By Staff Writer at LMG Security   /   Oct 9th, 2025

The Cybersecurity Information Sharing Act Has Lapsed—Here’s How to Adapt & Stay Ahead of Attackers

When the Cybersecurity Information Sharing Act quietly expired on September 30, right as Cybersecurity Awareness Month began, it impacted cyber threat intelligence for everyone. “The spigot of information has turned off at a terrible, terrible time,” shared Sherri Davidoff, founder of LMG Security. “The loss of threat intelligence sharing between the government and the private sector will likely have a big impact on everyone’s cybersecurity.” Let’s dive into the role of the Cybersecurity Information Sharing Act, why this loss matters, and actionable steps to reduce the impact on your organization.

Why the Cybersecurity Information Sharing Act mattered

For a decade, the Cybersecurity Information Sharing Act (CISA 2015) created a safer legal lane for two-way sharing of indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). It reduced liability if shared logs inadvertently contained sensitive data, protected participants from certain antitrust concerns, and enabled government sanitization of submissions before redistribution.

“It made it safe for organizations and the government to bidirectionally share critical threat intelligence and indicators of compromise that helped other companies identify and stop potential attacks without legal liability and antitrust concerns,” Matt Durrin, director of training and research for LMG Security, explained.

This wasn’t theoretical. The Automated Indicator Sharing (AIS) pipeline delivered machine-readable threat intel at scale. One major provider’s contributions caused a dramatic spike in shared indicators between 2023 and 2024. Yet participation has been shrinking: contributors dropped from 250+ organizations in 2020 to ~87 recently, a sign that risk anxiety was already cooling the flow. Now that the Cybersecurity Information Sharing Act has lapsed, expect an even sharper chilling effect.

And sharing saves real organizations from real breaches. Matt Durrin recounts how an LMG Security customer was warned of an attack on their systems using the AIS data pipeline: “CISA called a client to let them know that they were being attacked, and even gave them the hostname of the affected computer, where they found the preloader for BlackCat/ALPHV/LockBit-style ransomware. They were able to stop the attack in time, but if CISA hadn’t called, they probably would have been hit.”

What the Lapse of CISA 2015 Means for Your Organization

Without the Cybersecurity Information Sharing Act, you should plan for:

  • Reduced upstream visibility. You—and the vendors you rely on—will receive fewer timely, sanitized alerts and reduced threat intelligence.
  • Higher liability concerns when sharing. Privacy, privilege waivers, FOIA exposure, and renewed antitrust fears are now risks that raise the perceived cost of contributing intel.
  • Slower community defense. If organizations are scared to share, we’re all at greater risk.

How to Reduce Your Risk by Increasing Your Private-Sector Intelligence Pipeline

So, regardless of whether or not Congress restores some version later, you need a contingency plan now. Here are some practical steps you can take to replace some of this threat intelligence data:

1) Broaden your external intelligence network.

  • Join and actually use your sector ISAC/ISAO and local security groups. Formalize participation with monthly intel huddles and Slack/Signal channels for time-sensitive indicators.
  • Leverage vendor relationships. Your EDR/XDR, email security, and firewall providers often have direct lines to federal investigators even if you don’t. Ask for their intel provenance and escalation process. Require “out-of-band” critical alerts (phone/SMS) for active exploitation.
  • Reciprocity matters. Don’t just collect—share your information. Be proactive about how you share information. The IOCs you see can help another organization not suffer the same fate.
  • Assign an “Intel Liaison” (one person in SecOps or the IR lead) to attend ISAC briefings, post weekly roll-ups, and coordinate safe, minimal-necessary sharing with peers and vendors.

2) Pre-negotiate the legal lane before you share intel.

  • Have counsel review now, not during an incident. Establish a short “safe-sharing” procedure that includes data minimization steps (hashing, redaction), privilege preservation language, and approved recipients.
  • Antitrust hygiene. Keep peer exchanges focused strictly on security indicators and defensive measures; exclude pricing, SLAs, or competitive strategy.
  • FOIA awareness. If sharing with public entities, understand what could be disclosed and strip any business-sensitive data.
  • Build a 1-page Intel Sharing Playbook, approved by Legal and the CISO, that answers: what we share, how we sanitize, who approves, where it goes, and how we document it.
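
One way to implement the data-minimization step (hashing, redaction) from the safe-sharing procedure above, as an added example that is not LMG Security's code. The key, the internal DNS suffix, the internal ranges and the log line are all hypothetical or constructed values.

```python
import hashlib
import hmac
import ipaddress
import re

# Assumptions (hypothetical values): key, internal DNS suffix, internal ranges.
PSEUDONYM_KEY = b"placeholder-secret-never-shared"
INTERNAL_SUFFIX = ".corp.example"
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z][a-z0-9-]*\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

def pseudonym(kind, value):
    """Keyed hash: stable per asset, not guessable like a plain SHA-256."""
    mac = hmac.new(PSEUDONYM_KEY, value.lower().encode(), hashlib.sha256)
    return f"<{kind}:{mac.hexdigest()[:12]}>"

def classify_ip(text):
    """Return 'internal', 'external', or None for an invalid IPv4 string."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "external"

def sanitize(line):
    """Replace emails, internal IPs and internal hostnames with pseudonyms."""
    line = EMAIL_RE.sub(lambda m: pseudonym("email", m.group()), line)
    line = IP_RE.sub(lambda m: pseudonym("int-ip", m.group())
                     if classify_ip(m.group()) == "internal" else m.group(), line)
    return HOST_RE.sub(lambda m: pseudonym("int-host", m.group())
                       if m.group().lower().endswith(INTERNAL_SUFFIX)
                       else m.group(), line)

def extract_iocs(line):
    """(type, value) pairs for external indicators; a reviewer still approves."""
    clean = sanitize(line)
    iocs = [("sha256", h.lower()) for h in SHA256_RE.findall(clean)]
    iocs += [("ipv4", ip) for ip in IP_RE.findall(clean) if classify_ip(ip) == "external"]
    iocs += [("domain", d.lower()) for d in HOST_RE.findall(clean)]
    return iocs

# Constructed sample log line, not real data.
SAMPLE = ("host=fin-ws-042.corp.example user=jsmith@corp.example src=10.20.30.40 "
          "dst=198.51.100.23 dns=update-check.badsite.example sha256=" + "ab" * 32)
```

The hostname pattern is deliberately loose and will also match dotted file names, so the extracted list is input to the playbook's approval step, not a replacement for it.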

3) Plan for reduced early warning intel and practice how to respond.

“When you do tabletop exercises and plan your incident response, simulate loss of upstream intelligence and identify other sources,” Durrin shared. Run quarterly tabletops (ransomware, cloud identity compromise, third-party/OAuth abuse), then patch gaps in detection, containment, and communications. If you prefer a facilitator, we offer tabletop exercises and IR training that include today’s latest threats. For more details, read our blogs on running evergreen tabletop exercises and last year’s top tabletop scenarios.

4) Strengthen internal telemetry so you can “self-detect.”

  • EDR/XDR hardening: Confirm kernel-level visibility on all servers and endpoints, strict tamper protection, and tuned detection for lateral movement toolmarks (Cobalt Strike/Sliver/Impacket), Linux persistence, and data staging.
  • Network & identity signals: Enforce MFA everywhere, monitor for anomalous OAuth grants, and alert on new MFA methods or sudden consent to high-risk scopes.
  • Log quality > log quantity: Ensure high-fidelity logging on VPNs, SSO, firewalls, mail gateways, cloud admin actions, and endpoint script hosts—with retention that matches dwell-time reality.
  • Run a 14-day detection validation sprint: purple-team known ransomware precursors (e.g., Kali tool use, suspicious remote admin, shadow accounts) and verify alerts fire within minutes.
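
A sketch of the identity-signal alerting described above (new MFA methods, consent to high-risk scopes), as an added example that is not from the original article. The event schema and events are constructed, the app names are hypothetical, and the scope policy is an assumed one that uses Microsoft Graph permission names for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy (illustrative): scopes treated as high-risk, and which of
# them each approved app may hold. App names here are hypothetical.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"}
APPROVED_APP_SCOPES = {"corp-calendar-sync": {"Calendars.Read", "offline_access"}}
WINDOW = timedelta(hours=1)  # consent this soon after an MFA change escalates

def detect(events):
    """Alert on new MFA methods and on unapproved high-risk OAuth consents."""
    alerts, last_mfa_change = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when, user = datetime.fromisoformat(ev["time"]), ev["user"]
        if ev["type"] == "mfa_method_added":
            last_mfa_change[user] = when
            alerts.append({"rule": "new-mfa-method", "user": user,
                           "severity": "medium", "detail": ev["method"]})
        elif ev["type"] == "oauth_consent":
            allowed = APPROVED_APP_SCOPES.get(ev["app"], set())
            excess = sorted((HIGH_RISK_SCOPES & set(ev["scopes"])) - allowed)
            if not excess:
                continue
            changed = last_mfa_change.get(user)
            chained = changed is not None and when - changed <= WINDOW
            alerts.append({"rule": "high-risk-consent", "user": user,
                           "severity": "critical" if chained else "high",
                           "detail": f'{ev["app"]}: {", ".join(excess)}'})
    return alerts

# Constructed events in a vendor-neutral schema, not real log data.
EVENTS = [
    {"time": "2025-10-02T14:00:00+00:00", "type": "mfa_method_added",
     "user": "alice", "method": "authenticator-app"},
    {"time": "2025-10-02T14:20:00+00:00", "type": "oauth_consent", "user": "alice",
     "app": "pdf-converter-pro", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"time": "2025-10-02T09:05:00+00:00", "type": "oauth_consent", "user": "bob",
     "app": "corp-calendar-sync", "scopes": ["Calendars.Read", "offline_access"]},
    {"time": "2025-10-02T16:45:00+00:00", "type": "oauth_consent", "user": "carol",
     "app": "corp-calendar-sync", "scopes": ["Calendars.Read", "Mail.ReadWrite"]},
]
```

Per-app approved scopes, rather than a flat app allowlist, let the rule catch an approved integration that later asks for more than it was cleared to hold.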

5) Tighten third-party risk for a post-AIS world.

Modern compromises often enter via cloud and third-party routes (think OAuth, chatbots, and integrations). Bake threat-sharing expectations into contracts:

  • Contractual clauses requiring suppliers to notify you of active exploitation within 24 hours and share relevant IOCs. Add an addendum to critical vendor agreements standardizing breach notice, IOC format (STIX/TAXII or CSV), and direct security-team-to-security-team channels.
  • Right to audit logging and IR posture for critical apps.
  • Kill-switch plans for OAuth tokens and API keys, with tested revocation runbooks.

“Even if you don’t get CISA calls, your vendors do. The bigger they are, the closer their relationship is with law enforcement—and that should flow down to you,” Durrin shared.

6) Communicate faster, act sooner.

  • Build escalation trees with phone numbers—not just email tickets.
  • Designate the authority to contain in the IR plan (e.g., SOC may isolate endpoints without prior business approval during high-confidence events).
  • Practice makes prepared. Consider external IR training so your team can recognize and react to modern tradecraft.

Don’t wait for Washington

The Cybersecurity Information Sharing Act may or may not return in a new form. Either way, you can thrive in a lower-visibility environment by creating your own threat intelligence system. Build the relationships. Pre-clear the legal path. Test the plan. Instrument the network. And communicate like your business depends on it—because you never know when your revenue and reputation may be in danger.

We can help. Please contact us if you want an outside team to facilitate realistic exercises, update your IR plan, train your team, or help tune your detection to today’s TTPs.
