CISA, the U.S. cybersecurity agency, revealed it had no prepared response plan when a contractor exposed sensitive government credentials on GitHub in May. Staff had to build their incident playbook on the fly during the early stages of the breach.
Why CISA’s missing playbook matters
Think of a playbook like a fire drill: without one, teams waste critical time figuring out what to do while the problem grows. CISA, tasked with protecting federal networks, admitted this gap delayed its response to a leak of passwords and access keys for U.S. government systems.
The exposure was discovered by a GitGuardian researcher, who alerted journalist Brian Krebs after the contractor failed to respond. Only after Krebs contacted CISA did the agency take the GitHub repository offline and revoke the compromised credentials.
Lessons learned and next steps
CISA confirmed no mission-critical data was exposed but acknowledged its channels for reporting vulnerabilities were unclear. The agency has since streamlined how security researchers can flag incidents. However, CISA remains without a permanent director and has faced workforce cuts since early 2025.
The incident underscores a broader challenge: even top cybersecurity agencies can be caught off guard. For now, CISA is urging organizations to pre-build playbooks for all anticipated needs—so they’re not scrambling when the next breach hits.