CISA said it "missed" an opportunity to get ahead of the security incident by not creating a response plan ahead of time.