A critical US law that shields companies from legal liability when sharing cyber threat intelligence has expired after lawmakers failed to reach an agreement during a government funding standoff.
The 2015 Cybersecurity Information Sharing Act (CISA 2015) protected businesses from lawsuits when exchanging cyber threat data through a voluntary program called the Automated Indicator Sharing Program (AIS).
The law was expected to expire on September 30 unless the US Congress voted to extend it before that date.
Despite bipartisan support and urgent warnings from industry leaders, lawmakers allowed the law lapse, leaving companies exposed to potential lawsuits and weakening a key defense against cyber-attacks.
Learn more about the Cybersecurity Information Sharing Act: CISA 2015 Safe Harbor at Risk as September 2025 Deadline Nears
Now, with a government shutdown triggered by Congress’s failure to pass the funding bill, the law’s extension remains uncertain.
CISA 2015 Lapse: A National Security Crisis in the Making
Many cybersecurity professionals are deeply concerned that CISA 2015’s lapse may have far-reaching consequences in US cyber defenses.
Saša Zdjelar is the Chief Trust Officer of ReversingLabs, a company that relied heavily on the law to maintain robust threat repositories.
He said this lapse is “a textbook case of political dysfunction creating real vulnerabilities.”
“At ReversingLabs, we’ve seen firsthand how the law enables the kind of robust threat intelligence sharing that keeps defenses current. Take away those protections, and the collective defense that has kept us strong for a decade begins to crumble, handing adversaries an advantage they don’t deserve,” he added.
Additionally, Zdjelar expects this episode will probably put threat intelligence sharing at risk and boost the threat of software supply chain vulnerabilities.
He also argued that the lapse could have “a chilling effect” on AI security development.
“Legal uncertainty will force companies to become conservative about sharing threat data needed to train AI-powered security tools, hampering development of defenses against AI-enabled attacks,” he explained.
Andy Lunsford, CEO of incident response firm BreachRx, called the failure to renew CISA 2015 “a crisis in the making.”
He warned that some of his clients – already stretched thin by talent shortages harsher regulatory fines and increased detection and escalation costs – will “go dark” on threat sharing without legal protections, creating dangerous blind spots in cyber defense.
“The latest IBM numbers [from the 2025 IBM Cost of a Data Breach Report] show the US is ground zero for data breaches; they are more expensive here than anywhere else in the world by a wide margin. Without CISA 2015, I expect those numbers to double in scale and cost within a year,” he added.
