Two Critical Cybersecurity Programs End on the Same Day—And We’re All Less Safe Because of It

September 30, 2025, marks a dark day in American cybersecurity history. On this single date, two foundational pillars of our nation’s cyber defense are collapsing simultaneously: the federal government’s agreement with the Center for Internet Security (which runs the MS-ISAC supporting state and local governments) has ended, and the Cybersecurity Information Sharing Act of 2015 itself has expired without reauthorization.

This isn’t just bureaucratic housekeeping gone wrong. These are deliberate choices—or failures to choose—that will measurably weaken America’s ability to defend against increasingly sophisticated cyber threats from nation-states and criminal organizations. And the timing couldn’t be worse.

What Just Happened: A Timeline of Decline

The MS-ISAC Funding Cuts

On September 30, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) cut its ties to—and funding for—the Center for Internet Security, a nonprofit that provides free and low-cost cybersecurity services to state and local governments.

This didn’t happen overnight. The warning signs were clear:

February 2025: The Department of Homeland Security terminated funding for the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which was run by CIS and advised American election officials and voting machine makers about democracy-menacing cyber threats.

March 2025: CISA announced a $10 million cut in funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC)—about half the total budget—which provides critical cybersecurity threat detection and analysis resources to state and local governments.

August 2025: The Department of Homeland Security published rules for the State and Local Cybersecurity Grant Program that specifically prohibit grantees from spending their funds on MS-ISAC services—eliminating a potential lifeline for the program.

September 30, 2025: CISA’s cooperative agreement with the Center for Internet Security reached its planned end, cutting all remaining federal funding to the MS-ISAC.

The Cybersecurity Information Sharing Act Expires

The Cybersecurity Information Sharing Act of 2015 was set to expire on September 30, 2025, due to a sunset clause built into the legislation. At the time of writing, it has not been reauthorized by Congress.

Despite bipartisan support, urgent pleas from industry coalitions, and warnings from cybersecurity experts, Congress has failed to act. With a potential government shutdown looming due to stalled appropriations bills, cybersecurity has taken a backseat, and political realities are dimming prospects for renewal before the deadline.

Why This Matters: Understanding the Impact

The MS-ISAC: A Lifeline for Local Governments

The Multi-State Information Sharing and Analysis Center has provided no-cost and low-cost cyber threat prevention, protection, response, and recovery for state and local governments since 2003, serving more than 18,000 state, local, tribal, and territorial government organizations.

The services provided are substantial:

In 2024 alone, MS-ISAC services helped local governments:

  • Detect more than 43,000 potential cyberattacks to SLTT networks and escalate them to affected organizations 97% faster than commercial alternatives
  • Identify and prevent more than 59,000 potential malware and ransomware attacks
  • Prevent 25 billion connections to malicious sites online
  • Block 5.4 million known malicious or suspicious emails

These aren’t abstract statistics. They represent actual attacks on police departments, school districts, water utilities, election offices, and emergency services that were stopped before they could cause damage.

State and local officials have questioned how they will rapidly share threat information if they see a cyber issue happening in Oregon and need to let Michigan know about it.

State CIOs and cybersecurity officials from states like New Hampshire and Minnesota emphasized the immense value the MS-ISAC provides, with many believing that any reduced ability to share information puts every local entity at greater risk from very real cyber threats.

The act allows organizations to report suspicious software or threats safely and free of liability concerns. The government agency that receives the threat information shares it with other agencies and with other companies that may similarly be threatened.

The framework provides critical protections:

Information protection measures, antitrust protections, liability protections, and protections from disclosure in court proceedings are all specific to the act and would be affected by its expiration.

Without these protections, organizations will retreat into information silos, leaving us blind to emerging threats. A financial institution that detects suspicious activity linked to a nation-state campaign could face legal exposure for sharing that intelligence.

The act passed with bipartisan support following the 2015 Office of Personnel Management breach and sought to encourage public and private sector entities to share cyber threat information, removing legal barriers and the threat of unnecessary litigation.

The Elephant in the Room: Why Threat Sharing Matters

Here’s the uncomfortable truth about modern cybersecurity: no single organization can see the entire threat landscape.

