If your company shares cyber threat intelligence with an ISAC (Information Sharing and Analysis Center, the industry groups where companies exchange threat data), exchanges indicators of compromise with industry peers, or participates in any government threat-sharing program, you have 21 days to figure out your legal exposure. The Cybersecurity Information Sharing Act of 2015, the federal law that protects these activities from lawsuits, antitrust claims, and public records requests, expires on January 30, 2026. Congress has shown little urgency to fix it.
This isn't a distant policy concern. It's a contract problem, a board question, and an operational decision that needs attention before the month ends. Your general counsel, your CISO, and your information-sharing partners all need to be in the same room this week.
What CISA 2015 Actually Protects
The Cybersecurity Information Sharing Act of 2015, codified at 6 U.S.C. §§ 1501-1510, created a legal safe harbor for companies that share cybersecurity threat information. Before the law, companies faced a difficult choice: share threat intelligence to help defend against attacks, or stay silent to avoid legal risk. CISA 2015 fixed that with three core protections.
Liability protection. Under 6 U.S.C. § 1505, no lawsuit can be maintained against a company for monitoring its own systems or sharing cyber threat indicators and defensive measures, as long as sharing follows the Act's requirements. The protection is broad. It covers sharing with other private companies, with ISACs, and with federal agencies.
Antitrust exemption. Companies that share threat information are often competitors. CISA 2015 confirmed that exchanging cyber threat indicators wouldn't be treated as collusion under antitrust laws. For sector-specific ISACs where rivals share attack patterns and defensive techniques, this protection was essential.
FOIA and disclosure exemption. Information shared under CISA 2015 can't be obtained through Freedom of Information Act requests or state public records laws. Companies could share sensitive incident details with federal agencies without worrying that competitors, journalists, or plaintiffs' attorneys would get access later.
These protections don't apply automatically. To qualify, companies must share information for a "cybersecurity purpose," review it to remove personal information not related to the threat, and share only "cyber threat indicators" or "defensive measures" as the statute defines them. But for companies that follow the rules, CISA 2015 created real legal cover.
The Expiration Timeline
CISA 2015 was set to expire on September 30, 2025.
It did.
For roughly six weeks, the law's protections lapsed entirely. Companies sharing threat intelligence operated without the statutory liability shield they'd relied on for nearly a decade.
Congress revived the law on November 12, 2025 as part of a government funding bill. But the extension was short: CISA 2015 protections now expire on January 30, 2026. Three weeks from today.
Permanent reauthorization has stalled in the Senate. The House Homeland Security Committee passed the WIMWIG Act on September 3, 2025, extending CISA 2015 for ten years. A bipartisan pair of senators introduced a clean extension bill in October. But Senator Rand Paul, who chairs the Senate committee with jurisdiction over CISA 2015, has blocked consideration. His objection isn't about cybersecurity. He wants unrelated changes to the Cybersecurity and Infrastructure Security Agency's authority over online content moderation.
That impasse has frozen the reauthorization process.
The most likely outcome, according to congressional observers, is another short-term extension attached to a spending bill. But that's not guaranteed. And even if it happens, the pattern of 60- to 90-day extensions creates its own problems for companies trying to plan compliance programs and negotiate contracts.
What This Means for Your Business
The expiration of CISA 2015 protections creates three legal risks your leadership team needs to evaluate now.
Litigation exposure. Without CISA 2015's liability shield, companies that monitor systems or share threat intelligence could face lawsuits. The most likely claims involve privacy violations, where plaintiffs argue that monitoring or sharing included personal information that wasn't directly related to a cybersecurity threat. Class action attorneys have already shown interest in cybersecurity-related claims. The absence of statutory protection removes a significant early-dismissal argument.
There's a counterargument worth noting. Some legal commentators suggest that common-law defenses and existing contractual protections may provide adequate cover for threat-sharing activities. The strength of that position varies by jurisdiction and depends heavily on how your information-sharing agreements are drafted. It's not a reason to panic, but it's also not a reason for complacency.
Contract complications. If your company participates in an ISAC or has bilateral threat-sharing agreements with partners, those contracts likely reference CISA 2015 protections. Check your information-sharing agreements this week. Many include representations that shared information qualifies for statutory protection, or indemnification provisions that assume the legal framework remains stable. If CISA 2015 lapses permanently, those provisions may need renegotiation.
Customer contracts present similar issues. Enterprise sales to security-conscious buyers often include representations about your security practices, including how you handle threat intelligence. If your security program depends on ISAC participation or government threat feeds, procurement teams may ask how you're managing the legal uncertainty.
