The Future of the Cybersecurity Information Sharing Act (CISA): Renewal, Challenges, and Opportunities

The Cybersecurity Information Sharing Act (CISA) of 2015 was enacted to encourage collaboration between private companies and government agencies by removing liability barriers in sharing threat intelligence. However, due to a built-in sunset clause, the legislation is set to expire on September 30, 2025, unless renewed by Congress. Its uncertain future raises questions about how organizations should handle threat information sharing if the law lapses.

What CISA Provides

At its core, CISA gives organizations legal protection when reporting suspicious activities, vulnerabilities, or potential threats. Shared information can flow between companies and government agencies, enabling:

• Real-time visibility into cyber risks across sectors.

• Protection of both reporting entities and individual identities involved in incidents.

• Collaboration that allows different organizations to piece together fragments of larger cyber threats.

As attorney Andrew Grosso explains, one company may only see part of an attack, but pooling intelligence creates a complete picture: “You might have the legs and the tail, but you haven’t got the whole animal… only by combining different parts can you see the whole threat.”

Why Renewal is Uncertain

The need to reauthorize CISA arrives at a politically complex moment. Its renewal coincides with negotiations over the U.S. debt ceiling, a much larger and more contentious issue consuming congressional attention. Additionally, some lawmakers, such as Senator Rand Paul, are pushing for greater civil liberties protections within CISA—such as allowing individuals to use the Freedom of Information Act (FOIA) to learn if they’ve been flagged in reported data. These debates make simple reauthorization less likely.

Will CISA Be Renewed?

Experts generally expect Congress to renew CISA, possibly even retroactively, but delays could leave a temporary gap in legal protections. During this “limbo,” companies may hesitate to share threat intelligence out of fear of liability.

• Andrew Grosso is confident that CISA’s proven value will drive renewal, emphasizing its role in helping government agencies triangulate fragmented threat data and protect national security.

• Moiz Virani, CTO at Momentum, agrees renewal is likely but sees this as an opportunity for improvement. He highlights that while CISA was not perfect, it provided a workable framework for vulnerability sharing that needs modernization in an age where AI-driven threats and larger attack surfaces dominate.

The Potential Impact of Expiration

If CISA lapses without renewal, the immediate consequence would be the loss of liability protection for companies that share threat data. While some organizations may still choose to cooperate, others could adopt a more cautious stance, slowing down intelligence sharing at a time when cyberattacks are becoming more sophisticated.

Still, experts caution that expiration would not spell disaster. Instead, it could push security leaders to rely more heavily on alternative frameworks and remain more vigilant in their decision-making.

Conclusion

CISA remains a critical pillar of the U.S. cybersecurity ecosystem. Its renewal seems probable, but the timing and potential modifications remain uncertain. Whether through reauthorization or improvement, the act continues to highlight a fundamental truth: cybersecurity is not a solo effort. Collective intelligence and cooperation are essential to defending against today’s evolving threats.

As September 2025 approaches, security leaders must consider how to manage threat-sharing in the event of a temporary lapse—and be prepared for possible updates that reshape how information flows across the public and private sectors.