TL;DR
CISA admitted it had no prepared playbook for a cybersecurity incident. A contractor leaked government credentials on GitHub. A journalist had to alert the agency.
CISA's postmortem reveals staff had to build a response plan in real time after a contractor exposed AWS keys and passwords on a public GitHub repository.
CISA admitted it had no prepared playbook for a cybersecurity incident. A contractor leaked government credentials on GitHub. A journalist had to alert the agency.
The US Cybersecurity and Infrastructure Security Agency revealed in a postmortem report on Friday that it did not have a prepared response plan for handling a cybersecurity incident when one hit in May. CISA staff “had to spend time building [a playbook] during the early stages of the incident,” the agency said, recommending that organisations prepare playbooks for “all anticipated needs” rather than improvising in real time.
The incident began when a security researcher at cyber firm GitGuardian discovered that an employee of a CISA contractor had uploaded passwords, AWS GovCloud keys, and other sensitive credentials to a publicly accessible GitHub repository. The researcher tried to alert the contractor but received no response. Only after cybersecurity journalist Brian Krebs contacted CISA did the agency take the repository offline and revoke the exposed credentials.
CISA said no customer or mission data was exposed and thanked the researcher and reporter for their help. The agency acknowledged that its channels for allowing security researchers to report potential incidents “were not well defined” and has made changes to improve contact pathways. It did not say how long the missing playbook delayed its response. CISA is simultaneously using Anthropic’s Mythos AI to audit government code for vulnerabilities, making the admission that it lacked basic incident preparedness for its own security all the more striking.
The agency has been without a permanent director since the start of Trump’s second term in January 2025. Cuts, furloughs, and layoffs have affected about a third of its workforce since then. The irony is hard to miss: the federal agency tasked with defending government networks and advising critical infrastructure on cybersecurity preparedness did not have the incident response document it tells every other organisation to maintain. State-sponsored threat actors are deploying AI to find zero-day vulnerabilities at industrial scale, and the agency on the front line of that defence was building its response plan on the fly.
Get the most important tech news in your inbox each week.