The Cybersecurity Information Sharing Act of 2015, which facilitates the sharing of cybersecurity threat information between the federal government and private entities, is set to expire on September 30, 2025. The expiration may impact the willingness of private sector entities to share information due to the loss of protections against liability and disclosure. Congress is considering options for reauthorization, including potential changes to the act to address evolving cybersecurity threats and the introduction of mandatory reporting frameworks.

April 8, 2025

The Cybersecurity Information Sharing Act of 2015: Expiring Provisions

A decade ago, Congress authorized a cybersecurity information sharing structure that allows the federal government to collect and disseminate threat information, and enabled private sector entities to voluntarily share that information with the government, as well as among themselves. Congress passed this authorization after discussing the need for an information sharing protection framework with stakeholders in order to amplify their collective understanding of cybersecurity threats and how to respond to them. The provisions in this authorization are set to expire on September 30, 2025. A number of industry groups have advocated for its renewal.

This CRS In Focus discusses these provisions, potential implications for their expiration, and possible changes to statute that Congress may choose to consider.

Background
Congress passed the Cybersecurity Information Sharing Act of 2015 (act) as Title I of the Cybersecurity Act of 2015. The major authorizing provisions prescribe that:

• Agencies with cyber threat information shall have procedures to share that information in a classified and unclassified way with both federal and nonfederal entities.
• An entity (governmental or nongovernmental) can have a private sector entity monitor and secure their information technology (IT).
• Private entities may share information related to identifying and defending against cyberthreats with other private entities and with the federal government.
• The private sector will not be subject to antitrust liability for participating in the cybersecurity information sharing activities authorized by the act.
• Personally identifiable information (PII) must be removed from shared information. Further, the Department of Homeland Security (DHS) and Department of Justice (DOJ) shall release guidance on protecting civil liberties when sharing information.
• The DHS and DOJ shall issue guidance on federal government and nonfederal entity information sharing.
• Private entities shall be protected from liability when conducting certain act-authorized activities, including monitoring IT, implementing protective actions, and sharing cybersecurity information.
• Information shared under the act is exempt from federal and state disclosure requirements.

The Senate Select Committee on Intelligence's committee report on the originally considered bill highlights some of the areas of debate. In 2015, privacy protections for the information of individuals that could potentially be collected and shared through the program, and limitations on the use of program information, were of primary concern. Recent Inspector General reviews have not found that PII has been shared in violation of the act.

Automated Indicator Sharing Program
The Automated Indicator Sharing Program (AIS) implements the information sharing requirements prescribed by the act. It is a voluntary program which allows the federal government and nonfederal participants to share certain indicators of cybersecurity threat information with each other.

The program defines an indicator as a "technical artifact or observable that suggests an attack is imminent or is currently underway, or that a compromise may have already occurred." Examples of such indicators might include a malicious website, activity by a known threat actor, or the identification of a new technique.

The AIS primarily shares indicators provided by government agencies. These indicators could be gained from either an unclassified source (e.g., reported by a regulated entity) or a classified source (e.g., collected through a classified program or operation, even if the information itself is unclassified). These indicators are uploaded into an AIS server which pushes that information to program participants. AIS also collects indicators from the private sector, which are voluntarily shared.

To participate in the program, an entity (federal or nonfederal) agrees to participation in writing and establishes an AIS client server. The entity then connects the AIS client server to their IT and cybersecurity equipment to enable real-time, machine-to-machine information sharing. AIS is a technical capability, but the information could potentially be shared in other ways (e.g., manual reporting) and still receive protections under the act because an agreement is in place. For example, a group of companies may use the technology developed for AIS to share information amongst themselves, but rely on their sector's information sharing and analysis organization (ISAO) to submit that information to the government.

Implications of Expiration
If Congress allows the act to expire, then changes in cybersecurity information sharing practices may affect both the government and private sector.

