CISA Chief’s ChatGPT Use Raises Security Concerns
In August 2025, Madhu Gottumukkala, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), uploaded sensitive contracting documents labeled for official use only into the public version of ChatGPT. This action triggered multiple automated security alerts designed to prevent data exfiltration from federal networks, as reported by four Department of Homeland Security (DHS) officials.
Background and Context
Upon assuming his role in May 2025, Gottumukkala obtained special permission from CISA’s Chief Information Officer to use ChatGPT, an AI language model developed by OpenAI. At that time, ChatGPT was restricted for other DHS staff due to security concerns. The sensitive documents were uploaded in early August 2025, leading to repeated cybersecurity sensor warnings within the first week. Although the files were not classified, they contained sensitive contracting information not intended for public dissemination.
Security Implications
CISA’s security systems detected the unauthorized uploads, prompting senior DHS officials to initiate an internal review to assess potential national security risks. Gottumukkala discussed the incident with DHS leaders, including then-acting general counsel Joseph Mazzara and Chief Information Officer Antoine McCord. He also met with CISA’s CIO Robert Costello and chief counsel Spencer Fisher to address the handling of for official use only (FOUO) materials.
DHS policy mandates investigations into such exposures, evaluating causes, and considering actions ranging from retraining to security clearance revocation. An anonymous official criticized Gottumukkala’s actions, stating, “He forced CISA’s hand into making them give him ChatGPT, and then he abused it.” The outcome of the internal review remains undisclosed.
Risks of Public AI Platforms
Public versions of ChatGPT share user inputs with OpenAI, which has over 700 million active users. This practice poses risks, as sensitive data could be used to train models accessible to adversaries, including state-backed hackers from Russia and China—precisely the threats CISA aims to counter.
CISA spokesperson Marci McCarthy stated that Gottumukkala used ChatGPT with DHS controls in place under a short-term and limited exception, last accessing it in mid-July 2025. She emphasized the agency’s commitment to AI, aligning with President Trump’s executive order.
Alternative Secure Tools
In contrast, approved DHS tools, such as the internal DHSChat, store data on federal networks, offering a more secure environment for handling sensitive information. All federal employees receive training on managing sensitive documents, underscoring the importance of adhering to established protocols.
Scrutiny of Leadership
Gottumukkala’s tenure has faced scrutiny. Six career staff members were placed on leave following his failure of an unsanctioned counterintelligence polygraph. In testimony, he rejected the premise that he had failed the test. Additionally, he attempted to remove CIO Robert Costello but was blocked by appointees, as reported by Politico.
Conclusion
This incident highlights the critical importance of adhering to established security protocols when handling sensitive information, especially within federal agencies tasked with safeguarding national security. The use of public AI platforms for processing sensitive data poses significant risks, necessitating strict compliance with security measures and the use of approved tools to prevent potential breaches.