Education has become a prime target industry for cyber criminals. According to the U.S. Department of Education, school districts nationwide experience five cybersecurity incidents per week, on average. Yet according to the Consortium for School Networking (CoSN), only 1 in 3 U.S. school districts has even one full-time cybersecurity staff member, leaving the majority of districts to rely on outside help or shared services. The act, abbreviated as CISA 2015, not to be confused with the federal agency of the same acronym, has helped fill some of those needs.
“They will essentially lose the advantage of getting things like threat notifications and coordinated systems,” Amy McLaughlin, project director for cybersecurity and network and systems design initiatives at CoSN, said. “They will be struggling along the way they were before 2015, but with a much broader threat environment because we are much more highly dependent on technology than we were 10 years ago, and the threat actors have gotten more and more clever.”
They will be struggling along the way they were before 2015, but with a much broader threat environment because we are much more highly dependent on technology than we were 10 years ago, and the threat actors have gotten more and more clever.
Amy McLaughlin, project director for cybersecurity and network and systems design initiatives, CoSN
ABOUT THE ACT
Congress originally passed CISA 2015 in the wake of breaches like the Office of Personnel Management hack and growing calls for better collaboration on cyber defense. The act created a voluntary system for sharing cyber “indicators” — including malicious websites, new techniques or threat activity among known bad actors — between federal agencies, state and local governments and companies. It directed federal agencies to rapidly distribute information in both classified and unclassified forms to relevant parties.
It also explicitly authorized private firms to monitor their own networks and those of contracted client partners and to share cyber threat information with each other and the government without risk of breach of privacy and antitrust rules. Information shared under the act is exempt from public disclosure requests, keeping sensitive security details private.
The act also enshrined standards for sharing the information, including requiring that personally identifiable information be removed, and tasked federal agencies like the Department of Homeland Security (DHS) and the Department of Justice with guiding participants on protecting civil liberties in the sharing process.
In practice, CISA 2015 led to the development of the DHS Automated Indicator Sharing system, which allows real-time exchange of threat alerts from one machine to another. It also bolstered the role of sector-based Information Sharing and Analysis Centers (ISACs) that funnel threat bulletins to members in specific sectors. The Multi-State ISAC, for example, shares across state governments, while the Research and Education Network ISAC shares across education and research institutions.
Over the past decade, the law has become an important piece of U.S. cyber defenses.
“A significant volume of critical cyber threat intelligence has been exchanged between industry and government under this law,” Rep. Andrew Garbarino, R-N.Y., who chairs a House cybersecurity subcommittee, said in a May hearing.
For example, he said, one major organization shared 84 threat reports in a year, reaching thousands of partners and helping to foster a landscape where information sharing is the norm rather than the exception.
WHY SCHOOLS HAVE A STAKE
The education sector has benefited from this collaborative model, receiving threat advisories through various ISACs, McLaughlin said. Carla Wade, who oversees corporate sponsorship, professional learning and advocacy programs at CoSN, said public schools hold a trove of sensitive student and staff data and often rely on these warning systems in the absence of dedicated cybersecurity personnel.
Both federal officials and school IT experts caution that if the act sunsets on Sept. 30, it could weaken defenses.
“Letting it expire de facto indicates that there is no longer a problem, which is not an accurate assessment or state at all,” McLaughlin said.
In reality, attacks on education continue to climb. According to tech research firm Comparitech, ransomware attacks on the education sector jumped 23 percent in the first half of 2025 compared to the same period in 2024.
Without the legal protections in CISA 2015, private-sector members may be less willing to share cybersecurity information with other companies or public agencies, Garbarino said in the hearing.
The sunset may also diminish resources for ISACs, making it harder to share information, even if organizations want to. A recent $10 million cut to the Multi-State ISAC is one example of potential losses.
“Having that coordinated effort where people know where the information came from, that it’s been vetted and reviewed, and that it’s from a trusted source is really important because there’s no good way to just randomly share information across multiple organizations without a coordinating entity,” McLaughlin said.
CALLS FOR EXTENSION
Lawmakers in the House and Senate; industry groups in banking, power and cybersecurity; and the U.S. Chamber of Commerce have all called for the extension of the act, which is permissible under the law with congressional approval.
A Senate measure introduced in April by Sen. Mike Rounds, R-S.D., and Sen. Gary Peters, D-Mich., would simply renew the law through 2035 without substantive changes. In the House, a parallel effort is underway, with committees weighing reauthorization. Lawmakers have also discussed attaching some refinements to reflect evolving threats and technology, including artificial intelligence.
“While I recognize that there is room to improve and modernize the Cybersecurity Information Sharing Act, we cannot allow efforts to rethink the bill to interfere with its timely reauthorization,” Rep. Bennie Thompson, D-Miss., the ranking member on the Homeland Security Committee, said in a public statement. “If history is any guide, changes to CISA 2015 — however minor — will involve multiple stakeholders and multiple rounds of careful negotiation.”