Imagine a sophisticated nation-state campaign targeting America’s critical infrastructure:

  • A power company in Texas sees unusual network probing
  • A water utility in Ohio experiences similar reconnaissance
  • A telecommunications provider in Virginia detects the same command-and-control signatures
  • A hospital in Florida is hit with a variant of the same malware

Separately, these look like isolated incidents. Together, they reveal a coordinated attack.

This is not hypothetical. We face AI-powered attacks, the proliferation of cybercrime-as-a-service, supply chain compromises that ripple across entire sectors, and sophisticated ransomware ecosystems where criminals and nation-states share resources. Recent nation-state attacks on U.S. critical infrastructure including communications systems, the Treasury Department BeyondTrust breach, and the SolarWinds incident where nine agencies were compromised all underscore the need for information sharing.

One company sees the tail. Another sees the torso. Only through sharing do we see the whole beast.

Without the legal protections of CISA and the infrastructure of the MS-ISAC, that sharing stops. Organizations go silent, not out of malice, but out of fear:

  • Fear of lawsuits
  • Fear of regulatory action
  • Fear of public disclosure
  • Fear of competitive disadvantage

This isn’t speculation—it’s the pre-2015 reality we’d return to.

Who Pays the Price?

Small and Mid-Sized Governments Hit Hardest

Rural and under-resourced counties have relied on free tools and technical assistance through the MS-ISAC to bolster cyber-readiness. An MS-ISAC poll showed 83% of members said they would not easily be able to find alternatives if the group’s services were to disappear, and 95% said elimination of services would have a negative effect on their cybersecurity.

Starting October 1, MS-ISAC switched to a fee-based model with membership costs tied to operating budgets. Small districts pay around $1,495 per year, scaling into tens of thousands for larger jurisdictions.

For a small-town police department or rural school district already stretched thin, even $1,500 might be impossible to find in the budget. And they cannot use federal State and Local Cybersecurity Grant Program funds to pay for MS-ISAC memberships—eliminating what could have been a funding solution.

Election Security in Jeopardy

Election workers and officials have expressed fears about threats and intimidation without federal support, particularly following the complete termination of EI-ISAC funding in February 2025.

As one election security expert put it: “Election security is genuinely a race without a finish line and our adversaries are not sitting around eating bon-bons. Our adversaries—both foreign adversaries like Russia, China and Iran, and also domestic terrorists—are continually inventing and executing new and different ways to try to infiltrate our systems.”

With the 2026 midterm elections approaching, this timing is particularly concerning.

Critical Infrastructure at Risk

Nation-state hackers have launched numerous attacks on U.S. critical infrastructure including communications systems, signaling they are positioning for bigger, more disruptive attacks.

Water utilities, power grids, hospitals, transportation systems—all rely on information sharing to defend against sophisticated threats. Many are operated by small entities with limited cybersecurity budgets.

The Response: Too Little, Too Late?

Industry Sounds the Alarm

Multiple coalitions have pleaded for action:

The Protecting America’s Cyber Networks Coalition—including the U.S. Chamber of Commerce and dozens of industry associations—urged Congress to cleanly reauthorize CISA 2015 before expiration, warning that if it lapses, the U.S. will face a more complex and dangerous security environment.

Banking industry groups, including the American Bankers Association and Bank Policy Institute, sent a joint letter emphasizing that the expiration of these protections risks creating a chilling effect on critical information exchange, leaving us all more vulnerable to nation-state attacks and cybercriminals.

The American Public Power Association and other groups urged Congress to extend the expiration date, noting that this voluntary information sharing framework has been instrumental in strengthening collective defense against cybersecurity threats that continue to grow in sophistication and severity.

Proposed Legislation Stalled

Lawmakers have floated successors like the WIMWIG Act (Widespread Information Management for the Welfare of Infrastructure and Government), which aims to extend CISA through 2035 and enhance data privacy while expanding scope to critical infrastructure. A bipartisan pair of senators introduced a bill to simply extend CISA for another 10 years.

But with Congress mired in budget battles and a potential government shutdown looming, these bills have stalled. Time has run out.

CISA’s Justification Falls Flat

CISA claimed the funding cuts would “save taxpayers approximately $10 million a year, focus CISA’s work on mission critical areas, and eliminate redundancies,” and that MS-ISAC services are redundant with other services offered directly by CISA.

Yet CISA did not respond to questions about whether federal dollars previously funneled to CIS services would instead fund existing state and local infosec efforts, or clarify how cutting funding to programs that aim to boost local governments’ digital defenses will improve cybersecurity resiliency.

