Skip to main content
CybersecurityIncident Response

CISA Bolsters Protections After Major Credential Leak

Cybersecurity team works in operations center with daylight and system dashboard.

"Sharing experiences from incident response activities help other organizations learn from such experiences and enables them to take necessary precautions to prevent similar incidents from happening in their environments," wrote Preston Werntz, acting chief information officer, and Brad Libbey, acting chief information security officer, in CISA’s forensic blog post.

How CISA discovered and halted the leak on May 15

On May 15, CISA learned that a contractor had leaked privileged Amazon AWS GovCloud Keys to a public GitHub repository. The agency’s immediate actions, as described in its forensic report, included taking the repository and the developer environment offline and revoking the access of the individual responsible for the leak. Those steps were followed by an analysis of the repository to determine the scope of exposed materials.

What the forensic analysis showed about damage and containment

CISA examined repository contents and log files to determine whether the leaked credentials had been used outside the agency. According to the report, log analysis showed none of the leaked credentials were used outside of CISA, and no customer or mission data was exposed. The agency credited taking the report seriously, having robust logging capabilities, and employing zero‑trust principles for aiding containment and investigation.

Operational changes CISA committed to after the incident

The blog post lays out several concrete operational changes CISA is implementing or planning:

  • Rotate all secrets — CISA reported that it rotated every secret after the incident and developed a plan to improve secrets management going forward.
  • Use endpoint detection and response (EDR) to monitor and manage uploads to public repositories — the agency resolved to apply EDR capabilities to the problem of accidental or intentional pushes of sensitive material to public code hosts.
  • Build incident playbooks in advance — CISA noted it had to create a GitHub‑related playbook during the incident and recognized the need to build playbooks for a range of incident types ahead of time.
  • Make it easier to report vulnerabilities related to CISA — the agency determined it would simplify reporting channels, acknowledging it is already adept at receiving vulnerability information that is less agency‑specific because of its hub role in national cyber risk communications.

Researcher reaction and the question of secrets scanning

Guillaume Valadon, a security researcher with GitGuardian who uncovered the leak, praised CISA’s evaluation in an email to CyberScoop. “I think that it is really good. CISA managed to explain what happened, what worked well and what needs to be improved,” he said. Valadon highlighted one particular takeaway: CISA’s public recognition of secrets scanning and the call to simplify relations with researchers. He said that recognition — advocating for secrets scanning and easing researcher interactions — is something his team has long discussed and that he was “proud to read that it is recognized by CISA.”

How security teams, policymakers, and researchers are likely to respond

  • Security teams and technologists: They will be watching CISA’s move to extend endpoint detection and response to monitor repository uploads and will note the agency’s decision to rotate all secrets and plan improved secrets management. Those are operational steps teams can map to their own controls.
  • Policymakers and regulators: The incident already “drew congressional scrutiny,” and CISA’s forensic report — including admissions about gaps and a set of remediation actions — provides specific items (secrets rotation, playbooks, reporting channels) that could inform oversight or guidance discussions.
  • Security researchers: Valadon’s reaction signals that at least some external researchers see CISA’s post as a positive step toward embracing secrets scanning and simplifying researcher‑agency interactions; researchers will likely look for clearer reporting mechanisms and public commitment to scanning tools or standards.

CISA framed its disclosure as a learning opportunity: “For years, CISA has said this type of information exchange is critical to identifying trends and contributing to broader national awareness. Now, it is our turn,” Werntz and Libbey wrote. The agency’s forensic report documents containment and remediation already completed, and lists specific operational changes it will adopt — secret rotation, EDR for repository monitoring, playbook development, and simplified reporting — leaving the public a clear ledger of what CISA identifies as next steps and inviting others to adopt similar practices.

Original report: https://cyberscoop.com/cisa-credential-leak-forensic-report/