defense · KrebsOnSecurity
A CISA contractor with administrative access intentionally published AWS GovCloud keys and plaintext credentials to dozens of internal CISA systems on a public GitHub account called "Private-CISA," according to KrebsOnSecurity reporting in May 2026. The contractor disabled GitHub's built-in protections against publishing sensitive credentials. The repository, created in November 2025, remained public until discovered. CISA acknowledged the leak but initially stated there was no indication sensitive data was compromised. However, security researchers identified exposed RSA private keys granting access to CISA's GitHub enterprise account and CI/CD pipelines, and noted that CISA took over a week to begin invalidating leaked credentials after being notified by GitGuardian.
This incident carries significant implications for organizations subject to CMMC, SOC2, and NIST 800-171 frameworks. Defense contractors handling CUI should review their own credential management practices and developer access controls, particularly around code repositories and CI/CD pipeline security. SaaS and software teams should assess whether they have adequate monitoring and automated controls to prevent secrets from being committed to repositories, and whether access revocation procedures can execute rapidly at scale. The incident underscores that administrative access should be paired with real-time detection and rapid secret rotation capabilities. An Omniware engagement can scope credential management maturity and remediation priorities specific to your industry and compliance posture.
Source: KrebsOnSecurity - https://krebsonsecurity.com/2026/05/lawmakers-demand-answers-as-cisa-tries-to-contain-data-leak/
Source: KrebsOnSecurity
All briefings