CISA, the federal agency tasked with writing breach-disclosure rules that, per CISA’s NPRM analysis, will soon bind more than 300,000 critical-infrastructure operators, had its own cloud credentials exposed for months after a contractor published AWS GovCloud administrative keys and plaintext passwords to a public GitHub repository. The agency that plans to enforce 72-hour incident reporting under CIRCIA struggled to contain the breach and invalidate the leaked credentials, according to KrebsOnSecurity.
What was in Private-CISA
In November 2025, a CISA contractor created a public GitHub repository named “Private-CISA.” The repo contained AWS GovCloud administrative keys, plaintext passwords stored in a CSV file, authentication tokens, and internal build and deployment documentation, according to KrebsOnSecurity. Gizmodo quoted a researcher calling it “the worst leak that I’ve witnessed.”
The contractor, employed by Nightwing according to Gizmodo’s reporting, disabled GitHub’s push protection, the secret-scanning feature that rejects a push containing a detected credential before it ever reaches a public repository. Commit logs reviewed by outside experts confirmed the protection was deliberately turned off, so the keys were not published by accident of tooling; a control that would have stopped them was switched off first.
The repository included credentials granting access to multiple internal CISA systems at high privilege levels.
Discovery and containment timeline
GitGuardian detected the public repository and notified CISA. As of May 23, 2026, CISA was still working to contain the breach and invalidate the leaked credentials, KrebsOnSecurity reported. The gap between detection and complete credential rotation is the critical detail: any party that cloned the repo during the exposure window had the material to reach CISA’s build and deploy infrastructure at high privilege, and every day a key stays valid after exposure extends that window.
CISA’s public statement, issued after KrebsOnSecurity’s story broke on May 18, 2026, read: “Currently, there is no indication that any sensitive data was compromised as a result of this incident.” The agency has not disclosed the duration of exposure, when internal notification occurred, or whether it has completed a full access audit of the affected accounts.
Congressional reaction and the staffing context
Sen. Maggie Hassan (D-NH) sent a letter to Acting Director Nick Andersen on May 19, 2026, demanding answers to a dozen questions about the leak’s scope, notification timeline, and remediation. Rep. Bennie Thompson (D-MS) and Rep. Delia Ramirez (D-IL) sent a separate letter the same day, citing concerns about “diminished security culture” at the agency.
The staffing backdrop matters. CISA has lost more than one-third of its staff and nearly all senior leaders since January 2025 due to forced retirements, buyouts, and resignations, according to KrebsOnSecurity. A DHS funding lapse in early 2026 disrupted operations including planned CIRCIA stakeholder town halls, per Bright Defense’s analysis. The agency responsible for setting the security standard for federal civilian networks has been operating with a depleted workforce for most of the period the repository sat public.
CIRCIA’s proposed standard vs. CISA’s own response
CISA’s proposed CIRCIA rule would require covered entities to report substantial cyber incidents within 72 hours and ransom payments within 24 hours. The rule would cover more than 300,000 entities across 16 critical infrastructure sectors, by CISA’s estimate. The May 2026 final rule target is at risk; Fisher Phillips notes that “recent federal appropriations disruptions could alter that timeline,” and CISA’s own page shows stakeholder town halls postponed with dates listed as TBD.
Map CISA’s own incident response against the standard it intends to enforce. A contractor created a public repository containing high-privilege cloud credentials in November 2025. CISA has not disclosed when it was notified or when it reported internally, and as of late May, KrebsOnSecurity reported the agency was still working to invalidate the exposed credentials. The 72-hour clock is a reporting deadline, not a remediation deadline, but the comparison still bites: a covered entity on this timeline would have had to file its CIRCIA report days before it finished rotating keys, describing an incident it had not yet contained, and it would have to be able to show when its clock started. CISA has so far shown neither.
The credibility gap and enforcement implications
Enforcement depends on credibility. When the agency writing breach-reporting rules cannot show that it met the disclosure timeline it proposes for everyone else, two things follow. Covered entities under CIRCIA can be expected to cite the Private-CISA episode in any enforcement action where they argue their response was reasonable under the circumstances. And the federal government’s own cybersecurity agency cannot point to its own timely, complete incident handling, which weakens the authority behind any enforcement action.
CISA’s statement that it has “no indication” of data compromise, issued without a disclosed audit scope or methodology, is precisely the kind of response CIRCIA would require covered entities to improve upon.
What security teams should take from this
For organizations building CIRCIA compliance workflows, the Private-CISA episode illustrates three concrete problems with breach disclosure that no policy framework fully solves.
Credential rotation takes longer than disclosure windows allow. CISA had high-privilege cloud credentials exposed and struggled to invalidate them, even with full control of the affected infrastructure and no evidence of active exploitation, per KrebsOnSecurity. Organizations with more complex environments, shared services, and cross-account trust relationships should expect key rotation to take longer than any reporting window allows. Build the rotation process first; the reporting template is the easy part.
External detection is the norm, not the exception. An external party, not CISA’s own monitoring, detected the exposed repository. CIRCIA reporting starts the clock when a covered entity “reasonably believes” an incident has occurred. For many organizations, that clock starts when someone outside the organization tells them about it.
Public statements without disclosed evidence are insufficient. CISA’s “no indication of compromise” line is technically defensible but substantively empty without an accompanying audit scope and methodology. CIRCIA-covered entities will need to provide more than an assertion of non-impact. Build the audit trail alongside the incident response, not after it.
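Push protection, the control the contractor switched off, and the in-house monitoring that CISA evidently lacked both come down to the same mechanism: scan content for credential shapes before (or shortly after) it leaves your control. The block below is an added example of that check, written for this article; it is not CISA’s, Nightwing’s, or GitHub’s code, and the patterns are deliberately simplified (a real scanner validates far more formats and checksums). The sample files, including the CSV of plaintext passwords and the PEM key, are constructed for the example; the AWS key pair is the placeholder pair from AWS’s own documentation, not a live credential.

```python
"""Minimal pre-push secret scanner (added example, not code from the page).

Given a set of files about to be pushed, flag the credential shapes that were
present in Private-CISA: AWS access keys, a secret key beside them, a PEM
private key, a GitHub token, and a CSV with a plaintext password column.
"""
import csv
import io
import re
from dataclasses import dataclass

# Simplified patterns (assumption: real scanners cover many more formats).
TEXT_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")),
    ("aws-secret-access-key", re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    ("github-token", re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b")),
    ("private-key-pem", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
PASSWORD_HEADERS = {"password", "passwd", "pwd", "secret"}


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    evidence: str  # redacted so the scanner's own output is not a second leak


def redact(value: str) -> str:
    """Keep only the edges of a secret so a finding can be matched to its source."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Run the regex patterns line by line over any text file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TEXT_PATTERNS:
            for match in pattern.finditer(line):
                captured = match.group(match.lastindex or 0)
                findings.append(Finding(path, lineno, kind, redact(captured)))
    return findings


def scan_csv_passwords(path: str, text: str) -> list[Finding]:
    """Flag every non-empty cell under a password-like header (line 1 is the header)."""
    reader = csv.DictReader(io.StringIO(text))
    if not reader.fieldnames:
        return []
    columns = [c for c in reader.fieldnames if c and c.strip().lower() in PASSWORD_HEADERS]
    findings = []
    for rownum, row in enumerate(reader, start=2):
        for column in columns:
            if row.get(column):
                findings.append(Finding(path, rownum, "plaintext-password-column", redact(row[column])))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, as a pre-receive hook would see a push."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
        if path.lower().endswith(".csv"):
            findings.extend(scan_csv_passwords(path, text))
    return findings


def push_allowed(files: dict[str, str]) -> bool:
    """Push-protection decision: any finding blocks the push."""
    return not scan_files(files)


# Constructed sample push. The AWS pair is the AWS documentation placeholder.
SAMPLE_FILES = {
    "README.md": "Private-CISA build notes\n\nSee deploy.env for environment setup.\n",
    "deploy.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "AWS_DEFAULT_REGION=us-gov-west-1\n"
    ),
    "creds.csv": "system,username,password\nartifactory,svc-build,Hunter2-not-a-real-password\n",
    "deploy_key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA-constructed-not-a-real-key\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    ".github/workflows/ci.yml": "env:\n  GITHUB_TOKEN: ghp_0123456789abcdefABCDEF0123456789abcd\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} ({f.evidence})")
    print("push allowed:", push_allowed(SAMPLE_FILES))
```

Run against the sample push, the scanner reports five findings across four files and refuses the push; the README alone passes. The point of the redaction helper is easy to overlook: a scanner that echoes the full secret into CI logs or a ticket has just created a second copy that also needs rotating.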
Frequently Asked Questions
What specific credential remained unrotated more than a week after CISA was notified?
An RSA private key for a GitHub App installed on the CISA-IT organization, with full control over all code repositories, including private repos, CI/CD pipelines, and admin settings. More than a week after GitGuardian notified CISA, this key was still active. A GitHub App private key mints its own short-lived installation tokens on demand, so anyone who cloned the repo could have retained access to CISA’s entire code infrastructure even after the other leaked credentials were rotated; only revoking the key itself closes that path.
How would CIRCIA be enforced against organizations that miss the 72-hour window?
CIRCIA enforcement runs through requests for information, subpoenas, and DOJ referral. False statements in CIRCIA reports carry up to 5 years of imprisonment, or 8 years if the incident is terrorism-related. Covered entities that cannot demonstrate a good-faith effort to meet the clock face a different regulatory posture than those that simply fail to report.
How many entities fall under CIRCIA and when does the final rule take effect?
CISA’s NPRM estimates 316,244 entities across 16 critical infrastructure sectors. The May 2026 final-rule target has slipped with no confirmed replacement date. CISA postponed stakeholder town halls due to the DHS appropriations lapse, and until the final rule publishes, covered entities have no binding compliance deadline.
What internal systems did the exposed credentials actually authenticate to?
Philippe Caturegli of Seralys confirmed the credentials authenticated to three AWS GovCloud accounts, including CISA’s ‘Landing Zone DevSecOps’ environment and an internal code artifact repository. This is the agency’s build and deployment pipeline, not a sandbox or test environment, which is why GitGuardian assessed it as the worst leak its researchers had witnessed.