The lapse of the **Cybersecurity Information Sharing Act (CISA 2015)** and the **State and Local Cybersecurity Grant Program**, combined with a **staffing reduction to under 900 employees** (from ~2,500) caused by the expiration of government funding, has left the Cybersecurity and Infrastructure Security Agency (CISA) critically under-resourced. Without the law's liability protections for private-sector threat sharing, companies may hesitate to report cyber threats, increasing systemic vulnerabilities. The absence of grant funding further weakens state and local defenses (e.g., hospitals, schools, water systems), raising the risk of cascading disruptions. Experts warn of **potential major cyberattacks** during this period, with CISA lacking sufficient personnel to respond effectively. Legal uncertainties (e.g., antitrust exposure, FOIA disclosures) and reduced real-time intelligence sharing exacerbate the threat landscape, particularly for critical infrastructure. Senators and industry leaders emphasize the urgency of reauthorization, citing risks to **national and economic security**, but partisan delays persist.
Source: https://rollcall.com/2025/10/10/lawmakers-sound-alarm-over-lapsed-cybersecurity-law/
TPRM report: https://www.rankiteo.com/company/cisagov
{
  "id": "cis0332103101125",
  "linkid": "cisagov",
  "type": "Cyber Attack",
  "date": "6/2015",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{'affected_entities': [{'customers_affected': 'All U.S. critical '
'infrastructure sectors',
'industry': 'Cybersecurity',
'location': 'United States',
'name': 'U.S. Federal Government (CISA)',
'size': 'Large (reduced from ~2,500 to <900 employees '
'during shutdown)',
'type': 'Government Agency'},
{'customers_affected': 'Millions of U.S. residents '
'reliant on public services',
'industry': 'Multiple (Education, Healthcare, '
'Utilities)',
'location': 'United States',
'name': 'State and Local Governments (e.g., schools, '
'hospitals, water systems)',
'size': 'Varies',
'type': 'Public Sector'},
{'industry': 'Multiple (Cybersecurity, Critical '
'Infrastructure)',
'location': 'United States (primarily)',
'name': 'Private-Sector Companies (e.g., Cyber Threat '
'Alliance members)',
'size': 'Varies',
'type': 'Corporate'}],
'date_publicly_disclosed': '2023-10-01',
'description': 'The expiration of the Cybersecurity Information Sharing Act '
'(CISA 2015) and the State and Local Cybersecurity Grant '
'Program, combined with reduced staffing at the Cybersecurity '
'and Infrastructure Security Agency (CISA) due to a government '
"funding lapse, has heightened concerns about the U.S.'s "
'vulnerability to cyberattacks. The lapse removes liability '
'protections for companies sharing cyber-threat information, '
'discouraging collaboration and leaving critical '
'infrastructure at risk. Key stakeholders, including Sen. Gary '
'Peters, have warned of potential national and economic '
'security risks, while efforts to reauthorize the programs '
'face political hurdles. The reduced CISA workforce may also '
"limit the agency's ability to respond effectively to a major "
'incident.',
'impact': {'brand_reputation_impact': ['Erosion of public trust in federal '
'cybersecurity preparedness',
'Perception of political dysfunction '
'hindering cyber defense'],
'legal_liabilities': ['Loss of antitrust protections for '
'threat-sharing companies',
'Risk of FOIA-disclosure of shared threat '
'data',
'Potential regulatory fines for companies '
'sharing information without protections'],
'operational_impact': ['Reduced federal cybersecurity response '
'capability',
'Discouraged private-sector information '
'sharing',
'Increased legal/regulatory risks for '
'companies sharing threat data',
'Potential delays in state/local government '
'cybersecurity improvements']},
'investigation_status': 'Ongoing (political/legislative; no technical '
'investigation)',
'lessons_learned': ['Short-term legislative patches are insufficient for '
'cybersecurity operations requiring long-term certainty.',
"Political objections (e.g., Sen. Rand Paul's conflation "
'of CISA 2015 with the CISA agency) can derail critical '
'cybersecurity measures.',
'Corporate legal teams may hesitate to share threat data '
'without liability protections, even if operational teams '
'support collaboration.',
