As Congress returns from its August recess, the clock is ticking on the Cybersecurity Information Sharing Act of 2015 (CISA 2015), a foundational cybersecurity law set to expire on Sept. 30.
House Homeland Chairman Garbarino has rightly prioritized reauthorization of CISA 2015 and the House recently advanced an extension of the bill. However, the House and Senate remain divided over proposed changes to the legislation, which is threatening the reauthorization process. A clean reauthorization is urgently needed. Without it, we risk losing critical protections that support the federal government’s AI Action Plan and the private sector’s ability to rapidly detect and respond to cyber threats.
For nearly a decade, CISA 2015 has been a cornerstone of sharing information across the cybersecurity ecosystem. It’s the legal framework that lets the public and private sectors work together to stop threats in their tracks.
Industry leaders in energy, healthcare, and finance — along with security coalitions across the board — have been clear: letting these authorities expire would leave defenders at a serious disadvantage and undermine several objectives of the AI Action Plan, from standing up an AI Information Sharing and Analysis Center to responding to AI-specific vulnerabilities.
What is CISA 2015?
To put it simply, CISA 2015 makes real-time cyber threat sharing possible between companies and the federal government as well as state, local, and industry partners. It enables the exchange of threat indicators and defensive tactics while upholding strong privacy and civil liberties protections.
The law allows companies to legally monitor their own systems (or others’, with permission) and use defensive tools to detect and counter malicious activity. And perhaps most importantly, it protects the people and organizations doing the right thing: CISA 2015 includes a suite of legal protections designed to make sharing information safer and easier.
The AI Action Plan: Prioritizing responsible and secure AI without regulating the private sector
The AI Action Plan contains several important provisions related to secure and responsible AI development without imposing new requirements on private companies. But the lack of regulation doesn’t mean companies should be complacent.
The plan calls for expanding existing cyber vulnerability sharing mechanisms to include known AI-specific vulnerabilities. Coordinated disclosure and open channels for vulnerability reporting — like Vulnerability Disclosure Programs (VDPs) — are core tools for security professionals. Bringing that same mindset into securing AI is not only logical — it’s essential.
Government agencies and academic partners are being encouraged to coordinate AI-focused hackathons to test systems for things like robustness and use control. This is exactly the kind of real-world, adversarial testing that makes systems stronger.
As AI is deployed across more sectors, it’s clear that security needs to be built in from the start — and that it takes trusted collaboration between government, industry, and researchers to get it right. We’re glad to see that approach reflected in the plan, but the expiration of CISA 2015, and with it the important clarity and protections it provides, would threaten this important work.
Next steps for companies and Congress
While the AI Action Plan takes a light regulatory approach for private companies, the federal government, as well as customers, legislators, regulators, and the public, is closely monitoring AI models and how they are used. Securing AI systems and ensuring they perform as intended is essential for establishing trust and enabling their responsible deployment.
For companies, especially those supplying or integrating AI systems with federal agencies, the implications are significant. Thankfully, many of the tools that companies can use to build secure and trustworthy systems are familiar to security teams, including AI red-teaming, bug bounty and vulnerability disclosure programs, and continuous monitoring and life-cycle audits.
AI is transforming government and industries, but we have only begun to realize its benefits. The AI Action Plan has the potential to transform how federal agencies operate and how services are delivered to American citizens. As the federal government seeks to model how to deploy AI effectively and responsibly, private companies will have the opportunity to do so as well, either as contractors or by adopting best practices that promote security and earn the trust of customers, elected officials, and the public.
But these goals are now almost immediately at risk as the expiration of a key enabling law rapidly approaches. Congress must act now and reauthorize CISA 2015.
A clean reauthorization of CISA 2015, before the law lapses, is the only way to ensure continuity in public-private threat sharing, protect our nation’s infrastructure, and support the secure development and deployment of AI models that benefit society.