The congressional delay in hammering out a federal budget has added another layer of pain to the ongoing crisis for the Cybersecurity and Infrastructure Security Agency (CISA), which extends beyond the current funding concerns. While the ongoing government shutdown has significantly reduced the agency's workforce, it's the expiration of critical information-sharing legislation and a regulatory compliance vacuum that have left enterprises unsure about their next steps.
The Cybersecurity Information Sharing Act of 2015—the foundational legal framework that enables companies to share sensitive threat data with the government and among themselves—expired on Sept. 30, 2025, precisely one day before the shutdown began. The House did pass a continuing resolution extending CISA 2015 through Nov. 21; however, that extension was collateral damage in the broader budget impasse and never made it through the Senate before funding lapsed.
The practical consequences of the lapse have been chilling. Without CISA 2015's liability and antitrust protections, some analysts and staffers estimate threat intelligence sharing could decline by as much as 80%. Corporate legal teams are reportedly growing concerned about potential liabilities associated with continued participation in information-sharing exchanges and ISACs (information sharing and analysis centers) until legal clarity is established. This means that threat data, which might have prevented attacks—such as indicators of compromise from other victims, early-stage reconnaissance patterns, and emerging exploits—now stops flowing. Adversaries, particularly state-backed actors, certainly understand the window of exposure this creates.
"The expiration removes liability protections for voluntary cyber threat information sharing between private entities and the government, potentially reducing the volume and timeliness of shared indicators," explained Theresa Payton, CEO at cybersecurity services provider Fortalice Solutions.
"This can limit enterprises' access to government-sourced threat intelligence, slowing detection of emerging threats and increasing reliance on internal or commercial sources, which may not match the breadth of federal insights," Payton added. A DHS OIG report from September 2025 noted ongoing delays in automating threat sharing under the original framework, exacerbating gaps in real-time intelligence.
Michael Farnum, advisory CISO at cybersecurity services provider Trace3, emphasized the importance of CISA's threat intelligence and enterprise security programs. "Ultimately, most, if not all, CISOs and security departments do rely on CISA for knowing the big risks, issues, and advice regarding remediation. They look to CISA for information and guidance, regardless of whether the CISO works for critical infrastructure, government, or traditional enterprises, so it could seriously impact the response capabilities of many organizations," he said.
Still, most mature programs don't simply depend on CISA, Farnum stressed, adding that many firms likely have threat intelligence services in place to detect active attacks or critical vulnerabilities being exploited. "It's the same with response to alerts. They should already have plans in place for responding to incidents. But when it comes to knowing the actual scope and ramifications of a breach that involves governments and state-actors, etc., there is not really a replacement for what CISA does," Farnum said.
CISA's delay in publishing its cyber incident reporting rule for critical infrastructure—pushed from October 2025 to May 2026—gained new urgency amid the shutdown. Originally mandated by the 2022 Cyber Incident Reporting for Critical Infrastructure Act, the final rule would establish 72-hour breach notification requirements and 24-hour ransom-payment reporting deadlines for operators in 16 critical infrastructure sectors.
With the shutdown preventing CISA from finalizing this guidance, enterprises in these sectors—such as power companies, water utilities, hospitals, and telecommunications firms—face an additional nine months of regulatory uncertainty. They cannot now confidently calibrate their incident response playbooks or invest in the specific compliance infrastructure needed without knowing the exact regulation.
For organizations relying on federal cybersecurity partnerships, the convergence of these three setbacks—operational shutdown, expiration of the information-sharing law, and delayed regulatory guidance—represents a fundamental shift in their threat landscape. NIST, which develops cybersecurity standards and frameworks used globally, also saw its workforce cut to just 34% during the shutdown, meaning framework updates and technical guidance stalled alongside CISA's operations.
The Information Sharing and Analysis Centers (ISACs), which enterprises and critical infrastructure operators rely on for sector-specific threat intelligence, have been disrupted. The multisector ISAC (MS-ISAC), which served 18,000 government entities, transitioned to a paid membership model after federal funding ended, creating cost barriers precisely when information sharing needs are highest.
Payton advised organizations to consider taking the following actions to address current threat information gaps:
Ask your General Counsel to work with DHS CISA General Counsel on a 1:1 Memo of Understanding for sharing information and protections.
Join the FBI's InfraGard program to collaborate with the FBI and private sector members for sharing cyber threat intelligence and resources.
Participate in sector-specific Information Sharing and Analysis Centers (ISACs) or Organizations (ISAOs) for peer-to-peer threat sharing without CISA protections.
Subscribe to commercial threat intelligence platforms for aggregated feeds and analysis.
Enhance internal capabilities through tools like SIEM systems, endpoint detection, and AI-driven anomaly detection to generate proprietary intelligence.
Collaborate through trusted alliances, such as the Cyber Threat Alliance, and ensure that you involve your General Counsel in legal reviews of sharing agreements to mitigate liability risks.
Until Congress passes full FY2026 appropriations or a longer-term continuing resolution—currently expected sometime in November or December—CISA will remain substantially underfunded, and the nation's cybersecurity information-sharing architecture will continue to operate under legal and operational uncertainty. "It's a non-trivial issue to many security departments," added Farnum.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.