'State/local cybersecurity grants have tangible impacts '
'on community resilience (e.g., schools, hospitals).',
"CISA's reduced staffing during shutdowns creates "
'systemic vulnerability to major incidents.'],
'post_incident_analysis': {'corrective_actions': ['Bipartisan negotiation to '
'separate CISA 2015 '
'reauthorization from '
'unrelated political '
'disputes.',
'Development of a dedicated '
'legislative process for '
'cybersecurity updates '
'(e.g., 5-year review '
'cycles).',
"Expansion of CISA's "
'shutdown-exempt staff to '
'maintain core functions.',
'Public-private working '
'groups to modernize '
'threat-sharing frameworks '
'(e.g., AI, systemic '
'risks).',
'State/local cybersecurity '
'coalitions to sustain '
'grant-funded initiatives '
'during federal lapses.'],
'root_causes': ['Political gridlock preventing '
'timely reauthorization of '
'critical cybersecurity programs.',
'Conflation of CISA 2015 (law) '
'with CISA (agency) by key '
'senators (e.g., Rand Paul).',
'Over-reliance on short-term '
'Continuing Resolutions for '
'long-term cybersecurity needs.',
'Lack of clear legislative '
"vehicles for updating CISA 2015's "
'threat definitions (e.g., AI, '
'supply chain).',
'Insufficient contingency planning '
'for CISA operations during '
'government shutdowns.']},
'recommendations': ['Pass a 10-year reauthorization of CISA 2015 with '
'retroactive protections to Oct. 1, 2023.',
"Modernize the definition of 'cyber-threat indicators' to "
'include supply chain and AI-related threats.',
'Incentivize sharing of single-point-of-failure data to '
'address systemic risks.',
'Restore full funding for CISA to avoid operational gaps '
'during shutdowns.',
'Reauthorize the State and Local Cybersecurity Grant '
'Program for 10 years, with provisions for AI-system '
'support.',
'Clarify distinctions between CISA (the agency) and CISA '
'2015 (the law) to address political misconceptions.',
'Establish bipartisan task forces to depoliticize '
'cybersecurity legislation.'],
'references': [{'source': 'Politico'},
{'source': 'Sen. Gary Peters (D-MI) statements'},
{'source': 'Cyber Threat Alliance (Michael Daniel)'},
{'source': 'Internet Security Alliance (Larry Clinton)'},
{'source': 'House Homeland Security Committee'}],
'regulatory_compliance': {'regulations_violated': ['Cybersecurity Information '
'Sharing Act (CISA 2015)'],
'regulatory_notifications': ['Lapse of FOIA '
'exemptions for shared '
'threat data',
'Loss of antitrust '
'protections for '
'collaborating '
'companies']},
'response': {'communication_strategy': ["Sen. Peters' public warnings about "
'national/economic security risks',
'Media outreach by Cyber Threat '
'Alliance and Internet Security '
'Alliance',
'House Democratic staffer comments on '
'program success in state/local '
'governments'],
'recovery_measures': ['Short-term extensions via Continuing '
'Resolution (CR) in House/Senate bills',
'Potential inclusion in larger legislative '
'vehicles'],
'remediation_measures': ["Sen. Gary Peters' 10-year CISA 2015 "
'reauthorization bill (Protecting '
'America from Cyber Threats Act)',
"House Homeland Security Committee's "
'10-year extension bill (sponsored by '
'Rep. Andrew Garbarino)',
'Proposed updates to cyber-threat '
'indicator definitions (e.g., supply '
'chain, AI threats)',
'Incentives for sharing '
'single-point-of-failure data (proposed '
'by Internet Security Alliance)'],
'third_party_assistance': ['Cyber Threat Alliance '
'(information-sharing coordination)',
'Internet Security Alliance (advocacy '
'for policy updates)']},
'stakeholder_advisories': ["Sen. Peters' warnings to reporters about national "
'security risks.',
'Cyber Threat Alliance and Internet Security '
'Alliance statements on information-sharing '
'impacts.',
'House Homeland Security Committee Republican aide '
'comments on CR extensions.',
'House Democratic staffer remarks on state/local '
'grant program success.'],
'title': 'Lapse of Federal Cybersecurity Programs Increases Vulnerability to '
'Cyberattacks',
'type': ['Policy/Regulatory Failure', 'Operational Risk'],
'vulnerability_exploited': ['Lapse of CISA 2015 liability protections',
'Reduced CISA staffing (from ~2,500 to <900)',
'Expiration of State and Local Cybersecurity '
'Grant Program',
'Lack of real-time threat-sharing incentives']}