Facebook
Britain's News Portal
Around The Clock
BREAKING
Loading latest headlines…

US Cyber Agency Built Incident Playbook During Live Breach, Report Reveals

The US federal cybersecurity agency CISA admitted it lacked a prepared response plan during a May security incident, forcing staff to improvise a playbook in real-time. This oversight led to delays in addressing the exposure of sensitive government system credentials.

  • CISA had no pre-existing incident response plan for a May 2026 cybersecurity breach.
  • Staff had to create a response playbook during the live incident, causing delays.
  • Sensitive keys and credentials for US government systems were exposed by a contractor.
  • A security researcher and journalist alerted CISA after the contractor failed to respond.
  • The agency has since improved its channels for researchers to report vulnerabilities.

The US federal cybersecurity agency, CISA (Cybersecurity and Infrastructure Security Agency), has revealed a significant lapse in its incident response preparedness. In a post-mortem report published last Friday, the agency admitted it did not possess a pre-prepared playbook to handle a cybersecurity incident that occurred in May of this year. This forced CISA staff to develop a response plan in real-time during the early stages of the breach.

The incident came to light after an investigative journalist notified CISA that a contractor had publicly exposed sensitive keys and credentials crucial for accessing US government systems. According to independent cybersecurity journalist Brian Krebs, a security researcher from GitGuardian initially discovered the exposed passwords in a publicly accessible GitHub repository, uploaded by a CISA contractor employee. The researcher attempted to alert the contractor without success, leading them to contact Krebs, who then informed CISA.

Upon being notified, CISA acted to take the repository offline and subsequently revoked and replaced all exposed credentials to prevent potential misuse. While the agency did not specify the exact duration of the delay caused by the absence of a playbook, it acknowledged that having to construct one during an active incident meant valuable time was lost. CISA stressed the importance of having playbooks ready for all anticipated needs to ensure swift and effective responses to security incidents.

The agency confirmed that no customer or mission-critical data was exposed as a result of the incident, and expressed gratitude to both the security researcher and the journalist for their intervention. CISA also admitted that its existing channels for security researchers to report potential incidents were not clearly defined. Since the breach, the agency has implemented changes aimed at making it easier and quicker for researchers to communicate with them.

This incident highlights broader challenges within CISA, which has been operating without a permanent director since President Donald Trump's second term began in January 2025. The agency has also reportedly faced significant workforce reductions, including cuts, furloughs, and layoffs affecting approximately a third of its staff since the start of the current presidential administration.

Why this matters: This incident underscores the critical importance of robust cybersecurity preparedness, not just for government agencies but for all organisations. Failures in incident response can lead to significant data breaches, reputational damage, and operational disruption.

What this means for you: What this means for you: This incident serves as a stark reminder for UK businesses and consumers about the pervasive threat of cyberattacks. It highlights the need for organisations to have clear, tested incident response plans, and for individuals to be vigilant about their online security, as supply chain vulnerabilities can impact anyone.

Related Articles

Get the news that matters.

Join thousands of readers getting the best of British news straight to their inbox.