CISA Built Incident Response Plan During Active Breach, Postmortem Reveals

CISA staff spent the early days building their response strategy from scratch
The federal cybersecurity agency lacked a prepared incident response plan when a contractor exposed government credentials in May.

In May, the United States government's own cybersecurity guardian — CISA, the agency charged with teaching the nation how to weather digital storms — was caught without an umbrella. A contractor's carelessly exposed credentials sat open on GitHub until a researcher and a journalist, not internal systems, sounded the alarm. The agency's subsequent admission that it had no incident response playbook is less a confession of one failure than a mirror held up to a universal human tendency: we prepare for the crises we imagine, rarely for the ones that actually arrive.

  • A security researcher discovered exposed government passwords sitting publicly on GitHub, uploaded by a CISA contractor — the digital equivalent of leaving a master key on a park bench.
  • Neither the contractor nor CISA's own reporting channels responded; it took journalist Brian Krebs calling the agency directly before anyone moved to pull the credentials offline.
  • CISA's postmortem revealed the agency had no incident response playbook, forcing staff to invent their crisis procedures in real time while the breach was still unfolding.
  • The irony is institutional and acute: the federal body that instructs others on breach preparedness was itself improvising, exposing a gap between the advice CISA gives and the readiness it kept.
  • No customer data or mission-critical information was confirmed stolen, and both the researcher and Krebs received public thanks — but the near-miss has forced a reckoning with how the agency receives outside warnings.
  • CISA has since clarified researcher notification channels and pledged to build anticipatory playbooks, reforms that are sensible but arrived only after public embarrassment made them unavoidable.

In May, a GitGuardian security researcher found something alarming in plain sight: passwords and access keys belonging to a CISA contractor, sitting openly in a public GitHub repository. The researcher tried to report it through normal channels and reached no one. It was only after independent journalist Brian Krebs called CISA directly that the repository came down and the credentials were revoked.

When CISA released its postmortem, the admission inside was striking. The agency had no prepared incident response playbook — no documented procedures for handling exactly the kind of breach it exists to help others prevent. Staff improvised their response strategy from scratch while the incident was still active.

The irony is difficult to overstate. CISA is the federal government's designated authority on critical infrastructure defense, the organization that publishes guidance telling other institutions how to prepare before a crisis, not during one. Its own postmortem now includes that very advice, delivered as institutional self-correction.

Fortunately, no customer data or mission-critical information appears to have been stolen. CISA publicly credited the researcher and Krebs with preventing a potentially far worse outcome. But the incident also revealed that the agency's channels for receiving vulnerability reports from outside researchers were poorly defined — unclear enough that the initial warning never reached anyone with authority to act.

Since May, CISA has moved to fix both problems. It has streamlined how researchers can report potential breaches, and it has committed to developing response playbooks before incidents occur rather than during them. The changes are sensible. They are also the kind of reforms that, in hindsight, required a public stumble and a journalist's phone call to finally put in place.

In May, a security researcher at GitGuardian stumbled onto something that should never have been visible to the world: a trove of passwords and access keys sitting in plain sight on GitHub, uploaded by someone working for a contractor to the Cybersecurity and Infrastructure Security Agency. The researcher tried to reach the contractor directly. No one answered. It took a call from independent journalist Brian Krebs to CISA itself before anyone moved to take the repository offline and revoke the exposed credentials.

When CISA released its postmortem report on Friday, the agency made an uncomfortable admission. It had no playbook. No prepared response plan. No documented procedures for what to do when a cybersecurity incident landed on its desk. Instead, according to the report, CISA staff spent the early days of the breach building their response strategy from scratch, improvising as they went.

The irony cuts deep. CISA is the federal government's designated defender of critical infrastructure and federal networks. It's the agency that tells other organizations how to prepare for breaches, how to respond quickly, how to minimize damage. Yet when its own contractor exposed sensitive keys and credentials used to access U.S. government systems, CISA itself was caught without a plan.

The agency did not disclose how much time the missing playbook cost them in response speed. A spokesperson declined to comment when asked about the delay. What CISA did say, in its postmortem, was that organizations should prepare response procedures for "all anticipated needs" before an incident occurs, not during one. The statement reads like institutional self-correction delivered with a straight face.

The exposure itself, fortunately, did not result in the theft of customer data or mission-critical information, CISA said. The researcher and Krebs, by alerting the agency, had prevented what could have been a far worse outcome. CISA thanked them both publicly. But the incident exposed something more systemic: the agency's own channels for receiving security reports from researchers were poorly defined. When the GitGuardian researcher tried to report the problem through normal channels, the path was unclear enough that the message never reached anyone who could act.

Since the May incident, CISA has made changes. The agency has clarified and streamlined how security researchers can notify it of potential breaches. It has committed to developing response playbooks in advance rather than during active incidents. These are the kinds of procedural fixes that sound obvious in hindsight but apparently required a public exposure and a journalist's intervention to implement.

The postmortem serves as a reminder that even the agencies tasked with defending the nation's digital infrastructure are vulnerable to the same gaps in preparation that plague private organizations. The difference is that when CISA stumbles, the stakes involve access to federal systems. The question now is whether the changes the agency has announced will be enough to prevent the next breach from catching it equally flat-footed.

CISA staff had to spend time building a playbook during the early stages of the incident
— CISA postmortem report
It is important to prepare playbooks for all anticipated needs to ensure organizations are ready to respond rather than scrambling to improvise
— CISA postmortem report
A Conversa do Hearth Outra perspectiva sobre a história
Inventor

So CISA had no playbook at all? Not even a draft?

Model

That's what the postmortem says. They had to build one while the incident was unfolding. It's like discovering your fire department has no evacuation procedures while the building is already burning.

Inventor

How did a contractor's passwords end up on GitHub in the first place?

Model

Someone working for a CISA contractor uploaded them to a public repository. The researcher who found them tried to contact the contractor directly, but got no response. It took a journalist calling CISA to actually get action.

Inventor

Did the exposed credentials actually get used to breach anything?

Model

CISA says no customer or mission data was compromised. But that's partly luck—the researcher and journalist moved fast enough to prevent worse damage.

Inventor

What does CISA say it's doing differently now?

Model

They've made their reporting channels clearer so researchers can actually reach them. And they're building response playbooks in advance instead of improvising during incidents. Basic stuff, really, but apparently it needed to happen.

Inventor

Is this embarrassing for an agency that tells everyone else how to do cybersecurity?

Model

Deeply. CISA's whole job is to help federal agencies and critical infrastructure prepare for breaches. Being caught without its own playbook undermines that credibility.

Quer a matéria completa? Leia o original em Yahoo ↗
Fale Conosco FAQ