Lessons from CISA’s Cyber Incident | CISA
Skip to main content
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue
Share:
Blog
Lessons from CISA’s Cyber Incident
Released<br>July 09, 2026
By Preston Werntz, Acting Chief Information Officer; Brad Libbey, Acting Chief Information Security Officer
Related topics:
Cybersecurity Best Practices<br>Cyber Threats and Response
Sharing experiences from incident response activities help other organizations learn from such experiences and enables them to take necessary precautions to prevent similar incidents from happening in their environments. For years, CISA has said this type of information exchange is critical to identifying trends and contributing to broader national awareness. Now, it is our turn.<br>On Friday, May 15, CISA began an internal incident response when an investigative reporter inquired about internal CISA Amazon AWS GovCloud Keys and other information being made available in a public repository. The reporter received this information from a security researcher whose company continuously scans public code repositories.<br>Incident Response<br>Within moments of receiving this information, CISA’s Office of the Chief Information Officer (OCIO) took swift and comprehensive action to mitigate any exposure to CISA’s cloud resources and code repositories.<br>Stop the Bleeding. CISA immediately and quickly worked to eliminate public exposure and prevent any further harm.<br>The reported public repository was taken offline and a copy was saved for later analysis. This repository was not part of CISA’s official GitHub but rather was a personal repository owned by a contractor.<br>CISA’s development environment was taken offline and associated credentials were reset.<br>The individual who exposed the keys had their system access revoked.<br>Understand Scope. By analyzing the copy of the public repository and associated cybersecurity telemetry, CISA found that:<br>The individual had uploaded copies of a CISA build and deployment repository to their personal GitHub account for the purpose of creating cloud infrastructure autonomously. This repository included CISA’s Infrastructure As Code and build code.<br>Additionally, the individual copied both admin and build credentials into their public repository.<br>Assess Impact. During the forensic investigation, CISA analysis of the log files determined that:<br>Leaked credentials were not used outside of CISA ‘s environments.<br>No customer or mission data was exposed.<br>Corrective Actions. CISA swiftly implemented appropriate measures:<br>All credentials across all the environments where the individual was an administrator were rotated, not just the exposed credentials.<br>CISA tuned the allow and deny lists for its code repositories.<br>CISA limited user ability to upload to public code repositories.<br>After completion of these actions, CISA’s development environment was brought back online.<br>Reflection<br>Following an incident, it is important to conduct a “hot wash” and prepare an after-action report to reinforce effective practices and identify areas for growth.<br>What Worked Well<br>Take External Reporting Seriously. It is important to take cybersecurity tips and external reporting seriously. In this instance, a security researcher, through an investigative reporter, notified CISA and continued to share information with the agency throughout the incident. We are thankful for their collaboration.<br>Adopt Zero Trust Principles. This incident highlighted the effectiveness of applying granular Zero Trust principles to not only production systems but to development environments as well. Maintaining strong visibility and alerting across all environments was key to CISA’s successful incident response and for detecting any future unusual activity early.<br>Enhance Logging Capabilities. CISA’s SOC had the logs necessary to successfully investigate the incident. Furthermore, continuous improvement of logging capabilities remains a key element of a strong security program. To that end, CISA strategically identified further logging opportunities while conducting the incident response and has since implemented those additions to enhance visibility.<br>What Can Be Strengthened<br>Tighten Controls on Public Repositories. CISA users had the ability to upload to public repositories. Following review of our Zero Trust tooling, CISA determined the best way to monitor and manage uploads was to leverage our endpoint detection and response (EDR) solution. This approach enables CISA developers to pull code from public repositories while reducing the risk of uploading intellectual property or sensitive content to public repositories.<br>Monitor for...