How Organizations Can Safeguard Critical Information After CISA Expiration: Q&A With Onspring’s Nichole Windholz


A critical law that helps the federal government guard against cyberthreats to U.S. critical systems recently expired as the government shut down in October. The Cybersecurity Information Sharing Act (CISA) has been a core foundation of the nation’s cyberdefenses since it was signed into law in 2015.

For a decade, CISA gave companies legal cover to monitor systems and share cyberthreat data without fear of liability. Without renewal, the protective shield vanishes and elevates legal risk for organizations that previously operated under a safe harbor.

Without CISA, the private sector—which controls most U.S. critical networks such as electrical grids, transportation systems, and communication services—is less likely to swap vital information for fear of being exposed to legal risks.

Data shared under CISA 2015 provides an essential tool for the federal government to understand how hackers are plotting attacks against the nation’s networks, which have been relentlessly targeted by Chinese, Russian, North Korean, and Iranian operatives in recent years.

One example is the Salt Typhoon breach, disclosed in 2024, involving Chinese hackers compromising wide swaths of privately owned U.S. telecommunications infrastructure. They used their covert access to steal a trove of Americans’ cellphone records and listen in on the conversations of senior U.S. political figures.

Now, both the government and private organizations are partially flying blind when it comes to preventing such devastating effects.

With the landscape shifting, enterprises must lean on mature governance, risk, and compliance (GRC) frameworks to defend themselves, said Nichole Windholz, CISO at Onspring. Windholz has more than 20 years of experience in information technology and security, including having led global security initiatives for a Fortune 500 company, where she built and scaled a cybersecurity incident response center.

Onspring makes business process automation software that keeps the enterprise secure. Organizations around the world use Onspring to automate manual processes in the GRC, audit and assurance, vendor management, and legal sectors.

What is CISA and how important is it to the government and independent companies?

CISA 2015 created a foundation for voluntary cyberthreat information-sharing between private companies and the federal government, providing liability protections that encouraged transparent collaboration. It’s been one of the most important tools for real-time cyberdefense across both public and private sectors.

What are the worst-case scenarios that can happen if the federal government doesn’t act to reinstate CISA?

Without CISA’s protections, the loss of liability protections and safe harbor for threat-sharing is expected to dramatically reduce the flow of cyberintelligence into federal and industry response systems. Without this real-time exchange, operators of critical infrastructure such as power grids, financial systems, and communications networks face increased exposure.

Attackers targeting operational-technology and industrial-control systems exploit exactly those blind spots. Firms may hesitate to monitor or share incident information due to legal ambiguity, shifting decisions from cyberteams to legal counsel and introducing dangerous delays. In aggregate, this could lead to a cascade: one successful breach in a major infrastructure sector, slower response across partners, and greater systemic risk for public safety and commercial operations.

What are the steps companies can take to stay safe during this time when the cybersecurity environment is uncertain?

In this complex security environment, companies should focus on reinforcing their own cybersecurity governance. I advise leaders to be diligent with documenting who decides what to share, under what conditions, and how that data is protected. It’s also a good time to re-examine your network of relationships and ensure all third parties handling sensitive data meet the same risk management standards. Transparency and defensibility are key when federal protections are in a state of flux.

What can organizations do to protect themselves moving forward?

Organizations need to be proactive in refining both their information-sharing practices and their internal monitoring protocols. Even without CISA 2015’s protections, companies still have a legal basis for collaboration, but they must do it with greater precision. Information shared with public or private partners needs to be stripped of personal or competitively sensitive data wherever possible, routed through counsel when necessary to manage privilege and antitrust exposure, and transmitted via secure, access-controlled channels. Maintaining detailed audit trails of what was shared and why it was shared will help demonstrate intent and defensibility.

At the same time, with monitoring authorizations uncertain, organizations need to revisit employee consent and privacy notices to ensure cybersecurity monitoring remains compliant. Acceptable-use policies, login banners, and device agreements should make it clear that network and communication monitoring is limited to threat detection, prevention, and mitigation. Access to this data should remain tightly controlled and documented. Together, these steps give companies a stronger governance foundation to operate safely amid shifting federal oversight.

Beyond CISA, companies should remember that information-sharing doesn’t stop here. Companies can continue exchanging intelligence through other industry channels—such as MSSPs [managed security service providers], local security groups, and sector-specific ISACs [information sharing and analysis centers] such as FS-ISAC or H-ISAC—as well as vendors specializing in threat intelligence. This is also a good opportunity for leaders to make sure they have “the basics” covered, including vulnerability management, incident response, and risk management.
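As an added illustration of the pre-sharing hygiene Windholz describes above (strip personal and competitively sensitive data, then keep an audit trail of what was shared and why), here is a small Python sanitizer with a hash-chained audit log. This is not code from Onspring or from the interview; the sample record, the field names and the drop-list policy are constructed assumptions.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample record; the e-mail addresses and contract value are internal
# details that should not leave the organization, the indicators are what a partner needs.
INTERNAL_REPORT = {
    "incident_id": "IR-0042",  # constructed placeholder, not a real case
    "summary": "Lure sent to jdoe@example.com; asmith@example.com confirmed C2 at bad-domain.example.",
    "indicators": ["bad-domain.example", "203.0.113.45"],
    "victim_email": "jdoe@example.com",
    "contract_value_usd": 1250000,
}
# Assumed sharing policy (not from the interview): these keys never leave the organization.
DROP_FIELDS = {"victim_email", "contract_value_usd"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
GENESIS = "0" * 64  # prev_hash of the first audit entry

def sanitize_report(report: dict) -> dict:
    """Copy the report, drop restricted keys, and redact e-mail addresses in free text."""
    shared = {k: v for k, v in report.items() if k not in DROP_FIELDS}
    for key, value in shared.items():
        if isinstance(value, str):
            shared[key] = EMAIL_RE.sub("[redacted-email]", value)
    return shared

def audit_entry(shared: dict, recipient: str, purpose: str, prev_hash: str = GENESIS) -> dict:
    """Record what was shared, with whom and why; each entry hashes the one before it."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "recipient": recipient,
        "purpose": purpose,
        "content_sha256": hashlib.sha256(json.dumps(shared, sort_keys=True).encode()).hexdigest(),
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry

def verify_chain(entries: list) -> bool:
    """Recompute every entry hash and confirm the prev_hash links are unbroken."""
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev_hash"] != prev or digest != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True
```

Running `verify_chain` over the stored entries later lets counsel show that the log of what went to an ISAC or peer was not edited after the fact.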

How can Onspring help companies protect themselves during this time?

A strong governance, risk, and compliance framework can form a sturdy backbone for risk mitigation efforts, giving organizations visibility into how information is used and protected.

Onspring supports organizations by offering tools that connect governance, risk, and compliance data in one place. Teams can map and monitor operational, reputational, and regulatory risks tied to information-sharing. With Onspring, organizations can also ensure oversight frameworks are in place and maintain audit-ready documentation of their security and compliance posture.

Do you have any predictions as to how this shakes out? Do you foresee Congress passing any cybersecurity information-sharing regulations this year?

Given the legislative gridlock and the ongoing government shutdown, the most likely outcome this year is a short-term extension or stopgap measure to restore protections briefly. A full modernization, including expanded protections, retroactivity, or AI-specific language, is unlikely until next year. In the meantime, organizations should act as though continuity is uncertain and fortify their internal governance and sharing practices accordingly.


