Congress Demands Answers From CISA After Contractor Posts Secrets to Public GitHub
*Lawmakers in both chambers are pressing the agency for details on a contractor's release of AWS GovCloud keys and other internal data.*
Congress is seeking formal responses from the Cybersecurity and Infrastructure Security Agency after a contractor placed agency credentials and additional materials on a public GitHub repository. The inquiry coincides with CISA's ongoing work to revoke the exposed access tokens.
The contractor posted the material from an account tied to CISA work. It included AWS GovCloud keys along with a broader set of agency records. KrebsOnSecurity first reported the exposure earlier this week, prompting the current round of questions from Capitol Hill.
CISA has not completed the process of invalidating every credential that appeared in the repository. Agency staff continue to audit and rotate the affected items while lawmakers request timelines and explanations for how the material reached a public site.
Details of the disclosure
The published content covered both production credentials and supporting files. No technical description of the repository contents beyond the presence of the keys and the volume of other records has been released by CISA. The agency has confirmed the contractor acted without authorization to make the material public.
Congressional response
Members from both the House and Senate have sent inquiries to CISA leadership. The letters ask for briefings on the scope of the data, the timeline for credential revocation, and any internal controls that failed to prevent the posting.
Why it matters
Government contractors routinely hold keys that protect critical infrastructure systems. When those keys surface on an open platform, the window for misuse remains open until every token is rotated or revoked. The episode shows that existing review steps for contractor repositories did not catch the exposure before it became public, leaving agencies to manage the consequences after the fact.