
When the Cyber Watchdog (CISA) Can’t Watch Itself.

A contractor for CISA, the Cybersecurity and Infrastructure Security Agency, maintained a public GitHub repository called, almost comically, “Private-CISA.”


Inside it: administrative credentials to three AWS GovCloud accounts. Plaintext passwords in a CSV file. Tokens. Build logs. Terraform code. Kubernetes manifests. The actual blueprint of how CISA builds and ships software.


A GitGuardian researcher called it “the worst leak I’ve witnessed in my career.” 


Let that sink in. The agency that lectures every Fortune 500 company on security posture had a contractor using passwords like “platformname2025” and explicitly disabling GitHub’s secret-scanning protection. Not a sophisticated nation-state attack. Not a zero-day exploit. Someone turned off the smoke alarm and started a fire.


Here’s where it stops being a “tech story” and becomes a leadership story.


This isn’t about one careless contractor. One person can make one mistake. Leadership is what determines whether that mistake gets caught in 10 minutes or 6 months. And the answer here was: nobody noticed. No internal scanning. No credential rotation alerts. No review of contractor GitHub activity. The keys remained valid for 48 hours after the repository was finally pulled down, because rotation wasn’t ready either.


Three uncomfortable truths every executive should sit with:


1. Your security posture is whatever your weakest contractor does on a Tuesday night. Vendor risk isn’t a checkbox on a procurement form. If you don’t know what your contractors are committing to public repos, you don’t know your attack surface.


2. “We have policies” is not the same as “we have controls.” CISA almost certainly had policies against this. Policies don’t run in production. Automated scanning, least-privilege access, and key rotation do.


3. Culture beats compliance, every time. When someone feels comfortable disabling a security feature to make their workflow easier, and nobody questions it for six months, that’s not a tooling problem. That’s a culture that treats security as friction instead of foundation.


The most damning detail isn’t technical. It’s that this contractor was reportedly using the repo to sync files between a work laptop and a home computer. A convenience hack. The oldest story in security.


CISA’s response? “No indication sensitive data was compromised.” Maybe. This is just a crappy response and honestly lazy. 


If the agency teaching America how to defend itself can’t model basic operational security, the rest of us need to ask harder questions about our own houses.


Audit your repos. Rotate your keys. Question your assumptions. And stop pretending culture is HR’s problem.
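As an added illustration of the “controls, not policies” point (example code written for this page, not anything CISA, the contractor or GitGuardian ships), here is a minimal scanner that walks a checkout and flags the artifact types the post describes: AWS access keys, assigned tokens, and plaintext password columns in CSV files. Everything beyond AWS’s public AKIA/ASIA key-ID prefix is an assumed heuristic, and the sample values are constructed.

```python
import csv
import io
import re
from pathlib import Path
# Heuristics for the artifact types the post lists. AKIA/ASIA is AWS's public
# access-key-ID prefix; the rest are illustrative, not GitHub's or GitGuardian's rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "generic_token": re.compile(r"(?i)\b(?:token|api_key)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{20,}"),
}
PASSWORD_COLUMNS = {"password", "passwd", "pwd"}

def scan_text(text, name="<input>"):
    # One (file, line_no, kind) finding per pattern that matches a line.
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((name, line_no, kind))
    return findings

def scan_csv(text, name="<input>"):
    # Flag rows that carry a non-empty value in a password-style column.
    reader = csv.reader(io.StringIO(text))
    header = next(reader, [])
    cols = [i for i, h in enumerate(header) if h.strip().lower() in PASSWORD_COLUMNS]
    return [(name, n, "plaintext_password_column")
            for n, row in enumerate(reader, start=2)
            if any(i < len(row) and row[i].strip() for i in cols)]

def scan_repo(root):
    # Walk a checkout; skip .git and anything that is not UTF-8 text.
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        rel = str(path.relative_to(root))
        findings.extend(scan_text(text, rel))
        if path.suffix.lower() == ".csv":
            findings.extend(scan_csv(text, rel))
    return findings
# Constructed sample input (fake values; the key pair is AWS's documented example).
SAMPLE_TFVARS = ('aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n'
                 'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n')
SAMPLE_CSV = "service,username,password\nci-runner,deploy,platformname2025\n"
```

Wired into a pre-commit hook or a CI job that runs over every contractor repository, this is the kind of control that keeps working whether or not someone has switched off the platform’s own secret scanning.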

 
 

Timcke Risk Management, LLC

660 Massachusetts Ave

6th Floor, Boston, MA 02118

 

© 2025 by Timcke Risk Management, LLC

 
