TempMail Ninja

CISA Data Leak Sparks Congressional Inquiry Over AWS Security


In the high-stakes world of federal cybersecurity, no agency is more scrutinized, or more trusted to protect the United States’ digital infrastructure, than the Cybersecurity and Infrastructure Security Agency (CISA). As the body that presses the private sector to adopt “Secure by Design” principles and mandates strict security hygiene across federal departments, CISA is expected to practice what it preaches. The revelation of a large CISA data leak has punctured that assumption, sending shockwaves through Capitol Hill and the wider cyber defense community. At its core, the incident is an administrative failure rather than a technical one, among the most serious in the history of federal IT security, and it exposes a stark disconnect between the agency’s public mandates and its internal operational reality.

The story broke publicly on May 18, 2026, but its roots trace back to November 13, 2025. For roughly six months, a public GitHub repository named “Private-CISA” sat exposed to the open internet. It was not the product of a sophisticated zero-day exploit launched by a nation-state adversary. It was a textbook case of human error and security neglect on the part of a third-party administrator employed by Nightwing, a government IT contractor based in Dulles, Virginia. By the time the repository was taken down on May 15, 2026, approximately 844 megabytes of sensitive federal cloud architecture and cryptographic secrets had been exposed for 183 days.

Anatomy of the CISA Data Leak: What Was Exposed?

The “Private-CISA” repository was far more than an accidental dump of generic scripts. To the security researchers who analyzed it, it read like an administrative roadmap to CISA’s internal software-deployment pipelines and cloud hosting environments. The 844 MB archive contained a mix of production credentials, system configurations, and internal infrastructure backups. Specifically, the exposed repository included:

  • AWS GovCloud Administrative Keys: Administrative access keys for three distinct AWS GovCloud (US) accounts. GovCloud is a separate AWS partition (aws-us-gov) reserved for sensitive government workloads, so these were keys to environments provisioned precisely because they hold high-integrity federal data.
  • Plaintext Password Sheets: Most damaging, the repository hosted an unencrypted CSV file explicitly named AWS-Workspace-Firefox-Passwords.csv, containing plaintext usernames and passwords for internal agency systems. The filename suggests a browser saved-password export taken from an AWS WorkSpaces virtual desktop.
  • SAML Certificates and Identity Data: Active Entra ID SAML certificates and identity material used to secure Microsoft identity management systems. If the corresponding private keys were among them, they would let an attacker forge SAML assertions and impersonate any federated user without ever touching a password.
  • Infrastructure-as-Code (IaC) Files: Kubernetes manifests (including files inside directories labeled Kubernetes-Important-Yaml-Files/), ArgoCD application files, and Terraform infrastructure bundles. Even without credentials, these map out cluster names, namespaces, network layout, and deployment workflows.
  • Software Supply Chain Assets: Plaintext credentials to CISA’s internal Artifactory instance, the centralized repository holding the code packages and dependencies CISA uses to build, test, and deploy its software.
  • Landing Zone Secrets: Authentication keys and configuration for “LZ-DSO,” CISA’s Landing Zone DevSecOps development and operations environment.

According to Philippe Caturegli, founder and CEO of the cybersecurity consulting firm Seralys, the severity of the leak cannot be overstated. Caturegli confirmed that the leaked AWS GovCloud administrative keys were still active at the time of discovery. With “minimal recon,” anyone holding them could have gained full administrative access to CISA’s S3 buckets, EC2 instances, and secrets managers. Against a valid administrative key, perimeter controls are irrelevant: the intruder is not breaking in, but logging in as the administrator.

The Fatal Bypasses: Defeating Automated Safeguards

Accidental credential leaks occur with some regularity in enterprise environments, but the metadata of this incident reveals something more troubling: the safeguards were deliberately overridden. GitHub’s secret scanning includes a defense called push protection, enabled by default for pushes to public repositories, which scans each push for recognizable secret formats (cloud access keys, API tokens, private keys) and blocks the push when one is found.

In this case, the Nightwing contractor did not simply miss a warning. Commit logs in the “Private-CISA” repository showed that the administrator deliberately bypassed GitHub’s built-in secret detection in order to push the sensitive data. Push protection is not silent: a blocked push has to be explicitly overridden by the person pushing, who must declare the detected secret a false positive, test data, or something to fix later. Rather than using a local password manager or an enterprise-grade vault, the contractor appears to have treated the public GitHub repository as a personal, ad-hoc cloud-synchronization folder. By committing from both CISA-associated and personal email addresses, the administrator carried the material across federal data boundaries to make it easier to work from different locations and devices.
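To make the mechanism concrete, here is an added illustration of the class of checks push protection performs on a push: AWS key formats, PEM private-key headers, and password-sheet filenames. This is not GitHub’s code and nothing in it comes from the “Private-CISA” repository; the sample tree is constructed to mirror the categories listed above and uses AWS’s published example key pair rather than a live credential.

```python
"""Pre-push secret scanner.

Added illustration of the class of checks GitHub's push protection performs on
a push; this is not GitHub's code and nothing here comes from the
"Private-CISA" repository. Sample files are constructed and use AWS's
published example key pair, not a live credential.
"""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 0 means the finding is about the file name itself
    kind: str
    snippet: str


# AWS access key IDs are 20 characters: AKIA (long-lived) or ASIA (temporary)
# followed by 16 upper-case alphanumerics. Secret keys are 40 base64-alphabet chars.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
# Matches RSA, EC, OPENSSH, ENCRYPTED and unlabelled PKCS#8 private-key headers.
PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Files that should never be committed regardless of what they contain.
SUSPECT_NAME = re.compile(r"(password|passwd|secret|credential)s?.*\.(csv|txt|xlsx?)$", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; random 40-char secrets score well above 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_file(path: str, text: str) -> list[Finding]:
    findings = []
    if SUSPECT_NAME.search(path.rsplit("/", 1)[-1]):
        findings.append(Finding(path, 0, "suspicious-filename", path))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(path, lineno, "aws-access-key-id", m.group()))
        for m in AWS_SECRET.finditer(line):
            # The entropy gate keeps ordinary 40-char words and low-variety
            # identifiers from tripping the 40-character secret pattern.
            if shannon_entropy(m.group()) >= 4.0:
                findings.append(Finding(path, lineno, "aws-secret-key", m.group()[:4] + "..."))
        if PEM_PRIVATE.search(line):
            findings.append(Finding(path, lineno, "private-key", line.strip()))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """files maps repository path -> content, e.g. built from `git diff --cached`."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return findings


def push_allowed(files: dict[str, str]) -> bool:
    """Hook verdict: any finding refuses the push. No bypass flag is offered."""
    return not scan_tree(files)


# Constructed sample tree mirroring the categories described in the article.
SAMPLE_FILES = {
    "Kubernetes-Important-Yaml-Files/deploy.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
    "AWS-Workspace-Firefox-Passwords.csv": "url,username,password\nhttps://portal.example.gov,admin,hunter2\n",
    "terraform/provider.tf": (
        'access_key = "AKIAIOSFODNN7EXAMPLE"\n'
        'secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "lz-dso/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.snippet}")
    print("push allowed:", push_allowed(SAMPLE_FILES))
```

Wired into a client-side pre-commit or pre-push hook, a scanner like this catches the honest mistake, but a client-side hook can be skipped with `git push --no-verify`, which is the same bypass problem the incident illustrates. The check only becomes a control when it runs where the pusher cannot switch it off: on the server, as GitHub’s push protection does, or in a pre-receive hook on a self-hosted Git server.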

Discovery, Remediation, and Response Lag

The exposure was first identified on May 14, 2026, by Guillaume Valadon, a senior security researcher at the secrets-detection firm GitGuardian. GitGuardian’s monitoring platform flags leaked secrets across the open web, and over the preceding weeks it had sent nine automated “Good Samaritan” warnings to the personal account that owned the repository, with zero response. When Valadon examined the content himself, he realized the gravity of the situation. “I honestly believed that it was all fake before analyzing the content deeper,” Valadon noted. “This is indeed the worst leak that I’ve witnessed in my career.”

Recognizing the immediate threat, Valadon went around the unresponsive contractor and escalated the finding directly to the CERT Coordination Center (CERT/CC), while also notifying federal contacts alongside investigative journalist Brian Krebs. On May 15, 2026, roughly 26 hours after that escalation, the repository was taken offline.

The remediation of the keys themselves lagged behind. Although the repository was deleted on May 15, researchers verified that the exposed AWS GovCloud administrative keys remained active and valid for up to 48 hours after CISA was notified. Taking down the repository removes only the public copy; anyone who cloned it during those 183 days, and every archive that scraped it, still holds the keys, so revocation and rotation, the very first step in a standard credential-leak response, is what actually closes the exposure. That this step took two days has drawn sharp criticism from threat intelligence experts.

Capitol Hill Demands Answers: The Congressional Inquiry

The political fallout from the CISA data leak was swift, bringing immediate pressure from lawmakers who oversee national security and federal cyber defenses. For an agency tasked with enforcing cyber standards across federal departments, having its own keys sit on the open web for six months was deemed unacceptable.

On May 19, 2026, Senator Maggie Hassan (D-NH) sent a blistering formal letter to CISA’s Acting Director, Nick Andersen, demanding a classified briefing by June 5. Hassan wrote that the lapse “raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches.” Her letter pressed twelve detailed questions on CISA’s contractor-vetting procedures, cloud architecture guidelines, and internal secret rotation policies.

The following day, May 20, 2026, the leadership of the House Homeland Security Committee launched a parallel inquiry. Ranking Member Bennie Thompson (D-MS) and Cyber Subcommittee Ranking Member Delia Ramirez (D-IL) demanded an immediate staff-level briefing from CISA leadership. Lawmakers have focused heavily on the role of third-party vendors, demanding accountability for corrective actions taken against Nightwing personnel and asking what automated systems CISA uses to monitor contractor-owned repositories.

The Myth of “No Compromise” and the Threat of Persistence

In response to the growing political storm, CISA issued a brief statement. A spokesperson said:

“Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

Threat intelligence professionals view this statement with considerable skepticism. Credentials that sat in a public repository for 183 days must be presumed found. Nation-state adversaries, including advanced persistent threat (APT) groups from Russia, China, and North Korea, continuously ingest the public GitHub event stream in near real time, and the same data is captured by third-party archives. They index and store every leaked secret before developers can delete it, building large collections of historic leaks for later use. “No indication of compromise” therefore means little unless the CloudTrail history of every affected account has been searched for use of the leaked key IDs across the entire window.

The primary concern is not a destructive attack but silent, persistent lateral movement. Because the credentials granted access to CISA’s internal Artifactory, an adversary could have quietly altered software packages or planted backdoor access within federal networks. Every subsequent build or deployment that pulled a tampered package would then distribute the adversary’s backdoor across federal departments. If an APT has established persistence, finding and purging it could take months of forensic investigation, and rotating the leaked keys alone does not remove a foothold created while they were valid. That makes this leak an active national security concern for the foreseeable future.
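What substantiating a “no compromise” claim actually involves, as an added example rather than anything from CISA or its investigators: a triage pass over CloudTrail management events that isolates every call made with the leaked key IDs, separates baseline use before the first public commit from use during the exposure window, flags source addresses outside the known egress range, and lists IAM and logging calls that would give an attacker a foothold outliving the rotated key. The key IDs are AWS documentation examples, and the egress range and CloudTrail records are constructed; the field names are the real CloudTrail record fields.

```python
"""CloudTrail triage for leaked access keys.

Added example, not CISA's data or tooling. The key IDs, egress range and
CloudTrail records below are constructed (the key IDs are AWS documentation
examples); field names follow the real CloudTrail record format.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

LEAKED_KEY_IDS = {"AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"}  # hypothetical
EXPOSURE_START = datetime(2025, 11, 13, tzinfo=timezone.utc)       # first public commit
KNOWN_EGRESS = [ip_network("198.51.100.0/24")]                       # hypothetical agency range

# Calls that create a foothold outliving the leaked key, or blind the logs.
SUSPICIOUS_ACTIONS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "CreateRole", "UpdateAssumeRolePolicy", "AttachRolePolicy",
    "PutRolePolicy", "CreateKeyPair", "ImportKeyPair",
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
}


def parse_events(raw: str) -> list[dict]:
    """CloudTrail exports are {"Records": [...]}."""
    return json.loads(raw)["Records"]


def _when(record: dict) -> datetime:
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _from_known_range(source: str, known) -> bool:
    try:
        addr = ip_address(source)
    except ValueError:  # service principals log names such as "ec2.amazonaws.com"
        return False
    return any(addr in net for net in known)


def triage(records, leaked_ids=LEAKED_KEY_IDS, start=EXPOSURE_START, known=KNOWN_EGRESS) -> dict:
    hits = [r for r in records if r.get("userIdentity", {}).get("accessKeyId") in leaked_ids]
    window = sorted((r for r in hits if _when(r) >= start), key=_when)
    return {
        "pre_exposure_uses": len(hits) - len(window),
        "uses_in_window": len(window),
        "first_use": window[0]["eventTime"] if window else None,
        "last_use": window[-1]["eventTime"] if window else None,
        "by_key": dict(Counter(r["userIdentity"]["accessKeyId"] for r in window)),
        "unknown_sources": sorted({r["sourceIPAddress"] for r in window
                                   if not _from_known_range(r["sourceIPAddress"], known)}),
        "denied_attempts": sum(1 for r in window if "errorCode" in r),
        "suspicious_actions": [
            (r["eventTime"], r["eventName"], r["sourceIPAddress"],
             r.get("requestParameters", {}).get("userName"))
            for r in window if r["eventName"] in SUSPICIOUS_ACTIONS
        ],
    }


def compromise_indicated(summary: dict) -> bool:
    """'No indication of compromise' is only defensible when both lists are empty."""
    return bool(summary["unknown_sources"] or summary["suspicious_actions"])


# Constructed records: baseline admin use, then recon and an IAM foothold from an unknown address.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2025-11-02T09:00:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "lz-dso-admin", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-12-01T14:30:00Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "lz-dso-admin", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-01-09T03:12:44Z", "eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "203.0.113.45", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"type": "IAMUser", "userName": "lz-dso-admin", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-01-09T03:13:10Z", "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.45", "userAgent": "Boto3/1.34.0",
     "requestParameters": {"userName": "svc-backup"},
     "userIdentity": {"type": "IAMUser", "userName": "lz-dso-admin", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-03-02T22:41:05Z", "eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
     "sourceIPAddress": "203.0.113.45", "userAgent": "Boto3/1.34.0", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "artifactory-ci", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    {"eventTime": "2026-04-15T10:00:00Z", "eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.9", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "other-user", "accessKeyId": "AKIAUNRELATEDKEY0001"}},
]})

if __name__ == "__main__":
    summary = triage(parse_events(SAMPLE_CLOUDTRAIL))
    print(json.dumps(summary, indent=2))
    print("compromise indicated:", compromise_indicated(summary))
```

Two caveats when running this for real. CloudTrail records management events by default but not data events, so S3 object reads and secrets retrievals appear only if data-event logging was turned on before the exposure; and the search has to be repeated in every account the keys could reach, with log coverage spanning the whole window. An empty result from incomplete logs is absence of evidence, not evidence of absence.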

The Road Ahead: Reforming Federal Secret Management

The Nightwing incident highlights a fundamental flaw in how the federal government handles cloud credentials: reliance on static secrets. Everything in the leak was usable because it was long-lived: IAM access keys, a password sheet, SAML certificates. In modern cloud environments, keeping hardcoded access keys and plaintext passwords in static files is an obsolete practice that invites exactly this outcome. Security experts argue that the incident must be a catalyst for reforms:

  1. Elimination of Static Secrets: Federal agencies must mandate a transition to ephemeral, short-lived credentials. Workloads such as CI/CD pipelines should obtain AWS credentials by exchanging an OpenID Connect (OIDC) identity token for a temporary role session (sts:AssumeRoleWithWebIdentity), with the role’s trust policy pinned to the specific repository and branch; dynamic secrets engines should issue database and service credentials on demand. Long-lived AWS IAM access keys should be eliminated, and any key that cannot be eliminated should be rotated on a schedule and monitored for use from unexpected sources.
  2. Contractor Security Monitoring: Agencies like CISA must deploy external attack surface management (EASM) and public secret-scanning tools that continuously search the public internet and code repositories for assets and credentials tied to their domains, contractors, or employees. A repository created under a contractor’s personal account sits outside any enterprise’s settings, so this is the control that catches it.
  3. Enforcement of Hard Push Protection: Push protection must be managed at the organization or enterprise level. GitHub supports delegated bypass, under which a blocked push can only proceed after a designated reviewer approves the request; that is the mode agencies and their contractors should require, so that individual contributors cannot override or disable secret-scanning blocks on their own.
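The OIDC recommendation in item 1 has its own well-known failure mode: the role’s trust policy has to say which repository may assume it, and a policy that checks only the audience claim lets a workflow in any GitHub repository obtain the session. As an added example (not from the page, CISA, or any agency tooling), the following linter checks a trust policy for that mistake and shows a weak policy, a loose wildcard policy, and a pinned one side by side. The account ID, organization and repository names are placeholders; the provider host token.actions.githubusercontent.com and the aud and sub claim names are the real ones GitHub’s tokens carry.

```python
"""Trust-policy linter for GitHub Actions OIDC roles.

Added example, not from the page or from any agency tooling. The three trust
policies are constructed; the account ID, organisation and repository names are
placeholders. The provider host and claim names (aud, sub) are the real ones
GitHub's OIDC tokens carry.
"""
GITHUB_OIDC = "token.actions.githubusercontent.com"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_trust_policy(policy: dict, expected_repo: str) -> list[str]:
    """Return findings for every Allow statement granting AssumeRoleWithWebIdentity.
    An empty list means the role is pinned to one repository and ref."""
    issues = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        federated = _as_list(st.get("Principal", {}).get("Federated", []))
        if not any(p.endswith("oidc-provider/" + GITHUB_OIDC) for p in federated):
            issues.append("Federated principal is not the GitHub OIDC provider")
        # Flatten {"StringEquals": {claim: v}, "StringLike": {claim: v}} into claim -> (operator, values)
        claims = {}
        for operator, kv in st.get("Condition", {}).items():
            for claim, value in kv.items():
                claims[claim] = (operator, _as_list(value))
        aud = claims.get(f"{GITHUB_OIDC}:aud")
        if aud is None or aud[1] != ["sts.amazonaws.com"]:
            issues.append("aud claim is not pinned to sts.amazonaws.com")
        sub = claims.get(f"{GITHUB_OIDC}:sub")
        if sub is None:
            issues.append("no sub condition: a workflow in any GitHub repository can assume this role")
            continue
        operator, values = sub
        for v in values:
            if not v.startswith(f"repo:{expected_repo}:"):
                issues.append(f"sub allows {v!r}, not limited to repo:{expected_repo}:...")
            elif operator.endswith("StringLike") and v == f"repo:{expected_repo}:*":
                issues.append(f"sub {v!r} admits every branch, tag, environment and pull request")
    return issues


_PROVIDER = f"arn:aws-us-gov:iam::123456789012:oidc-provider/{GITHUB_OIDC}"  # placeholder account

# Weak: the aud check alone does not say *which* GitHub workflow may assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}},
    }],
}

# Loose: wildcard across the whole organisation, every repository and every ref.
LOOSE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-agency/*:*"},
        },
    }],
}

# Pinned: only the main branch of one named repository can obtain a session.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
            f"{GITHUB_OIDC}:sub": "repo:example-agency/lz-dso-deploy:ref:refs/heads/main",
        }},
    }],
}

if __name__ == "__main__":
    for name, policy in [("weak", WEAK_TRUST_POLICY), ("loose", LOOSE_TRUST_POLICY), ("good", GOOD_TRUST_POLICY)]:
        print(name, lint_trust_policy(policy, "example-agency/lz-dso-deploy") or ["ok"])
```

On the workflow side the job needs `permissions: id-token: write` and a step such as aws-actions/configure-aws-credentials with `role-to-assume` set to the pinned role; the resulting session credentials expire within hours, so a copy of them sitting in a repository six months later would be worthless, which is the whole point of the reform.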

If CISA is to keep its credibility as the nation’s cybersecurity referee, it must first get its own house in order. The “Private-CISA” leak is a stark reminder that even the most capable cyber-defense agency is only as secure as its most negligent third-party contractor.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.