s authorization and written consent; (2) monitor the information stored on, processed by, or transiting such an information system; and (3) operate a defensive measure on their own information systems to protect their rights or property, or on the information systems of another entity (federal or non-federal) with that entity’s written consent to protect that entity’s rights or property. Id. § 1503(a)(1), (b)(1). CISA 2015 also provides liability protection for monitoring information systems in accordance with the provisions described above (though not for the operation of defensive measures). Id. § 1505(a).
Third, the Act bestows special protections on information that is shared consistent with rules established by CISA 2015. Key protections in this regard include protection from the waiver of any evidentiary privilege when information is shared under the Act, limits on the government’s ability to use shared information for regulatory enforcement, and liability limitations. Id. §§ 1504(d), 1505(a)–(b).
Of course, these authorities and protections are not boundless. To fall within the Act’s authorization and protections, monitoring and information sharing must abide by the Act’s requirements. Specifically, monitoring must be conducted for a cybersecurity purpose and be conducted by an appropriate authorized entity. For information sharing to be authorized and protected under the Act, the information must (a) be either a “cyber threat indicator” or a “defensive measure”; (b) have been either manually or automatically reviewed to identify and remove personal information; and (c) be shared for a “cybersecurity purpose.” Id. § 1503.
Under the Act, a “cybersecurity purpose” is defined as “the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.” Id. § 1501(4). Cyber threat indicators include information necessary to identify or describe “malicious reconnaissance,” “a security vulnerability,” “malicious cyber command and control,” or “actual or potential harm caused by an incident.” Id. § 1501(6). Defensive measures include actions, devices, techniques or procedures “applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.” Id. § 1501(7). While the deployment of sensors may broadly be for a cybersecurity purpose (e.g., assisting DoD in protecting its networks or helping a private company protect its network), broad collection of information transiting private networks by the government is unlikely to meet all of the CISA 2015 sharing requirements.
State of Play
On September 2, 2025, House Committee on Homeland Security Chair Andrew Garbarino (R-NY) introduced the Widespread Information Management for the Welfare of Infrastructure and Government Act, which would leave core tenets of CISA 2015 largely unchanged and reauthorize the law for 10 years. The draft legislation also would make relatively minor amendments to the law to address artificial intelligence (AI) technology and would require the Secretary of DHS to create an “outreach plan” targeted at small entities and regularly update the House and Senate Homeland Security committees.
More specifically, the draft legislation would amend CISA 2015 to ensure that nothing in 6 U.S.C. § 1503(c), which enables private entities to share cyber threat indicators and defensive measures with the federal government and private entities, may be construed “to preclude the use of artificial intelligence that is developed or strictly deployed for cybersecurity purposes in carrying out the activities authorized under [§1503(c)].” Furthermore, the draft legislation would amend CISA 2015 to note that technical capabilities used to “remove any information not directly related to a cybersecurity threat” may “utilize artificial intelligence that is developed or strictly deployed for cybersecurity purposes.” Finally, the draft legislation would require the Secretary of DHS to develop and implement an outreach plan no later than 90 days after the bill’s enactment to ensure “small or rural owners or operators of critical infrastructure which often lack dedicated cybersecurity staff” better understand the obligations and processes under CISA 2015. The Secretary of DHS would be required to provide updates on such outreach to the House and Senate Homeland Security committees on an annual basis.
On September 3, 2025, the House Committee on Homeland Security unanimously approved the Widespread Information Management for the Welfare of Infrastructure and Government Act, and the bill is currently in the full House for consideration. While several leading industry groups have advocated for the renewal of CISA 2015, certain members have signaled their unwillingness to advance it absent additional political concessions. For example, Senate Homeland Security Chair Rand Paul (R-KY) pledged that he will not support a bill renewing CISA 2015 unless it contains language prohibiting the Cybersecurity and Infrastructure Security Agency (that is, CISA the agency, rather than CISA the law) from engaging in what Paul characterized as anti-disinformation work online. Moreover, reports emerged on September 11, 2025, that Paul has generated his own draft of the bill that would reportedly reauthorize the law for two years and include new oversight requirements.
Implications of Lapse
If Congress allows CISA 2015 to expire, the impact would likely chill information sharing by private entities, with some Hill staffers estimating that the drop could be as much as 80%. Without the critical protection for legal privileges—and the perceived need for liability and antitrust protections—private entities are less likely to voluntarily share information with the federal government or private entities due to a perceived increased risk (even if the risk in reality may not be material based on a lack of actual grounds for such liability). The consequences could be significant, especially considering the fact that the private sector owns and operates most critical infrastructure in the United States. However, it is less clear how the expiration of CISA 2015 would alter information sharing by the federal government. The seven agencies with procedures in place for sharing information could presumably continue to share information in the absence of the Act. That said, without CISA 2015’s congressional reporting obligations, agencies would arguably be less inclined to independently prioritize and monitor information sharing. Furthermore, agencies might infer congressional disfavor of such continued sharing from a decision by Congress to permit the law to lapse.