CISA’s Public GitHub Leak: What the Incident Reveals About Federal Secret‑Management Obligations

Regulation Reporter

The Cybersecurity and Infrastructure Security Agency (CISA) exposed dozens of passwords, keys and tokens in a publicly accessible GitHub repository for six months. The breach triggers compliance requirements under the Federal Information Security Modernization Act (FISMA), NIST SP 800‑53, and the upcoming Executive Order on Secure Software Development, demanding immediate remediation, enhanced secret‑management controls, and reporting to OMB.

CISA’s Public GitHub Leak: Compliance Implications and Required Actions

On May 14, 2026, security researcher Guillaume Valadon discovered that CISA’s private GitHub account hosted a repository named “Private‑CISA” that was inadvertently public. The repo contained plain‑text passwords, private keys, tokens and configuration files with names such as external-secret-repo-creds.yaml and AWS-Workspace-Firefox-Passwords.csv. The repository remained exposed for roughly six months before CISA removed it on May 15, 2026.

1. Regulatory Action Triggered

| Regulation | Effective Date | What the Incident Violates | Required Response |
|---|---|---|---|
| Federal Information Security Modernization Act (FISMA) – 2023 amendment | 30 Nov 2023 | Failure to protect “information system” assets and to implement adequate insider‑threat controls. | Immediate incident reporting to OMB, risk assessment, and corrective action plan within 30 days. |
| NIST SP 800‑53 Rev. 5 – AC‑20 (Use of External Information Systems) | 15 Jun 2022 | Storing secrets in a public code repository constitutes an “uncontrolled external system”. | Enforce multi‑factor authentication, restrict external repository creation, and conduct quarterly audits. |
| NIST SP 800‑171 / CMMC Level 3 (for federal contractors) | 30 Sep 2022 | Contractor‑owned GitHub account used for federal data without required security controls. | Require contractors to adopt FedRAMP‑authorized CI/CD pipelines and encrypt all secrets at rest. |
| Executive Order 14176 – Secure Software Development (2024) | 1 Jan 2024 | Absence of automated secret‑scanning, together with a documented “how‑to‑disable‑secret‑scanning” guide in the repository. | Deploy automated secret‑scanning (GitHub Advanced Security or open‑source equivalents) and enforce a policy under which secret scanning may not be disabled, nor instructions for disabling it documented. |
| OMB Memorandum M‑22‑09 – Cloud‑First Policy | 1 Oct 2022 | Exposure of cloud‑provider credentials (AWS, Azure, JFrog Artifactory) violates cloud‑access governance. | Rotate all exposed keys, implement short‑lived credentials, and enable Cloud Access Security Broker (CASB) monitoring. |

2. What the Leak Requires CISA to Do

  1. Immediate Containment and Credential Rotation
    • Rotate every AWS access key, Azure service principal, JFrog token, and GitHub personal access token listed in the repo.
    • Re‑issue all TLS certificates and SAML signing keys stored in the ENTRA ID - SAML Certificates/ directory.
  2. Formal Incident Reporting
    • File a FISMA breach report to the Office of Management and Budget (OMB) within 72 hours of discovery, as required by OMB Circular A‑130.
    • Submit a Cyber Incident Report (CIR) to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Incident Response Team, referencing the exact files and timestamps.
  3. Root‑Cause Analysis and Remediation Plan
    • Conduct a NIST‑aligned risk assessment (RMF Step 4 – Assess) to identify why the repository was public and why secret‑scanning was disabled.
    • Produce a Corrective Action Plan (CAP) that includes:
      • Enforcing organization‑wide GitHub policies that block creation of public repos for any federal account.
      • Deploying automated secret‑scanning tools (e.g., GitHub Advanced Security, TruffleHog) across all code bases.
      • Implementing a secrets‑management solution such as HashiCorp Vault or AWS Secrets Manager for all production credentials.
  4. Policy and Training Updates
    • Update the agency’s Secure Software Development Lifecycle (SDLC) policy to require that all code commits be scanned for secrets before merge.
    • Deliver mandatory training for all contractors and staff on secret handling, emphasizing that personal GitHub accounts may not be used for federal code.
  5. Third‑Party Oversight
    • Verify that any contractors who contributed to the repository are compliant with CMMC Level 3 requirements.
    • Require contractors to sign an updated Data Protection Addendum that includes breach‑notification timelines consistent with the Federal Information Security Modernization Act.
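The pre‑merge secret‑scanning control called for in items 3 and 4 above, as an added illustration (example code written for this article, not CISA’s tooling and not GitHub Advanced Security or TruffleHog): a small gate that refuses a commit when file contents or paths look like the material described in the incident. The detectors for AWS key IDs, GitHub tokens and PEM headers follow their public formats; the file‑name heuristics and every sample path and value are constructed for the demo.

```python
"""Pre-merge secret gate (example code): block commits carrying credential-looking content or file names."""
import re
from typing import Dict, List, Tuple

# Content detectors. AKIA key IDs, ghp_ tokens and PEM headers are public, documented
# formats; the password-field check is a plain heuristic, not a vendor rule.
CONTENT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "plaintext_password_field": re.compile(r"(?i)^\s*(password|passwd|secret)\s*[:=]\s*\S+"),
}
# File-name heuristics modelled on the article's examples (a *-creds.yaml, a
# *-Passwords.csv, a committed Backup-.../ tree). Assumed here, not CISA policy.
FILENAME_PATTERN = re.compile(r"(?i)(creds|credential|password|secret|\.pem$|\.key$)")
BACKUP_DIR_PATTERN = re.compile(r"(?i)(^|/)backup[-_]")


def scan_file(path: str, content: str) -> List[Tuple[str, int]]:
    """Return (detector, line) hits for one file; line 0 means the path itself."""
    findings: List[Tuple[str, int]] = []
    if FILENAME_PATTERN.search(path):
        findings.append(("suspicious_filename", 0))
    if BACKUP_DIR_PATTERN.search(path):
        findings.append(("backup_directory_committed", 0))
    for lineno, line in enumerate(content.splitlines(), start=1):
        for name, pattern in CONTENT_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno))
    return findings


def scan_commit(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    """Map each offending path to its findings; an empty dict means the commit is clean."""
    return {path: hits for path, text in files.items() if (hits := scan_file(path, text))}


def merge_allowed(files: Dict[str, str]) -> bool:
    # The decision a CI job or pre-receive hook would enforce before merge.
    return not scan_commit(files)


# Constructed sample commit: every value below is made up for the demo.
SAMPLE_COMMIT = {
    "external-secret-repo-creds.yaml": "repo: https://example.invalid/x\npassword: Sup3rS3cret!\n",
    "infra/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "Backup-April-2026/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n",
    "README.md": "# Service\nRun make deploy.\n",
}

if __name__ == "__main__":
    for path, hits in scan_commit(SAMPLE_COMMIT).items():
        print(f"{path}: {hits}")
    print("merge allowed:", merge_allowed(SAMPLE_COMMIT))  # False
```

Wiring this into a pre‑receive hook or a required CI status check is what turns the detector into the "scan before merge" control the policy item describes.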

3. Compliance Timeline

| Deadline | Action | Responsible Party |
|---|---|---|
| Day 0 (May 15, 2026) | Repository taken offline; all exposed credentials revoked. | CISA Incident Response Team |
| Day 2 | Initial FISMA breach report filed with OMB and DHS. | CISA Office of the CIO |
| Day 7 | Full forensic analysis completed; list of all compromised assets finalized. | Internal Audit & Risk Management |
| Day 15 | Rotation of all cloud and artifact‑registry keys; deployment of automated secret‑scanning on all repos. | Cloud Operations & DevSecOps |
| Day 30 | Submission of Corrective Action Plan to OMB; update of SDLC policy and contractor agreements. | Chief Information Security Officer (CISO) |
| Day 60 | Completion of mandatory training for 100% of staff and contractors. | Human Resources & Training Division |
| Day 90 | Independent audit of secret‑management controls; audit report to OMB. | External Auditor (FedRAMP‑authorized) |

4. Lessons for Federal Agencies

  • Never use personal accounts for federal code. The mixed‑identity pattern observed (CISA contractor email + personal Yahoo address) is a known high‑risk vector.
  • Automated secret scanning is mandatory. The presence of a “how‑to‑disable‑secret‑scanning” document demonstrates a policy gap that the 2024 Executive Order explicitly forbids.
  • Version‑control hygiene matters. Backups such as Backup-April-2026/ should never be committed to a Git history; instead, use encrypted, off‑site storage.
  • Rapid disclosure channels work. Valadon’s escalation through CERT/CC and direct contact with a journalist accelerated CISA’s response; agencies should maintain a clear internal escalation path for third‑party disclosures.

5. Next Steps for Stakeholders

  • Contractors: Review all GitHub accounts linked to federal projects; migrate any code to agency‑controlled organizations and enable mandatory secret scanning.
  • Agency Leaders: Allocate budget for a dedicated secrets‑management platform and for periodic external audits to satisfy OMB and CMMC requirements.
  • Policy Makers: Consider tightening the definition of “public repository” in federal procurement clauses to include automatic revocation of any token found in a public commit.

The CISA incident underscores that even the nation’s premier cyber‑defense agency must treat secret management as a core control, not an afterthought. By aligning remediation actions with FISMA, NIST SP 800‑53, and the 2024 Executive Order, CISA can restore confidence and demonstrate compliance with the highest federal security standards.
