US News
CISA says lack of response plan worsened federal cyber breach
In a Sept. 23, 2025 advisory on the case, the Cybersecurity and Infrastructure Security Agency said it had “missed” an opportunity to get ahead of a federal cyber incident because it had not built and exercised an incident response plan before the breach unfolded. The agency’s plan did not support a quick response, did not let it promptly bring in third parties, and did not give those responders the resources they needed.
The incident came to light only after endpoint detection and response alerts flagged potential malicious activity. By then, attackers had already exploited CVE-2024-36401 in a GeoServer about three weeks earlier. During that same period, the intruders also gained initial access to a second GeoServer and moved laterally to two other servers.
Cyber incidents can damage U.S. national security interests, foreign relations, the economy, public confidence, civil liberties, and health and safety. Organizations should have clear, executable incident response plans and should maintain, practice, and update them regularly.

Under Executive Order 14028, CISA published federal incident and vulnerability response playbooks. Those federal playbooks give federal civilian executive branch agencies standard procedures to identify, coordinate, remediate, recover, and track mitigations. They were built from lessons learned in earlier incidents and industry best practices to strengthen response practices and operational procedures across both public and private sectors.
Its Cyber Storm series brings together public and private participants to simulate a significant cyber incident affecting the nation’s critical infrastructure.
Sources
- [1]techcrunch.com
- [2]cisa.gov