The information protection measures, antitrust protections, liability protections, and protections from disclosure (e.g., in court proceedings) that are explicit and specific to the act would be affected by the act's expiration. Without these protections, private sector entities may be less willing to share cyber threat information with the federal government and each other. Lacking that private sector information, the federal government may find itself in the same position that drove passage of the act—not knowing the extent of current cyber threats and lacking the information necessary to mitigate those threats.

Further, the ability of the private sector to exchange information and provide technical assistance on threats, and the marketplace for the provision of cybersecurity services to other companies, may collapse without these explicit authorizations.

The absence of the act's authorizations may not affect the technical capabilities DHS created to enable the AIS program, as DHS was working on creating that program under other information sharing authorities prior to the act.

Considerations for Reauthorization
Congress may choose to do a clean extension, whereby only the expiration of the act is amended to a later date. Congress may also choose to alter other aspects of the act in legislation that amends the expiration date. Congress may also choose alternative legislative vehicles entirely, in lieu of or in addition to extension of the act.

Duration of a Potential Extension
Congress originally authorized the act for 10 years. Congress may choose to extend this period for any duration lawmakers wish. This may be for a matter of months as an interim measure, a finite period (potentially years), or an indefinite continuance. A shorter-term extension may provide Congress additional time to observe how the authorities in the act interact with newer cybersecurity provisions (e.g., cyber incident reporting or minimum standards). A longer-term authorization may provide stakeholders (including the private sector) with more certainty concerning their ability to implement and benefit from the act's provisions, procedures for information sharing, and liability protections when taking action against cybersecurity threats.

Changing Definitions
During the decade since enactment, risks to cyberspace have evolved. One risk which has risen in prominence is the targeting of nontraditional IT, including operational technology (OT) and edge devices. Operational technology connects IT with physical systems. Examples include industrial control systems (such as those which monitor gas pipelines for line pack and pressure) and their components, including supervisory control and data acquisition (SCADA) systems (such as those that facilitate safety operations at dams and powerplants). Edge devices are a type of information and communications technology used to connect one network to another (e.g., a home router). Nation-state actors and cyber criminals have targeted OT and edge devices; however, these technologies are not explicitly captured by the definitions currently contained within the act. Furthermore, artificial intelligence is not specifically addressed in the act. Some observers think it vital for Congress to include expanded definitions in a reauthorization in order to provide stakeholders clarity on which types of threat information are encouraged to be shared and are protected under the act. Congress may choose to consider expanding the act's definitions to include novel attack vectors and/or new methods of defense, or generalizing the language to allow for future technological developments.

Information Sharing Mandates
Congress may also choose to consider whether program participation should remain voluntary. The Senate committee report made clear that, at the time the act was debated, the committee was seeking to create a voluntary information sharing program. Since the act, Congress created a mandatory cyber incident reporting framework through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA requires that certain entities report to the government when they experience a cybersecurity incident or make a ransomware payment. CIRCIA's passage reflected a substantive change in the nature of cybersecurity data collection, whereby the government deemed it necessary to require the private sector to submit information to a federal agency in order for the government to have a more complete picture of cyberattacks across the nation.

While both the act and CIRCIA provide cybersecurity information to the government, they do so in tandem and not as a replacement for each other. The former provides potentially incident-preventing information. The latter seeks to understand elapsed events in order to prevent future ones. Further, the act provides a structure for continual, omnidirectional information sharing, whereas CIRCIA provides for occasional, unidirectional reporting by industry to government.

Congress may choose to consider whether or not to require certain entities to share cyber threat information under the Cybersecurity Information Sharing Act. For example, Congress could require aggregators of cyber threat information (e.g., cybersecurity firms or cloud service providers) or critical infrastructure entities (e.g., healthcare or financial institutions), a subset of those categories, or a broader group of participants to share cyber threat information under the act.

Chris Jaikaran, Specialist in Cybersecurity Policy

IF12959

https://crsreports.congress.gov

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF12959 · VERSION 4 · NEW
