Cyber Governance: Managing Life After CISA

by John Jenkins

March 19, 2026

We’ve previously blogged about the issues created by the expiration of the Cybersecurity Information Sharing Act of 2015 (CISA), and this recent Risk Management Magazine article offers some specific advice to companies on how to manage in an environment where sharing information about cyber threats is no longer entitled to a safe harbor. The article includes some recommendations for governance practices that companies should consider in order to address the more uncertain regulatory environment:

Update your information-sharing program. Make a simple list of every place the organization shares threat data, including vendors, partners, and information sharing and analysis centers (ISACs/ISAOs). Note what is shared, with whom, and why. Update any agreements to clearly outline what is allowed, how it is sent, how long it is kept, and who can access it. Create legal-approved templates for urgent sharing so teams are not writing ad-hoc emails under pressure. A temporary return of protections does not remove the need to tighten this foundation now.

Review and record data monitoring activities. Assume detection and data handling activities will be closely scrutinized. Minimize data to what the control actually needs, enforce role-based access and immutable logging with appropriate retention, and record the rationale for each field collected by mapping detections to MITRE ATT&CK (a widely used framework that documents real-world adversary tactics and techniques) and to clearly defined business-risk scenarios.

Keep threat intel flowing. Collect only the data needed to run each control. Limit who can view it, maintain tamper-proof logs, and establish clear retention policies. Write down why each data field is necessary and what risk it addresses. Favor contractual pathways with explicit permissions over informal sharing, and, when possible, route indicators through vetted clearinghouses (ISACs/ISAOs or reputable commercial providers). Ongoing staffing losses and weakened partnerships mean that even protected programs may operate with less speed and reach, and programs built solely on statutory shelter will face renewed strain if another lapse occurs.

Other recommendations include strengthening internal collaboration, aligning controls with recognized frameworks, modernizing communications and disclosure templates, adapting contract provisions to ensure third parties have contractual commitments to provide timely information concerning potential compromises, and running tabletop exercises for various “no safe harbor” scenarios.