U.S.

CISA admits it lacked a response plan for May cybersecurity incident

CISA said its staff had to build a response playbook mid-incident after a contractor exposed sensitive keys in a public GitHub repository.

Marcus Williams··1 min read
Published
Listen to this article0:00 min
CISA admits it lacked a response plan for May cybersecurity incident
Photo illustration

The repository, called Private-CISA, had been publicly accessible for months, from November 2025 until May 2026. It contained plaintext passwords, AWS GovCloud credentials, tokens and other internal files, and the exposed material was about 844 MB. GitGuardian researcher Guillaume Valadon found the repository, alerted Brian Krebs after the owner did not respond, and Krebs then contacted CISA. The repository was a personal repository owned by a contractor, not part of CISA's official GitHub presence. The development environment was taken offline, associated credentials were reset, and the individual who exposed the keys had their system access revoked. No customer or mission data was exposed. CISA had to build a response playbook during the early stages of the May cybersecurity incident.

Cyber incidents can affect national security, foreign relations, the economy, public confidence, civil liberties, health and safety. Federal playbooks give civilian agencies standard procedures to identify, coordinate, remediate, recover and track mitigations after incidents and vulnerabilities.

AI-generated illustration
AI-generated illustration

In a September 23, 2025 advisory on another incident response engagement, CISA found that a federal civilian executive branch agency had not promptly remediated vulnerabilities, had not tested or exercised its incident response plan, and had not continuously reviewed endpoint detection and response alerts. Threat actors had exploited CVE-2024-36401 in GeoServer about three weeks before the alerts, then moved laterally to two other servers.

CISA released an updated draft National Cyber Incident Response Plan in December 2024, the first update since 2016, after more than 150 experts from 66 organizations across government and industry helped develop it. The draft covered cyber incidents that could affect public health and safety, national security or economic security.

Its channels for researchers to report potential incidents were not well defined, and the agency has since changed those channels.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.

Did this article answer your question?

Discussion

More in U.S.