CISA Has Not Finalized Plans for Automated Cyber Threat Information Sharing Beyond Cybersecurity Act of 2015 Expiration

Title Full

Date Issued

Monday, September 29, 2025

Submitting OIG

Department of Homeland Security OIG

Agencies Reviewed/Investigated

Department of Homeland Security

Report Number

OIG-25-46

Report Description

The Cybersecurity and Infrastructure Security Agency (CISA) met requirements of the Cybersecurity Information Sharing Act of 2015. However, CISA has not finalized its plans for the continued use of Automated Indicator Sharing (AIS). Without finalizing this plan, CISA could be hindered in how it shares information on cyber threats, which would reduce its ability to protect the Nation’s critical infrastructure from cyber threats.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

External Entity

https://www.oig.dhs.gov/sites/default/files/assets/2025-09/OIG-25-46-Sep25.pdf

External Link

https://www.oig.dhs.gov/sites/default/files/assets/2025-09/OIG-25-46-Sep25.pdf

Open Recommendations

This report has 1 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
1	No	$0	$0
We recommend the Director of CISA evaluate Automated Indicator Sharing and its associated costs and benefits to determine whether to maintain the system’s information-sharing capabilities beyond September 30, 2025.