US Agency Lacked Incident Response Playbook During Hack
The US Cybersecurity and Infrastructure Security Agency (CISA) revealed in a postmortem report on Friday that it did not have a prepared response plan for handling a cybersecurity incident when one hit in May. CISA staff “had to spend time building [a playbook] during the early stages of the incident,” the agency said, recommending that organizations prepare playbooks for “all anticipated needs” rather than improvising in real time.
The Incident Unfolded as Follows:
- A security researcher at cyber firm GitGuardian discovered an employee of a CISA contractor had uploaded passwords, AWS GovCloud keys, and other sensitive credentials to a publicly accessible GitHub repository.
- The researcher attempted to alert the contractor but received no response.
- Cybersecurity journalist Brian Krebs subsequently contacted CISA, leading the agency to take the repository offline and revoke the exposed credentials.
CISA confirmed no customer or mission data was exposed and praised the researcher and reporter for their assistance. However, it acknowledged that its channels for allowing security researchers to report potential incidents “were not well defined” and has made improvements to these pathways. The agency did not mention any delays caused by the absence of a prepared playbook.
Notably, CISA is currently utilizing Anthropic’s Mythos AI to audit government code for vulnerabilities, making the lack of basic incident preparedness even more striking.
Irony Strikes Again:
The admission comes as CISA has been without a permanent director since January 2025, with cuts, furloughs, and layoffs affecting around a third of its workforce during that period.
With state-sponsored threat actors employing AI to identify zero-day vulnerabilities on an industrial scale, the front-line defense agency found itself crafting a response plan on the fly.
By: Ana Maria Constantin (Digital Marketing Expert, Product Manager, and Branding & Identity Specialist)