MS-ISAC officials disputed the redundancy claims as “not necessarily true,” noting that MS-ISAC is the only initiative offering cyber threat intelligence, incident response support, and real-time information sharing programs not performed by the federal government.

This Is Not Partisan. This Is National Security.

Let’s be absolutely clear: protecting critical infrastructure, businesses, and citizens from cyberattacks is not a left-versus-right issue.

Cyberattacks don’t care about political affiliation:

  • When ransomware hits a hospital, patients of all political persuasions are affected
  • When attackers target election infrastructure, they threaten democracy itself
  • When nation-states position themselves to disrupt power grids or water systems, everyone suffers

The Cybersecurity Information Sharing Act passed in 2015 with bipartisan support from both parties. Industry groups spanning banking, technology, energy, and public infrastructure all agree on its importance.

Yet here we are, allowing these critical programs to die through a combination of politics, timing, and what can only be described as negligence.

What Happens Now?

The Immediate Future

For Organizations: CISOs face urgent questions about how to handle threat information sharing immediately after September 30, 2025, without the legal protections previously provided by CISA. Many will likely reduce or halt voluntary sharing out of abundance of caution regarding legal liability.

For State and Local Governments: Current MS-ISAC members see their benefits expire as of October 1 unless they sign up for paid membership by September 30. Many small jurisdictions simply won’t be able to afford it, leaving them blind to threats.

For Threat Actors: They’re celebrating. Every day that passes without these protections is a day American defenses are weaker, coordination is reduced, and opportunities for successful attacks increase.

The Path Forward

Congress must act urgently to:

  1. Reauthorize the Cybersecurity Information Sharing Act either as a clean extension or as part of comprehensive legislation that addresses modern threats while maintaining critical liability protections
  2. Restore funding for MS-ISAC or establish an alternative mechanism that ensures state and local governments—particularly small and under-resourced entities—have access to threat intelligence and incident response capabilities
  3. Enable use of cyber grant funds for MS-ISAC membership by amending the State and Local Cybersecurity Grant Program restrictions
  4. Commit to bipartisan cooperation on cybersecurity issues, recognizing that national security transcends politics

What We Can Do

For IT and Security Professionals:

  • Continue sharing threat information where legally permissible
  • Document the impact of these losses on your organization’s security posture
  • Engage with industry associations advocating for renewal
  • Make the case to leadership about the risks created by this lapse

For Government Officials:

  • Contact your representatives and senators
  • Share specific examples of how MS-ISAC and CISA protections have helped your jurisdiction
  • Join or support coalitions pushing for restoration of these programs

For Citizens:

  • Understand that this affects services you depend on daily
  • Demand that elected officials treat cybersecurity as the bipartisan national security priority it is
  • Support adequate funding for cybersecurity at all levels of government

The Bottom Line

We risk dismantling years of progress in collaborative cyber defense at the precise moment we need it most.

The threat landscape has never been more dangerous. Nation-state adversaries are positioning for major attacks on critical infrastructure. Ransomware groups are targeting hospitals, schools, and municipalities with impunity. Supply chain attacks are growing in sophistication and scale.

And we’re responding by… eliminating the programs that help us defend against these threats?

This makes no sense from any perspective:

  • Not from a security perspective
  • Not from an economic perspective (the cost of breaches far exceeds the cost of these programs)
  • Not from a governance perspective
  • Not from a common-sense perspective

Letting these programs die—whether through politics, timing, or neglect—leaves the United States objectively weaker at a time when our adversaries are getting bolder and more sophisticated.

Cybersecurity does not care about political lines. Neither should our defenses.

The question now is whether Congress will recognize the severity of this mistake before the damage becomes irreversible, or whether we’ll learn this lesson the hard way—through major successful attacks that could have been prevented if only we had maintained the very systems designed to stop them.

September 30, 2025, should be remembered as a cautionary tale: the day America chose not to defend itself, even though the threats were clear, the solutions were available, and experts across the political spectrum were begging for action.

We can do better. We must do better. And we need to start now.

Update Required: Congress must act immediately to restore these critical cybersecurity capabilities. Contact your representatives and demand action on CISA reauthorization and MS-ISAC funding restoration.

The clock is ticking. Every day of delay is a day our adversaries gain ground.