A recent Congressional Research Service (CRS) report detailed that a decade-old federal framework that enables cybersecurity information sharing between the government and the private sector is set to expire on Sept. 30, 2025. Originally enacted to strengthen collective defenses against cyber threats, the authorization has become a cornerstone of national cybersecurity strategy. With its provisions nearing expiration, industry groups are urging Congress to renew them, warning that losing this legal foundation could weaken threat intelligence coordination at a critical time.

Chris Jaikaran, a cybersecurity policy specialist, wrote in the CRS report that Congress may choose to do a clean extension, whereby only the expiration of the act is amended to a later date. “Congress may also choose to alter other aspects of the act in legislation that amends the expiration date. Congress may also choose alternative legislative vehicles entirely in lieu of or in addition to extension of the act.”

Congress originally authorized the act for ten years. Congress may choose to extend this period for any duration lawmakers wish. This may be for a matter of months as an interim measure, a finite period (potentially years), or an indefinite continuance. 

Jaikaran recognizes that a shorter-term extension may provide Congress additional time to observe how the authorities in the act interact with newer cybersecurity provisions (e.g., cyber incident reporting or minimum standards). A longer-term authorization may provide stakeholders (including the private sector) with more certainty concerning their ability to implement and benefit from the act’s provisions, procedures for information sharing, and liability protections when taking action against cybersecurity threats.

The report also accounted that during the decade since enactment, risks to cyberspace have evolved. “One risk that has risen in prominence is the targeting of nontraditional IT, including operational technology (OT) and edge devices. Operational technology connects IT with physical systems. Examples include industrial control systems (such as those which monitor gas pipelines for line pack and pressure) and its components, including supervisory control and data acquisition (SCADA) systems (such as those that facilitate safety operations at dams and powerplants).” 

It added that edge devices are a type of information and communications technology used to connect one network to another (e.g., a home router).

The CRS report also noted that nation-state actors and cyber criminals have targeted OT and edge devices; however, these technologies are not explicitly captured by the definitions currently contained within the act. Furthermore, artificial intelligence is not specifically addressed in the act.

The CRS report mentioned that some observers think it is vital for Congress to include expanded definitions in a reauthorization to provide stakeholders clarity on which types of threat information are encouraged to be shared and are protected under the act. Congress may choose to consider expanding the act’s definitions to include novel attack vectors and/or new methods of defense or generalizing the language to allow for future technological developments. 

Congress passed the Cybersecurity Information Sharing Act of 2015 as Title I of the Cybersecurity Act of 2015 to enhance threat intelligence coordination between federal and nonfederal entities. Its major authorizing provisions prescribe that federal agencies must establish procedures to share cyber threat information in both classified and unclassified formats; that private sector entities are authorized to share cyber threat data with the federal government; and that participating private entities are protected from antitrust and liability claims when acting under the law.

Also, personally identifiable information (PII) must be removed before sharing, and the Department of Homeland Security (DHS) and Department of Justice (DOJ) shall release guidance on protecting civil liberties when sharing information. These agencies shall also issue guidance on federal government and nonfederal entity information sharing. It also prescribed that private entities shall be protected from liability when conducting certain act-authorized activities. Furthermore, information shared under the act is exempt from federal and state disclosure laws.

“The Senate Select Committee on Intelligence committee report on the originally considered bill highlights some of the areas of debate,” Jaikaran said. “In 2015, privacy protections for the information of individuals that could potentially be collected and shared through the program, and limitations on the use of program information were of primary concern.” 

He noted that recent Inspector General reviews have not found that PII has been shared in violation of the act.

The CRS report warned that if Congress allows the act to expire, then changes in cybersecurity information sharing practices may affect both the government and private sector. “The information protection measures, antitrust protections, liability protections, and protections from disclosure (e.g., in court proceedings) that are explicit and specific to the act would be affected by the act’s expiration. Without these protections, private sector entities may be less willing to share cyber threat information with the federal government and each other.” 

“Lacking that private sector information, the federal government may find itself in the same position that drove passage of the act—not knowing the extent of current cyber threats and lack the information necessary to mitigate those threats,” the report added. “Further, the ability for the private sector to exchange information and provide technical assistance on threats, and the marketplace for the provision of cybersecurity services to other companies, may collapse without these explicit authorizations.”

The Automated Indicator Sharing (AIS) program implements the information-sharing requirements prescribed by the act. It is a voluntary program that allows the federal government and nonfederal participants to share certain indicators of cybersecurity threat information. The report noted, however, that the absence of the act’s authorizations may not affect the technical capabilities DHS created to enable AIS, because DHS was already building that program under other information sharing authorities before the act was passed.

The CRS report pointed out that Congress may also choose to consider whether program participation should remain voluntary. The Senate committee report made clear that, at the time the act was debated, the committee was seeking to create a voluntary information sharing program. 

Since the act, Congress has created a mandatory cyber incident reporting framework through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA requires that certain entities report to the government when they experience a cybersecurity incident or make a ransomware payment. CIRCIA’s passage reflected a substantive change in cybersecurity data collection, whereby the government deemed it necessary to require the private sector to submit information to a federal agency so that the government could have a more complete picture of cyberattacks across the nation.

“While both the act and CIRCIA provide cybersecurity information to the government, they do so in tandem and not as a replacement for each other,” Jaikaran wrote in the CRS report. “The former provides potentially incident-preventing information. The latter seeks to understand elapsed events in order to prevent future ones. Further, the act provides a structure for continual, omnidirectional information sharing, where CIRCIA provides for occasional, unidirectional reporting by industry or government.”

He also raised the option that Congress may choose to consider whether or not to require certain entities to share cyber threat information under the Cybersecurity Information Sharing Act. For example, Congress could require aggregators of cyber threat information (e.g., cybersecurity firms or cloud service providers) or critical infrastructure entities (e.g., healthcare or financial institutions), a subset of those categories, or a broader group of participants to share cyber threat information under the act.
