Incident & Breach Response
,
Security Operations
CISA Lauded for Fast Response, Transparency and Detailing Security Recommendations
Lock down public code repositories, monitor those repos for secrets, and if they get exposed, have a well-tested incident response playbook at the ready.
See Also: Converged SOC & NOC: How Agentic AI Is Transforming Security Operations
Those are among the “lessons from CISA’s cyber incident” learned and shared by the United States’ cybersecurity agency based on what worked and what needed improvement when its secrets ended up exposed in a public-facing GitHub repository.
As the U.S. Cybersecurity and Infrastructure Security Agency learned firsthand: “It is not a matter of ‘if,’ but ‘when’ a cybersecurity incident will happen to your organization.”
CISA’s “when” started Nov. 13, 2025, when a public GitHub repository named “Private-CISA” began exposing 844 megabytes of data, including some still valid “plaintext passwords, AWS tokens and Entra ID SAML certificates,” as well as documentation and personal files, secrets-scanning service GitGuardian said.
Researchers at the firm began attempting to notify CISA on May 14 and succeeded the next day.
Elapsed time between initial notification and mitigation: 26 hours. “Seeing the repository taken down so fast was a relief. Credit to CISA for moving fast – most of our disclosures take far longer, and some are never fixed,” said Guillaume Valadon, cybersecurity researcher at GitGuardian.
Two months later, CISA has publicly shared what it learned from the incident, warts and all, when Valadon lauded for its transparency, saying it’s “exactly the incident communication we should expect from every organization.”
In its “after-action report,” CISA said what worked well included taking seriously the researcher’s warning about the data exposure – and the importance of thanking them later, which it did. Also, having robust zero trust controls and logging enabled its security operations center to quickly trace the credential exposure to a single individual, who was a contractor, and confirmed that the “leaked credentials were not used outside of CISA’s environments.”
As part of its response, the agency temporarily took its development environment offline and reset all access credentials. It revoked access credentials issued to the individual who was responsible.
The agency’s digital forensic investigation found: “The individual had uploaded copies of a CISA build and deployment repository to their personal GitHub account for the purpose of creating cloud infrastructure autonomously. This repository included CISA’s Infrastructure As Code and build code.” In addition, “the individual copied both admin and build credentials into their public repository.”
The reporting process could have been smoother: GitGuardian said that by May 13, its automated secrets-finding system had already contacted the GitHub commit author nine times, warning about the information exposure.
On May 14 at 4:14 PM CET, researchers directly reported the data leak exposure to U.S. CERT Coordination Center’s portal. They also tapped their professional network to try and reach officials. By the morning of Friday, May 15, having only received an automated “message received” confirmation from CERT/CC and with the weekend fast approaching, they enlisted the help of investigative journalist Brian Krebs, leading to the agency speaking directly with the researchers at 16:00 CET that day.
Eight hours later, the leaky repository was offline. While CISA moved fast, Valadon said getting the report into the hands of leadership still took “an unnecessarily complicated path,” and urged all organizations to “make it trivial” to file security alerts.
Many major businesses and government agencies globally use security.txt, a standard that boils down to placing a text file on a website in an obvious location, that lists contact points for security researchers to report security flaws, and which is both human- and machine-readable. Free tools can help generate this file.
Coincidence or not, a joint advisory issued Wednesday by CISA and the National Security Agency, together with British, Dutch and Japanese cybersecurity agencies, calls on organizations to establish a coordinated vulnerability disclosure program with security researchers.
One of its central recommendations: “use a security.txt file to provide security researchers with clear instructions for reporting vulnerabilities,” which might involve email, web platforms or through an agency such as CISA.
Valadon said that while that’s a good first step, organizations should also go further: “put reporting instructions in several prominent places and make sure a report about your own infrastructure does not land in a product-bug queue.”
CISA has committed to simplifying the ability to report incidents to it and has added a security.txt file to its domain.
Other lessons learned by CISA included discovering that it had no security playbook for responding to a GitHub or other cloud data leak, and it needed to first create one as part of its response, adding time. The agency said it also discovered needing to tighten controls for how public code repositories can be used, and it has begun scanning its code repositories for any signs that secrets have crept in and recommended all organizations do the same.
The agency said it’s also in the process of consolidating development environments to enforce better security guardrails, as well as refining and testing its playbooks to facilitate faster credential changes ahead of the next emergency. “The complexity of CISA’s systems and interconnections with federal and industry partners caused CISA’s key rotation to take longer than anticipated. Drawing on this experience, CISA encourages others to maintain mature and well-tested key-management capabilities,” it said.
