The US federal cybersecurity agency, CISA (Cybersecurity and Infrastructure Security Agency), has revealed a significant lapse in its incident response preparedness. In a post-mortem report published last Friday, the agency admitted it did not possess a pre-prepared playbook to handle a cybersecurity incident that occurred in May of this year. This forced CISA staff to develop a response plan in real-time during the early stages of the breach.
The incident came to light after an investigative journalist notified CISA that a contractor had publicly exposed sensitive keys and credentials crucial for accessing US government systems. According to independent cybersecurity journalist Brian Krebs, a security researcher from GitGuardian initially discovered the exposed passwords in a publicly accessible GitHub repository, uploaded by a CISA contractor employee. The researcher attempted to alert the contractor without success, leading them to contact Krebs, who then informed CISA.
Upon being notified, CISA acted to take the repository offline and subsequently revoked and replaced all exposed credentials to prevent potential misuse. While the agency did not specify the exact duration of the delay caused by the absence of a playbook, it acknowledged that having to construct one during an active incident meant valuable time was lost. CISA stressed the importance of having playbooks ready for all anticipated needs to ensure swift and effective responses to security incidents.
The agency confirmed that no customer or mission-critical data was exposed as a result of the incident, and expressed gratitude to both the security researcher and the journalist for their intervention. CISA also admitted that its existing channels for security researchers to report potential incidents were not clearly defined. Since the breach, the agency has implemented changes aimed at making it easier and quicker for researchers to communicate with them.
This incident highlights broader challenges within CISA, which has been operating without a permanent director since President Donald Trump's second term began in January 2025. The agency has also reportedly faced significant workforce reductions, including cuts, furloughs, and layoffs affecting approximately a third of its staff since the start of the current presidential administration.