You.Know

The Agency That Wrote the Rules Forgot to Follow Them

  • Writer: Christie Vazquez
  • May 20
  • 4 min read

This month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was found to have left sensitive data — passwords, access credentials, and internal system information — exposed in a publicly accessible online location for six months. CISA's mission is to help organizations prevent exactly this kind of failure.


The file was called "Private-CISA." It was publicly accessible.


I wish I could say this surprised me. It didn't.


What Happened

In May 2026, researchers discovered that a contractor working on behalf of CISA and the Department of Homeland Security had left sensitive government information openly accessible online since November 2025. The contractor, a firm called Nightwing based in Virginia, was responsible for managing the data on the agency's behalf.


What was exposed amounted to a set of keys to government systems: login credentials, access information, and internal documentation that together would give an outsider a detailed picture of how the agency operates behind the scenes. To make matters worse, the contractor had also turned off the platform's own built-in warnings, the ones designed to flag when sensitive information is about to be made public.


Researchers confirmed the access information was still active at the time of discovery. An outside firm found the exposure and notified CISA, which took the information offline within 26 hours. There is no confirmed evidence that anyone used it maliciously, but six months is a long time, and certainty is not possible.


Context Worth Noting

CISA is the federal agency responsible for protecting the systems Americans depend on every day — power grids, water systems, financial networks, hospitals, and communications infrastructure. Its congressionally mandated mission spans three areas: cybersecurity, physical infrastructure security, and emergency communications.


Since most of the country's critical infrastructure is privately owned, CISA's effectiveness depends heavily on trust. It sets the standards, issues warnings, and responds when things go wrong. It is the nation's primary civilian line of defense when it comes to protecting critical systems from attack.


What researchers found in the exposed data was, in essence, a list of things CISA tells everyone else not to do. The contractor disabled the platform's own protections. Passwords were left in the open. Sensitive access information was stored carelessly. Every one of these is something CISA's own published standards explicitly warn against.


Having spent my career in and around government, I've seen this pattern before. Agencies invest significant effort in developing standards and policy frameworks for others to follow — and then, through a combination of contractor reliance, stretched resources, and the quiet assumption that the rules are more urgent for everyone else, fail to hold their own operations to the same bar. This is not unique to CISA, and it is not new. But it is worth saying plainly: this incident is less an accident and more an illustration of something structural.


Good policies do not enforce themselves. That is especially true when the work is being done by outside contractors, and when internal oversight is limited.

CISA's current circumstances add to the concern. The agency has lost approximately one-third of its workforce through budget reductions, and proposed cuts exceeding $420 million would further reduce the programs and people most likely to catch this kind of failure before it becomes public.


Questions to Ask Your Information Security Team This Week

The most productive conversations I've had with security leadership haven't started with technical questions — they've started with questions about accountability and visibility. These three are worth raising:

  1. Do we know everything our contractors are doing on our behalf?

    • This exposure didn't come from CISA's own systems. It came from a contractor's account. Ask whether your agreements with vendors require them to tell you what tools and accounts they're using on your behalf — and whether anyone is checking.

  2. Are our own protections actually on, and would we know if they weren't?

    • Most systems include built-in safeguards designed to catch mistakes. Ask whether those are active, and whether your security team gets notified if someone turns them off.

  3. If a contractor exposed our information today, how long before we'd know?

    • CISA's exposure lasted six months before an outside firm found it. Ask honestly what your detection capability looks like. If the answer is "we'd find out when someone told us," that's where the conversation needs to go.


The Bottom Line

CISA will investigate and will issue updated guidance, which will be worth reviewing when it arrives. But the more immediate question is this: if an agency whose entire purpose is protecting others from this kind of failure can go six months without detecting it in its own house, what does that say about the assumptions we're making in ours?


In my experience, the gap between the standards we set and the practices we actually maintain is most visible in the places we're least inclined to look. This incident is a good reason to look.

Sources: GitGuardian research blog, KrebsOnSecurity, CSO Online, TechRepublic, Security Boulevard, Biometric Update — May 2026


The views expressed are my own. This post was written with the assistance of AI.

