How the WIMWIG Act differs from CISA 2015

With the Cybersecurity Information Sharing Act of 2015 (CISA 2015) set to expire on September 30, 2025, Congress is advancing the Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG Act) as its proposed successor. While the WIMWIG Act reportedly builds upon the foundational framework established by CISA 2015, it is said to introduce reforms and modernizations that reflect the current cybersecurity landscape.

 

Understanding CISA 2015

The Cybersecurity Information Sharing Act of 2015 was legislation that addressed a gap in America's cybersecurity defense. Prior to CISA 2015, organizations were hesitant to share cyber threat information with government agencies or other private entities due to concerns about liability, antitrust violations, and regulatory complications. CISA 2015 established a voluntary framework that provided liability protections for companies sharing cyber threat indicators and defensive measures with federal agencies and other private sector entities.

According to cybersecurity expert Cynthia Kaiser, senior vice-president of the Ransomware Research Center at Halcyon Security and former deputy assistant director for cyber policy at the FBI's cyber division, CISA 2015 has served as the backbone of cyber defense over the past decade, as reported by Computer Weekly. The law has helped ward off cyber attacks by providing timely intelligence to potential victims and enabling multinational law enforcement operations targeting cyber criminality.

The original law created a structured environment where beneficial cyber activities, including sharing of threat indicators, deployment of defensive measures, and network monitoring for cyber purposes, were deemed lawful and encouraged. As defined in Section 102(4) of CISA 2015, a "cybersecurity purpose" means "the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability."

Central to CISA 2015's success was its liability protection framework. Section 106 of the Act established that "No cause of action shall lie or be maintained in any court against any private entity" for sharing cyber threat indicators when conducted in accordance with the Act's provisions. This protection was complemented by antitrust exemptions outlined in Section 104(e), which specified that "it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator or defensive measure." The voluntary nature of participation was explicitly protected under Section 108(i), which states that "Nothing in this title shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized in this title."

The Act also incorporated privacy safeguards, requiring under Section 104(d)(2) that entities "review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat" and remove personal information before sharing. However, as specified in Section 111 of CISA 2015, these protections were designed with a sunset provision, making the Act "effective during the period beginning on the date of the enactment of this Act and ending on September 30, 2025."

 

The WIMWIG Act

The WIMWIG Act reportedly represents a strategic evolution of the CISA 2015 framework rather than a complete overhaul. The extension, dubbed the Widespread Information Management for the Welfare of Infrastructure and Government, or WIMWIG, Act, is proposed to extend the law another ten years, providing stability and continuity for existing cybersecurity information sharing programs. According to Computer Weekly's reporting on the WIMWIG Act, the effective period would be extended by striking "2025" and inserting "2035," ensuring continuity through 2035.

However, the WIMWIG Act is said to be far more than a simple reauthorization. The Widespread Information Management for the Welfare of Infrastructure and Government Act reportedly not only extends the current mechanism and liability protections that are central to the ability of the private sector to share information with the government, but it is also expected to hold federal agencies more accountable for their role in the information sharing ecosystem.

 

Proposed differences and reforms

Artificial intelligence integration

One of the proposed modernizations in the WIMWIG Act is its reported incorporation of artificial intelligence capabilities. The new legislation is said to specifically authorize the use of "artificial intelligence that is developed or strictly deployed for cybersecurity purposes," according to reports about the WIMWIG Act. 

Computer Weekly reports that the WIMWIG Act is said to include updated definitions to encompass emergent cyber attack tactics, techniques and procedures, including artificial intelligence, which have advanced since 2015. The reported integration of AI tools marks a departure from CISA 2015's more traditional approach to information sharing, potentially positioning the United States to leverage cutting-edge technology in its collective defense efforts. These AI-enhanced capabilities are designed to accelerate threat recognition and improve the speed and accuracy of information sharing between stakeholders.

 

Enhanced accountability measures

While CISA 2015 focused primarily on enabling information sharing through the liability protections established in Section 106 and the voluntary participation framework outlined in Section 108(i), the WIMWIG Act reportedly includes expectations for federal agencies to be more active and responsible participants in the information sharing system. This shift reflects lessons learned over the past decade about the importance of ensuring that government entities take part in that system actively and responsibly, rather than as recipients of private sector intelligence.

The WIMWIG Act reportedly includes enhanced outreach requirements, with expectations for "targeted engagement, to ensure Federal and non-Federal entities, particularly small or rural owners or operators of critical infrastructure" are properly informed and supported in their cybersecurity information sharing efforts, according to reports about the WIMWIG Act.

 

Infrastructure focus

The WIMWIG Act reportedly demonstrates an enhanced focus on protecting critical infrastructure through targeted information sharing. According to reports, the legislation is said to "provide one-time read-ins, as appropriate, to select individuals identified by non-Federal entities that own or operate critical infrastructure." This provision suggests a more targeted approach to information sharing with personnel at critical infrastructure entities compared to CISA 2015's broader framework.

