Security/ security · government · cisa · incident-response

CISA Had No Incident Playbook When It Got Hacked

The agency that tells organizations how to respond to breaches was writing its own response plan in real time during a May security incident.

CISA got hacked in May and improvised its response as the attack unfolded.

The US Cybersecurity and Infrastructure Security Agency disclosed in a postmortem report that it had no prepared incident response plan when a security incident struck in May. Staff had to build a playbook during the early stages of the breach itself, the agency acknowledged. CISA released the findings on a Friday — a classic timing choice for news an organization would prefer fewer people read. The incident involved a GitHub credential leak, according to the report.

The irony here is hard to overstate. CISA's core mission is advising federal agencies and private organizations on exactly this kind of preparedness. The agency publishes guidance, issues alerts, and runs exercises designed to help others avoid the precise failure it just admitted to itself. When the defender-in-chief is winging it during an active incident, it raises fair questions about whether its advice has always been practice-what-you-preach material.

This is not the first time CISA has faced scrutiny over its own security posture — in 2024, attackers breached two of its systems via a vulnerability in Ivanti software. Two incidents in two years at the agency charged with keeping federal networks clean is a pattern, not a fluke.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →