Key facts
- CISA, the federal cybersecurity agency, lacked a prepared incident response playbook in May.
- Sensitive keys and credentials for accessing U.S. government systems were publicly exposed by a contractor's employee.
- The agency had to develop its playbook during the initial phase of the incident.
- No customer or mission data was compromised, according to CISA.
- CISA has since updated its procedures for security researchers to report potential incidents.
The U.S. federal cybersecurity agency CISA revealed that it did not have a prepared response plan for handling a cybersecurity incident in May. The agency had to develop its incident playbook during the early stages of the breach, which occurred after a contractor's employee publicly exposed sensitive keys and credentials for accessing U.S. government systems on GitHub.
Independent cybersecurity journalist Brian Krebs reported that a security researcher alerted him to the exposed passwords. After Krebs contacted CISA, the agency took the repository offline and revoked the compromised credentials. CISA stated that no customer or mission data was exposed and thanked the researcher and reporter for their assistance. The agency also acknowledged that its channels for security researchers to report potential incidents were not well-defined and has since made changes to improve these processes.
CISA has been operating without a permanent director since January 2025 and has experienced workforce reductions affecting approximately one-third of its staff since President Donald Trump took office.