As reported by Computer Weekly, the act is expected to ensure private sector organizations—especially small to medium-sized enterprises—receive more information through mechanisms such as one-time read-ins for at-risk organizations such as critical infrastructure operators, and directs federal bodies to provide technical assistance to the private sector on a voluntary basis.

 

Modernized defensive measures and threat response

The WIMWIG Act reportedly expands the scope of defensive measures that can be shared and implemented under the liability protections. By inserting "and defensive measures" after certain provisions, the legislation is said to broaden the types of cybersecurity actions that receive legal protection, reflecting the evolved understanding of what constitutes effective cyber defense since CISA 2015's original definition in Section 102(7).

The legislation is also reported to address contemporary threats more directly. According to reports about the WIMWIG Act, reporting requirements are now said to specifically include "prepositioning activities, ransomware" among the cybersecurity threats that must be documented and analyzed, reflecting the current threat landscape where ransomware attacks and advanced persistent threat positioning have become critical concerns.

 

Enhanced inter-agency coordination

The WIMWIG Act reportedly strengthens coordination between federal agencies by enabling "rapidly providing other Federal entities, including Sector Risk Management Agencies, awareness of a cybersecurity threat" that may impact their information systems. This provision is expected to ensure that specialized sector-focused agencies receive timely threat intelligence relevant to their areas of responsibility.

Computer Weekly notes that the act is also said to enhance Congress's oversight and the effectiveness of the Automated Indicator Sharing programme—a real-time data-sharing capability developed by the Department of Homeland Security.

 

Urgent timeline and global implications

The stakes for passing the WIMWIG Act are high given the September 30, 2025 deadline. Computer Weekly reports that cybersecurity experts are expressing concerns about even a brief lapse in the legislation. Breach counsel lawyers have indicated they would likely have to change the advice they give to companies when considering whether to contact the federal government if the act lapses.

The global implications extend beyond U.S. borders. According to Computer Weekly, if CISA 2015 were to lapse without continuity in place, the security sector could expect to see worldwide impacts. The timely threat information and updates coming from federal agencies such as CISA would begin to ease off, potentially affecting joint international advisories like the recent Salt Typhoon bulletin co-signed by the US and British authorities, along with counterparts across Europe and in Australia, Canada and New Zealand.

 

Bipartisan support and industry endorsement

The Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG) cleared committee unanimously, 25-0, demonstrating rare bipartisan consensus on cybersecurity policy. This unanimous support reflects the nature of cybersecurity information sharing and the recognition that effective cyber defense goes beyond politics.

Representative Andrew Garbarino, chairman of the House Homeland Security Committee, emphasized the urgency, stating that "failing to ensure the relevance and efficacy of one of the federal government's most foundational cyber security tools" would threaten both networks and homeland security, as reported by Computer Weekly.

Stakeholders from across industry sectors have reportedly endorsed this legislation, indicating broad private sector support for the proposed reforms in the WIMWIG Act. Computer Weekly reports that stakeholders have endorsed the legislation because it reportedly preserves essential privacy and liability protections from CISA 2015, clarifies the law's language to better address the evolving threat landscape, and ensures private-sector insight is properly captured. This industry backing is important for the success of any information sharing framework, as voluntary participation by private entities remains essential for the system's effectiveness, building on the foundation established by CISA 2015's voluntary framework protected under Section 108(i).

 

Continuity and change

The updated text reportedly keeps the core framework that encourages private-sector sharing of cyber threat indicators with the government and peers, ensuring that the proven elements of CISA 2015 remain intact. Computer Weekly notes that the WIMWIG Act is said to clarify some areas around liability protections that were left somewhat vague by CISA 2015, providing the broader interpretation that experts believe companies should have. This reportedly includes maintaining the fundamental liability protections established in Section 106, the antitrust exemptions from Section 104(e), and the voluntary participation principles from Section 108(i). This approach is expected to provide stability for organizations that have built their cybersecurity information sharing programs around the CISA 2015 framework while introducing necessary modernizations.

The WIMWIG Act's reported approach of preserving successful elements while introducing targeted reforms represents a legislative strategy that acknowledges both the successes of CISA 2015 and the evolving nature of cybersecurity threats.

 

FAQs

What industries are most affected by the WIMWIG Act?

Critical infrastructure sectors such as energy, healthcare, and telecommunications are expected to see the biggest impact.

 

How will small businesses be supported under the WIMWIG Act?

The Act emphasizes outreach and technical assistance for small and rural operators of critical infrastructure.

 

Does the WIMWIG Act change privacy safeguards from CISA 2015?

The legislation maintains CISA 2015’s privacy requirements but expands oversight to ensure stronger compliance.

 

How is artificial intelligence expected to be used in cybersecurity under the WIMWIG Act?

AI tools will be authorized to enhance real-time threat detection and data analysis across networks.
