Reauthorization of the Cybersecurity Information Sharing Act (CISA) of 2015

 

Introduction: Ensuring Continuity of a Key Cybersecurity Framework

The Cybersecurity Information Sharing Act of 2015 (CISA) established a voluntary framework for sharing cyber threat information between the private sector and government. Built with legal and privacy safeguards, it has enabled the timely exchange of threat indicators while protecting civil liberties.

This act has become a cornerstone of U.S. cyber defense, integrated into federal programs and industry practices. It has strengthened collective resilience, improved coordination, and enhanced detection of emerging threats. It expired on September 30, 2025, and without renewal, the U.S. risks losing one of its most effective tools for public-private collaboration on cybersecurity. Expiration weakens national cyber defenses and creates uncertainty for companies and agencies alike. CISA should be prioritized to maintain continuity of information sharing, ensure stability in federal and industry cybersecurity practices, and protect the nation against escalating cyber threats.

Benefits of CISA 2015 for Cyber Threat Information Sharing

CISA 2015 delivered several lasting contributions to U.S. cybersecurity. It enabled the real-time exchange of cyber threat indicators across agencies and organizations, improving early detection and coordinated response. By strengthening national resilience and reinforcing protections for critical infrastructure, the Act became a cornerstone of collective defense. Importantly, it fostered a cooperative public–private partnership, designed to be voluntary but supported by clear incentives, liability protections, and antitrust exemptions that lowered the risks of participation. At the same time, CISA embedded strong privacy and security safeguards, requiring the removal of personal information and mandating privacy reviews to ensure civil liberties were protected while advancing national security.

Alignment with ACM Ethical Principles

CISA’s framework aligns closely with the ACM Code of Ethics and its underlying principles. By upholding the public interest and minimizing cyber risks, the Act supports the professional duty to prevent harm and safeguard society. It fosters trust and collaboration through responsible, voluntary knowledge sharing, reinforcing a culture of trustworthiness across both government and industry. The Act also reflects a collective professional responsibility for maintaining robust, secure systems, recognizing that cybersecurity is a shared obligation. Equally important, CISA embeds respect for privacy and responsible data handling, ensuring that the exchange of threat information does not compromise personal rights but instead upholds ethical standards for protecting individual data.

Broad Support from Government, Industry, and Domain Experts

CISA has enjoyed broad support from across government, industry, and the cybersecurity expert community. Lawmakers across the political spectrum have consistently underscored its value as a national security measure, framing it as essential to the country’s cyber posture. Technology and telecommunications companies highlight the operational benefits and liability protections that make participation practical and effective. Critical infrastructure providers—including banks, utilities, and healthcare systems—have pointed to tangible gains in resilience and incident response since the Act’s passage. Likewise, cybersecurity professionals and alliances regard CISA as a foundational element of collective defense, reinforcing its role as a cornerstone of U.S. cybersecurity strategy.

Preserving an Ethical, Collaborative Security Framework

In conclusion, the Cybersecurity Information Sharing Act of 2015 established mechanisms that not only strengthened U.S. cybersecurity but also aligned closely with the ACM’s ethical principles. By fostering collaboration, safeguarding privacy, and supporting collective responsibility, CISA created a trusted framework for defending against cyber threats. Reauthorization should consider modernizing to address current threats, including those driven by AI and ransomware. Previously identified privacy concerns, such as law enforcement use, protections in place before sharing, and access to personal information, should be considered while also safeguarding our nation’s cybersecurity infrastructure.

PDF available here.

Members help shape the Committee’s action agenda, author its official Statements and other materials shared with policy makers and the public, and spot emerging issues on which the Committee might engage. Join USTPC today!