Full Report
A DHS inspector general report found that CISA doesn’t have plans for what to do with AIS if the Cybersecurity Information Sharing Act lapses. The post Watchdog: Cyber threat information-sharing program’s future uncertain with expected expiration of 2015 law appeared first on CyberScoop.
Analysis Summary
# Regulation/Compliance: Cybersecurity Information Sharing Act (CISA 2015) and Automated Indicator Sharing (AIS) Program Uncertainty
## Overview
This summary addresses the impending expiration of the Cybersecurity Information Sharing Act of 2015 (CISA 2015) and the resulting uncertainty regarding the future operation of the Automated Indicator Sharing (AIS) program established under its authority by the Cybersecurity and Infrastructure Security Agency (CISA). The primary concern is the lapse of legal safeguards associated with CISA 2015 and CISA's lack of a finalized plan to continue crucial threat information sharing if the law expires.
## Key Details
- **Issuing Authority:** U.S. Congress (Act); Department of Homeland Security (DHS), specifically CISA (Program Implementation via the Inspector General report).
- **Effective Date:** CISA 2015 was enacted in 2015. The relevant operational deadlines referenced in the article are imminent (set for expiration "Wednesday" relative to the article date of September 30, 2025).
- **Jurisdiction:** United States federal government and private industry entities sharing cyber threat information (CTIs and DMs).
- **Status:** CISA 2015 is nearing expiration without renewal action from Congress; the AIS program's continuation is uncertain.
## Requirements
### Mandatory Requirements (Under current CISA 2015 framework, at risk of lapse)
1. **Information Sharing:** Facilitate the exchange of machine-readable cyber threat indicators (CTIs, e.g., malicious IPs) and defensive measures (DMs) between industry and government, often via the AIS program.
2. **Legal Safeguards:** Benefit from statutory legal protections provided by CISA 2015 when sharing information (though specific details of these safeguards are not detailed in this excerpt).
### Recommended Practices (Inferred Operational Best Practices from IG Report)
1. **Diversify Partnerships:** Avoid over-reliance on a small number of top contributing partners, as such reliance leads to inconsistent results and vulnerability if major partners withdraw.
2. **Program Viability Assessment:** CISA should finalize a plan detailing how to sustain threat sharing if CISA 2015 expires, including analyzing the $1 million per month operational cost of AIS against reduced future value/volume.
## Affected Organizations
- **Industries:** All sectors involved in cyber threat information exchange with the federal government, particularly critical infrastructure owners and operators.
- **Organization Size:** Not explicitly size-bound, but relies on private-sector partners (including ISACs representing hundreds of organizations).
- **Geographic Scope:** United States federal agencies and U.S. private sector entities.
## Compliance Timeline
- **Prior to Expiration Date (Implied):** Industry and cyber professionals expressed alarms regarding the lapse.
- **Expiration Deadline (Set for Wednesday/Tuesday):** The 2015 law is expected to lapse without Congressional action.
- **Post-Expiration:** CISA intends to "analyze the value of AIS" (including operational cost) to determine if resources (approx. $1 million/month) should be redirected, suggesting the continuation of the AIS program is not guaranteed.
## Implementation Guidance
### Assessment Phase
- **CISA Internal Review:** CISA must assess the value of the AIS program against its operating cost ($1M/month) and projected reduced data volume should the law lapse.
### Implementation Phase
- **Contingency Planning:** CISA needs to finalize robust plans for continued cyber threat information sharing in the event the 2015 Act expires, securing necessary resources or leadership approval.
### Validation Phase
- **Monitoring Partner Reliance:** CISA must validate that threat collection volumes are not dependent on single, large contributors to ensure program stability.
## Technical Requirements
1. **Machine-Readable Format:** The AIS program facilitates the exchange of CTIs and DMs in an automated, unclassified, machine-readable format.
2. **Data Volume:** The program exchanged 10 million indicators in 2024, though this volume is highly concentrated among very few partners.
## Penalties & Enforcement
- **Fines:** Not specified in the context of the CISA 2015 expiration itself.
- **Other Consequences:** If CISA does not plan for continuity, the agency "could be hindered in how it shares information on cyber threats, which would reduce its ability to protect the Nation’s critical infrastructure from cyber threats."
- **Enforcement:** The immediate consequence discussed is the potential degradation of CISA’s threat-sharing capabilities due to the lapse of the statutory authority and lack of operational continuity plans.
## Related Standards
- **CISA 2015:** The foundational legislative act enabling the specific AIS mechanism analyzed.
- **NIST/ISO:** Not explicitly mentioned as required standards for AIS participation, but standard cybersecurity frameworks would underpin the technical capability of sharing data.
## Resources
- **Official Documentation:** Inspector General Report (OIG-25-46-Sep25.pdf) detailing findings.
- **Guidance Documents:** Previous industry alarms regarding the implications of the law’s lapse.
- **Tools:** Automated Indicator Sharing (AIS) platform.
## Practical Recommendations
1. **For Congress:** Take immediate legislative action to renew or replace CISA 2015 to preserve established threat sharing channels and the associated legal benefits.
2. **For CISA Stakeholders:** Prepare for a potential operational downgrade or cessation of high-volume automated sharing if the law expires, and actively participate in CISA’s internal value analysis of the AIS program.
3. **For Private Partners:** Review internal policies regarding sharing protocols in case the statutory protections underpinning current sharing mechanisms disappear.