FBI lawyers outline legal safeguards for private‑to‑government cyber threat sharing as CISA 2015 faces lapse

February 18, 2026 | Federal Bureau of Investigation (FBI), Department of Justice (DOJ), Executive, Federal


This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting.

Kristen Grimes, chief of the FBI’s cyber law unit, said the Cybersecurity Information Sharing Act of 2015 (CISA 2015) provides a suite of legal protections that incentivize near‑real‑time sharing of cyber threat indicators between industry and the federal government.

"CISA 2015 . . . allows for the sharing of cyber threat information between and among the private sector and the government," Grimes said, adding that the statute defines covered data as "cyber threat indicators and defensive measures" and requires removal of personally identifiable information before sharing.

Why it matters: Brett Leatherman, assistant director of the FBI Cyber Division, said rapid sharing of indicators in incidents such as Salt Typhoon was critical to containment and attribution. The protections Grimes listed — exemptions for attorney‑client privilege, trade secrets, antitrust liability relief, FOIA exemptions and limits on regulatory use — reduce legal risk that might otherwise deter companies from sharing timely data.

Grimes cautioned that even if CISA 2015 were to lapse, other statutory and policy tools still protect companies that engage with the FBI. "We don't share with regulators for regulatory purposes," she said, describing an FBI practice of directing regulators to seek information from victims or their counsel rather than using industry disclosures the FBI received for regulatory action. She also cited FOIA exemptions and trade‑secret treatment the bureau can assert to protect shared information.

What companies can do: Both Grimes and Leatherman encouraged organizations to talk to FBI legal teams and field offices before incidents occur. "Come and talk with us," Grimes said, noting the cyber law unit’s outreach to CISOs and legal counsel.

The takeaway: CISA 2015 formalizes protections that reduce private‑sector legal exposure when sharing cyber threat indicators. But the FBI emphasizes additional legal and procedural safeguards — and early, voluntary engagement with FBI teams — as ways to preserve confidentiality even if the statute is not in force.

Next steps: Grimes recommended pre‑incident conversations between companies' CISOs and legal teams and FBI field offices. Leatherman pointed listeners to fbi.gov/wintershield for operational mitigations the FBI is promoting during its current campaign.
