CISA Built Its Incident Playbook Mid-Crisis, Agency Reveals

▼ Summary
– In May, CISA lacked a prepared response plan after a contractor exposed sensitive U.S. government system credentials in a public GitHub repository.
– CISA’s postmortem report stated staff had to build a playbook during the incident, emphasizing the need for pre-prepared response plans.
– Security journalist Brian Krebs reported the exposure after a GitGuardian researcher failed to get a response from the contractor.
– CISA only took the repository offline and replaced credentials after Krebs contacted the agency directly.
– CISA acknowledged its researcher notification channels were poorly defined and has since made changes to improve them.
In May, the U.S. federal cybersecurity agency CISA admitted it lacked a pre-existing incident response plan when an investigative journalist notified the agency that a contractor had accidentally exposed sensitive credentials for accessing government systems online. The revelation came through a postmortem report released Friday, detailing how staff were forced to build a response playbook mid-crisis rather than deploying a ready-made one.
CISA, a division of the Department of Homeland Security responsible for defending federal networks and securing critical infrastructure, acknowledged in the report that its team “had to spend time building [a playbook] during the early stages of the incident.” The agency emphasized the need to prepare playbooks for “all anticipated needs” so organizations can respond swiftly to security incidents instead of improvising under pressure. It remains unclear how much the missing playbook delayed CISA’s response, and a spokesperson did not respond to TechCrunch’s request for comment.
The incident began when independent cybersecurity journalist Brian Krebs reported in May that a security researcher from the firm GitGuardian had discovered a trove of exposed passwords stored in a publicly accessible GitHub repository. The repository had been uploaded by an employee of a CISA contractor. According to Krebs, the researcher attempted to notify the contractor but received no response. Only after Krebs contacted CISA directly did the agency act, taking the repository offline and revoking and replacing all exposed credentials to prevent potential abuse.
CISA confirmed that no customer or mission data was compromised during the incident and thanked both the researcher and the reporter for their assistance. The agency noted that its channels for security researchers to report potential incidents “were not well defined,” and it has since implemented changes to streamline and accelerate researcher communications.
This incident comes amid broader challenges for CISA, which has operated without a permanent director since the start of President Donald Trump’s second term in January 2025. The agency has also faced significant workforce reductions, including cuts, furloughs, and layoffs affecting roughly a third of its staff since Trump took office.
(Source: TechCrunch)




