CISA’s Sunset: The State of Government-Private Sector Info Sharing

The Cybersecurity Information Sharing Act (CISA) of 2015 has been the bedrock of the U.S. government’s formal mechanism for sharing cyber threat information with the private sector. The approach of its sunset date (September 30, 2025) is not merely a legislative formality; it is a crucial moment for policymakers to assess whether the mechanism, born from years of debate, has delivered on its promise of collective defense. In the world of Cyber Threat Intelligence (CTI), the value of information is measured by its timeliness, context, and actionability. The expiring CISA gives us an opportunity to ask the hard question: Has the framework made the U.S. enterprise, and specifically critical infrastructure, demonstrably more secure? The answer, as is often the case in security policy, is “yes, but with significant caveats.”

The 2015 legislation sought to solve a fundamental problem: private companies, possessing invaluable data on intrusions and threats, were hesitant to share this information with the government due to fear of liability and antitrust litigation. CISA’s core mechanism was simple yet revolutionary: it created a legal safe harbor for entities that shared cyber threat indicators (which could include IP addresses, domains, and malware signatures) through a designated government portal, provided they removed personally identifiable information. This flow of information was to be a two-way street, facilitated primarily by the Department of Homeland Security, now the Cybersecurity and Infrastructure Security Agency, and the Director of National Intelligence.

The premise was sound: an acknowledgement that no single public or private entity possesses the complete picture of the threat landscape. The government sees the sophisticated, nation-state-level campaigns (Advanced Persistent Threats), while the private sector sees the high-volume, financially motivated attacks and the real-time vulnerabilities being exploited in production environments. Merging these perspectives was intended to create a superior, national-level CTI picture, allowing for more proactive defense. Nowhere is the importance of this sharing arrangement clearer than in critical infrastructure, where the entities are generally privately owned but have increasingly been in the crosshairs of foreign adversaries, especially over the past decade.

The Government Accountability Office (GAO), in its mandated July 2025 review of the CISA mechanism, provided a necessary dose of analytic rigor to the program’s perceived success. The GAO’s findings illuminate both the strengths that should be retained and the structural weaknesses that demand immediate legislative and operational remediation.

  • Establishing a Legal Baseline and Trust: The single greatest strength of CISA was its existence. By explicitly granting liability protection, the Act successfully nudged reticent legal and corporate risk departments to authorize information sharing. The GAO confirmed that agencies did develop government-wide policies, procedures, and guidelines to assist in sharing, fulfilling the Act’s requirements for agencies designated to implement the Act. This legal clarity was instrumental in establishing the baseline of trust necessary for the entire framework to function.
  • Increased Volume of CTIs: Multiple reviews, including those from the Intelligence Community Inspector General (ICIG) referenced in GAO reporting, have noted a measurable increase in the volume of cyber threat indicators and defensive measures shared through the unclassified automated sharing tool [1]. 
  • PII Protection Compliance: The GAO confirmed that the seven designated federal agencies (including DHS, DOJ, DOD, and ODNI) met the Act’s legislative requirements for protecting privacy and civil liberties by developing policies, procedures, and guidelines for the removal of personally identifiable information from shared cyber threat indicators.

Despite the compliance achievements noted in the GAO report, there are several shortcomings that need to be remedied should the Act be reaffirmed. This will be critical in demonstrating consistent maturity in this effort, allowing the Act to reach its full potential as a potent mechanism in reducing cyber risk.

  • The Actionability Gap (The “So What?”): This is, arguably, the most significant failure. Multiple GAO and ICIG reports have highlighted that the quality of information shared with Automated Indicator Sharing participants was not always adequate to identify and mitigate cyber threats. The same reporting noted that a big complaint about the cyber threat indicators was that they did not contain enough contextual information to help decision-makers take action.
  • Over-Centralization and Velocity Issues: The CISA framework, largely centered on DHS/CISA, struggled with the velocity of information. The operational imperative of CTI is near real-time sharing. The GAO noted that agencies identified timeliness and data quality as long-standing barriers to effective sharing. While automation has undoubtedly aided the sharing process, the centralized process can act as a bottleneck hindering the speed of delivery.
  • Uneven Participation and Maturity: The lack of participation from mid-tier and smaller organizations remains a critical shortcoming, as smaller entities often lack the technical maturity or resources to effectively ingest or contribute high-quality intelligence. 