Antitrust hesitation. The most underappreciated risk is the chilling effect on information sharing itself. General counsels at competing companies may grow reluctant to exchange detailed threat information without the antitrust safe harbor. This isn't paranoia. Before CISA 2015, antitrust concerns were a genuine barrier to threat intelligence sharing. The law specifically addressed that concern because industry leaders said it was blocking collaboration.
For critical infrastructure operators, this matters beyond individual company risk. Collective defense against sophisticated threat actors, particularly nation-state actors like the Salt Typhoon group currently targeting telecom infrastructure, depends on rapid information sharing. Legal uncertainty slows that down.
The Board Meeting Question
Your next board meeting will likely include a cybersecurity update. Directors increasingly expect regular reporting on cyber risk, especially after the SEC's disclosure rules took effect. Here's the question a prepared director might ask: "Our security program relies on threat intelligence from our ISAC. What happens to that information flow if CISA 2015 doesn't get renewed?"
If your answer is "we're monitoring the situation," that's not sufficient.
Boards want to know you have a plan. The plan doesn't need to be complicated, but it should exist.
At a minimum, you should be able to explain: which information-sharing relationships depend on CISA 2015 protections, what contractual provisions reference the statute, whether you've consulted with partners and ISACs about contingency planning, and what changes you'd make to sharing practices if the law lapses permanently. That's a 15-minute conversation with your CISO and general counsel, translated into board-ready language.
The Maryland and DC Angle
For companies in the DC metro area, this issue has particular relevance. The region hosts major federal contractors, defense industrial base companies, and critical infrastructure operators who actively participate in government threat-sharing programs.
The Department of Homeland Security's Automated Indicator Sharing (AIS) program, which allows machine-to-machine exchange of threat indicators between government and industry, operates under CISA 2015's framework. Federal contractors who participate in AIS or sector-specific programs should confirm how their participation agreements address potential statutory gaps.
Maryland's proposed cybersecurity legislation and DC's data protection requirements don't directly address this federal issue. But companies subject to state-level security requirements should consider how reduced threat intelligence flows might affect their ability to meet those obligations.
Practical Takeaways
Your executive team should complete these steps before January 30:
Audit your information-sharing agreements this week. Pull every ISAC membership agreement, bilateral threat-sharing contract, and government program participation document. Flag any provisions that reference CISA 2015, statutory protection, or liability limitations tied to federal cybersecurity law.
Convene a joint meeting with your CISO and general counsel. These two functions need to align on risk tolerance. Your CISO understands operational dependencies on threat intelligence. Your general counsel understands the liability exposure. Neither can make this call alone.
Contact your ISAC about their contingency planning. Major ISACs are aware of this issue. Ask what guidance they're providing to members and whether they're adjusting sharing protocols during periods of statutory uncertainty.
Review customer contract representations. If you make representations about your security practices in enterprise sales agreements, confirm whether those representations assume continued CISA 2015 protection. Flag any contracts requiring renegotiation.
Prepare a board-ready summary. Even if your next board meeting isn't until Q2, document your assessment now. Directors may ask about this in informal conversations.
Document your current sharing practices. If litigation ever arises, you'll want a clear record of what information you shared, with whom, for what purpose, and what review processes you followed. Good documentation now could matter later.
Monitor congressional action through January 30. Subscribe to alerts from your DC counsel or trade association. The situation could change quickly if Congress attaches an extension to must-pass legislation.
Develop a "pause protocol" if needed. Decide in advance what sharing activities you'd pause if the law lapses and how you'd communicate that to partners. Having a plan beats making rushed decisions under pressure.
What We're Watching
Senate floor action before January 30. The only path to permanent reauthorization runs through Senator Paul's committee or a floor workaround. Watch for procedural moves in the final weeks of January.
Short-term extension in spending legislation. The government's current funding expires in early 2026. CISA 2015 could get extended again as part of that negotiation.
CISA guidance on non-statutory sharing. The Cybersecurity and Infrastructure Security Agency may issue guidance on how companies can continue sharing threat information even without CISA 2015 protections, using existing legal frameworks.
ISAC policy updates. Major ISACs may adjust their sharing protocols or membership agreements to address the uncertainty. Watch for communications from your sector's ISAC.
Industry litigation. If CISA 2015 lapses, watch for test cases that probe the boundaries of liability for threat-sharing activities conducted without statutory protection.
Looking Ahead
The companies best positioned to handle this uncertainty are those who've already had the internal conversations, reviewed their contracts, and developed contingency plans. Congress may find another short-term fix, or the law may lapse again. Either way, the pattern of uncertainty will continue until permanent reauthorization passes.
You've got 21 days. That's enough time to prepare, but only if you start now.