CISA got hacked in May and improvised its response as the attack unfolded.
The US Cybersecurity and Infrastructure Security Agency disclosed in a postmortem report that it had no prepared incident response plan when a security incident struck in May. Staff had to build a playbook during the early stages of the breach itself, the agency acknowledged. CISA released the findings on a Friday — a classic timing choice for news an organization would prefer fewer people read. The incident involved a GitHub credential leak, according to the report.
The irony here is hard to overstate. CISA's core mission is advising federal agencies and private organizations on exactly this kind of preparedness. The agency publishes guidance, issues alerts, and runs exercises designed to help others avoid the precise failure it just admitted to itself. When the defender-in-chief is winging it during an active incident, it raises fair questions about whether its advice has always been practice-what-you-preach material.
This is not the first time CISA has faced scrutiny over its own security posture — in 2024, attackers breached two of its systems via a vulnerability in Ivanti software. Two incidents in two years at the agency charged with keeping federal networks clean is a pattern, not a fluke.