With the expiration date nearing, the national security community faces a critical choice: merely reauthorize the existing CISA framework, or mandate a substantive, operational overhaul. The stakes are too high for the former. The threats facing the U.S. enterprise have evolved dramatically since 2015. Ransomware has professionalized into a persistent threat to supply chains, and the line between cybercrime and nation-state activity has blurred.

CISA 2015 was a crucial first step toward a proactive collective defense bridging the longstanding gap between the government and the private sector. However, the GAO’s findings confirm what CTI practitioners have long known: the mechanism is in place, but the intelligence flow is suboptimal. The U.S. needs a framework that is “intelligence-centric,” not merely “data-centric.” As the Act faces its expiration, policymakers should strongly consider not just reauthorizing the Act, but fixing the actionability, velocity, and inclusivity shortcomings in the current iteration. For instance, empowering and funding Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations to be the primary dissemination points, rather than secondary channels, could address a current problem area.

A national collective defense is not a passive data repository; it is a dynamic, high-velocity intelligence ecosystem. The next iteration of information sharing legislation must recognize this CTI reality, or we will continue to lose the cyber war one slow, unactionable report at a time.

Recommendations: A Path Towards True Collective Defense

To transition from a flawed but necessary program to a truly robust collective defense mechanism, the next iteration of the information sharing framework must embrace operational and policy maturity.

1. Mandate Contextualized, Intelligence-Grade Reporting

The focus must shift from sharing raw Indicators of Compromise (IOCs) to sharing CTI reports framed by the MITRE ATT&CK framework.

  • Recommendation: Legislative language must require shared data to be enriched with context—TTPs, victimology, intent, and remediation steps—where feasible. CISA must establish the formal reporting process and quality controls that the DHS OIG and GAO have recommended [3], effectively raising the bar for the quality and actionability of shared information.

2. Decentralize and Sector-Focus the Dissemination

The speed of information sharing must increase exponentially, especially with the rise of machine-to-machine sharing protocols.

  • Recommendation: Empower and fund ISACs and Information Sharing and Analysis Organizations (ISAOs) to be the primary dissemination points, rather than a secondary channel. The GAO has noted the ongoing need for CISA to assess whether the current mix of centralized and federated approaches is optimal [5], but the immediate operational necessity is to move toward faster, sector-specific distribution.

3. The ‘Defensive Exchange’ for Small-to-Midsize Enterprises (SMEs)

The lack of SME participation remains a critical vulnerability, as highlighted by the general consensus of uneven participation across the sector.

  • Recommendation: Create a federally funded “Defensive Exchange” program. This is not another CISA portal; it’s a mechanism that provides free, automated security services (like DNS protection) to qualifying SMEs in exchange for their participation in threat data sharing. This solves the maturity and resource problem simultaneously, securing the supply chain from the bottom up.

4. Clear and Expedited PII Guidance

While the GAO found compliance on paper with the PII provisions [4], the practical ambiguity remains a challenge that hinders high-velocity sharing.

  • Recommendation: CISA, in collaboration with the Attorney General and the Privacy and Civil Liberties Oversight Board (PCLOB), must publish a streamlined, prescriptive PII removal standard that is auditable. This policy must ensure clear, unambiguous legal protection for private sector entities that utilize the CISA automated sharing tools, encouraging greater velocity and volume of quality contributions.

End Reference Citations

  1. U.S. Government Accountability Office (GAO). Cybersecurity: Implementation of the 2015 Information Sharing Act. GAO-25-108509, 2025.
  2. Cybersecurity Information Sharing Act of 2015, Pub. L. No. 114-113, §§ 101–110, 129 Stat. 2242, 2933–2946 (codified at 6 U.S.C. §§ 1501–1510).
  3. Department of Homeland Security Office of Inspector General (DHS OIG). Additional Progress Needed to Improve Information Sharing under the Cybersecurity Act of 2015. OIG-22-59, 2022 (referenced in GAO findings).
  4. U.S. Government Accountability Office (GAO). Cybersecurity: Federal Agencies Met Legislative Requirements for Protecting Privacy When Sharing Threat Information. GAO-19-114R, 2018.
  5. U.S. Government Accountability Office (GAO). Cybersecurity: Agencies Need to Improve Collaboration and Assess Information Sharing Effectiveness. GAO-23-106037, 2023.
Emilio Iasiello

About the Author

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.