Why Reauthorizing CISA 2015 Is Critical to the AI Action Plan

Ilona Cohen
Chief Legal and Policy Officer

It’s summer and two things are true: Washington, D.C. is unbearably humid, and it’s time for Congress to reauthorize the Cybersecurity Information Sharing Act of 2015 (CISA 2015).

We’re talking about the law, not the agency. For nearly a decade, CISA 2015 has been a cornerstone of sharing information across the cybersecurity ecosystem. And as the Trump Administration looks to bolster critical infrastructure cybersecurity through its AI Action Plan, CISA 2015 is the legal framework that lets the public and private sectors work together to stop threats in their tracks.

Industry leaders in energy, healthcare, and finance — along with security coalitions across the board — have been clear: letting these authorities expire would leave defenders at a serious disadvantage and undermine several objectives of the AI Action Plan, from standing up an AI Information Sharing and Analysis Center to responding to AI-specific vulnerabilities.

What exactly does CISA 2015 do?

At its core, CISA 2015 makes real-time cyber threat sharing possible, not just between companies and the federal government, but also with state, local, and industry partners. It enables the exchange of threat indicators and defensive tactics while upholding strong privacy and civil liberties protections.

It allows companies to legally monitor their own systems (or others’, with permission) and use defensive tools to detect and counter malicious activity. And perhaps most importantly, it protects the people and organizations doing the right thing. CISA 2015 includes a suite of legal protections designed to make sharing safer and easier. That means:

  • No liability for information properly shared through the DHS process.
  • No antitrust exposure when companies collaborate on threat info.
  • No risk of violating the Electronic Communications Privacy Act when monitoring systems for threats (although that protection doesn't extend to more aggressive “active defense” measures).
  • No surprise Freedom of Information Act (FOIA) disclosures — shared data isn’t subject to federal or state public records laws.

It’s not just about government-to-company sharing

Most people think of CISA 2015 as enabling information sharing between the government and the private sector, and it definitely does that. But one of the most powerful evolutions we've seen since it became law has been in private-to-private sharing.

For example, the protections CISA 2015 offers underpin industry efforts to quickly pass on critical threat intelligence from one company to another — often before a vulnerability can be exploited at scale. During incidents like Log4Shell, speed mattered. CISA 2015 provided a structure to share data fast, responsibly, and without legal ambiguity.

Any lapse in CISA 2015 authorities could bring new ambiguity between organizations we aim to warn and protect — all while attackers keep moving. Forcing U.S. companies to navigate additional legal uncertainty in the middle of a security crisis only helps adversaries.

Reauthorizing CISA 2015 should be a no-brainer

Cyber threats aren’t slowing down. If anything, they’re getting faster, smarter, and more coordinated. Our defenses need to be just as agile — and CISA 2015 is one of the rare tools that helps both the private and public sectors stay on the same page.

While we may not be able to do anything about the humidity in Washington, Congress has the chance to keep this vital law alive — not just by reauthorizing it, but by recognizing how effective it’s been and building on it. Because at the end of the day, security is a team sport. And CISA 2015 helps us all play on the same side.

About the Author

Ilona Cohen
Chief Legal and Policy Officer

Ilona is HackerOne’s Chief Legal and Policy Officer, where she manages the public policy portfolio, oversees all legal matters, and provides strategic leadership to the company.