CISA admits it had to build its incident response playbook during an active security breach

The Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged that staff were forced to build the agency’s incident response playbook during the early stages of an active security breach, according to a postmortem report released Friday.

The revelation came after a CISA contractor employee uploaded sensitive credentials, including AWS GovCloud passwords, to a publicly accessible GitHub repository. The leak was discovered by a security researcher at the cyber firm GitGuardian, who alerted the contractor directly and received no response. The researcher then contacted independent security journalist Brian Krebs, who escalated the issue to CISA.

CISA took the compromised repository offline, revoked and replaced all exposed credentials, and confirmed that no customer or mission data was compromised. But the agency’s own post-incident report acknowledged a critical organizational shortfall: “CISA’s staff had to spend time building [a playbook] during the early stages of the incident.”

The agency said it has since prepared playbooks for “all anticipated needs” to avoid scrambling in real time during future incidents. It did not disclose how much the missing playbook delayed the response.

Reporting gaps

CISA also acknowledged that its channels for allowing security researchers to notify the agency of potential incidents “were not well defined.” The discovery and escalation depended entirely on a third-party security firm and an independent journalist rather than a direct researcher reporting mechanism. CISA said it has made changes to streamline researcher reporting.

Organizational context

The incident and the subsequent admission come at a difficult time for the agency. CISA has been without a permanent director since President Trump’s second term began in January 2025. The agency has suffered cuts, furloughs, and layoffs affecting roughly one third of its workforce, according to a February 2026 Nextgov report.

The postmortem’s admission that one of the US government’s primary cyber defense agencies lacked a basic incident response playbook, and had to write one while the incident was underway, has drawn criticism from security researchers who say it reflects deeper structural problems at the agency.

Sources: US cybersecurity agency CISA had to build its incident playbook during the incident, agency reveals (TechCrunch, July 10, 2026)

Scroll to Top