CISA Chief’s Use of Public ChatGPT Raises Security Concerns
In August 2025, Madhu Gottumukkala, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), uploaded sensitive contracting documents labeled for official use only into the public version of ChatGPT. This action triggered multiple automated security alerts designed to prevent data exfiltration from federal networks, as reported by four Department of Homeland Security (DHS) officials.
Gottumukkala, who assumed the interim role in May 2025, had obtained special permission from the agency’s Chief Information Officer to use ChatGPT shortly after his appointment. At that time, the AI tool was blocked for other DHS staff. The uploads occurred in early August 2025, with cybersecurity sensors flagging them multiple times within the first week. Although the files were not classified, they contained sensitive contracting information not intended for public release.
CISA’s security systems detected the activity, prompting senior DHS officials to initiate an internal review to assess potential risks to national security. Gottumukkala discussed the incident with DHS leaders, including then-acting general counsel Joseph Mazzara and Chief Information Officer Antoine McCord. He also met with CISA’s CIO Robert Costello and chief counsel Spencer Fisher in August to address the handling of for official use only (FOUO) material.
DHS policy mandates investigations into such exposures, which evaluate the causes and consider actions ranging from retraining to security clearance revocation. An anonymous official criticized Gottumukkala, stating, “He forced CISA’s hand into making them give him ChatGPT, and then he abused it.” The outcome of the review remains undisclosed.
Public ChatGPT shares user inputs with OpenAI, which has over 700 million active users. This raises concerns about sensitive data being used to train models accessible to adversaries, including state-backed hackers from Russia and China—precisely the threats CISA aims to counter.
CISA spokesperson Marci McCarthy stated that Gottumukkala used ChatGPT with DHS controls in place under a short-term and limited exception, last accessing it in mid-July 2025. She emphasized the agency’s commitment to AI, aligning with President Trump’s executive order.
In contrast, approved DHS tools, such as the internal DHSChat, store data on federal networks. All federal employees receive training on handling sensitive documents.
Gottumukkala’s tenure has faced scrutiny. Six career staff members were placed on leave after he failed an unsanctioned counterintelligence polygraph. In testimony, he disputed the premise that he had failed the test. Recently, he attempted to oust Costello but was blocked by appointees, as reported by Politico.