Chapter 13: Privacy Issues in Civil Litigation and Government Investigations

The Cybersecurity Information Sharing Act and Its 2025 Sunset

The Cybersecurity Information Sharing Act of 2015 (CISA) lets companies voluntarily share cyber threat indicators and defensive measures with the government in exchange for liability protection. CISA officially sunset on September 30, 2025 after Congress missed the reauthorization deadline, and was then extended to January 30, 2026, with its long-term future uncertain.

CISA was designed to improve U.S. cybersecurity by encouraging the government and participating companies to voluntarily share unclassified information about cyber threats and how they were successfully addressed. Non-federal entities may share or receive cyber threat indicators and defensive measures; the cyber threat indicator definition excludes sensitive personal and business information. The Department of Homeland Security is the main coordinator.

Voluntary, with liability protection

Participation is voluntary and at the discretion of the non-federal entity. The incentive to share is that doing so confers liability protection and legal safeguards - not a penalty for declining.

Watch the date

CISA officially sunset on September 30, 2025 when Congress did not reauthorize it in time, then was extended to January 30, 2026. Treat its status as evolving and verify the current law.

Key terms - quick answers

What is “Cybersecurity Information Sharing Act (CISA)”?

A 2015 law that encourages the voluntary sharing of unclassified cyber threat information between private companies and the federal government, with liability protection for those who share.

What is “Cyber threat indicator”?

Information needed to describe or identify a malicious cybersecurity threat or vulnerability; the definition excludes sensitive personal and business information.

← Automated Employment Decision Tools and the Kronos Biometric Case