CISA revealed it lacked an incident response playbook during a real breach
Original: US cybersecurity agency CISA had to build its incident playbook during the incident, agency reveals
Why This Matters
The lapse exposes critical preparedness gaps at the agency tasked with defending U.S. federal cyber infrastructure.
U.S. cybersecurity agency CISA admitted in a postmortem report released July 10, 2026, that it had no prepared incident response playbook when a contractor exposed sensitive government credentials on a public GitHub repository in May, forcing staff to build one in real time.
CISA, the Homeland Security unit responsible for defending federal networks and critical infrastructure, revealed in a postmortem report that its staff "had to spend time building [a playbook] during the early stages of the incident." The incident began when security researcher at GitGuardian discovered exposed passwords in a publicly accessible GitHub repository uploaded by an employee of a CISA contractor. After the contractor did not respond to the researcher's alerts, independent journalist Brian Krebs contacted CISA directly, prompting the agency to take the repository offline and revoke and replace all exposed credentials. CISA stated that no customer or mission data was compromised, and it thanked the researcher and reporter for their assistance. The agency acknowledged that its channels for security researcher notifications "were not well defined" and said it has since made changes to improve contact procedures. CISA did not disclose how long the missing playbook delayed its response. The agency has been without a permanent director since January 2025 and has lost approximately one-third of its workforce due to cuts, furloughs, and layoffs under the Trump administration.