The agency’s own postmortem, published July 10, says the quiet part out loud: incident responders “had to spend time building” a playbook mid-crisis, after a contractor left admin keys to AWS GovCloud sitting exposed on GitHub. Lessons from CISA’s Cyber Incident reads like the agency grading its own homework, and the grade isn’t clean.

The repository, “Private-CISA,” sat public from November 13, 2025 until GitGuardian researcher Guillaume Valadon flagged it on May 14, 2026. The contractor didn’t answer him, so Valadon went to a reporter instead. The repo came down within 26 hours of direct notice, six months after it first went live.

That reporter, Brian Krebs, is the one who actually got CISA moving. The agency also admits its own intake channels for outside researchers “were not well defined,” a detail buried deeper in the report than the playbook gap but arguably worse: the agency that federal networks lean on to report vulnerabilities almost missed its own.

The old assumption in federal incident response was that you write the playbook once and pull it off the shelf when needed. This postmortem sets a different bar: build for scenarios you haven’t seen yet, because the agency setting cybersecurity standards for the rest of government just proved it hadn’t. CISA has run without a permanent director since January 2025 and has lost close to a third of its staff to budget cuts. No mission data was exposed, CISA says. The playbook gap still got fixed live, on the clock.

Worth auditing your own GitHub intake and secrets-scanning playbook this quarter, before you’re the one improvising.

Rebecca Lauren