CISA's ChatGPT Blunder: Leadership Hypocrisy in the Heart of U.S. Cyber Defense

CISA Leader Uploaded 'For Official Use Only' Files to ChatGPT, Prompting DHS Review

The revelation that Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), uploaded sensitive government contracting documents marked "For Official Use Only" (FOUO) into a public version of ChatGPT last summer is more than an embarrassing lapse—it's a glaring indictment of judgment at the top of America's premier civilian cyber defense organization. Reported by Politico on January 27, 2026, the incident triggered multiple automated security alerts in early August 2025, prompting a Department of Homeland Security (DHS) review to assess potential national security risks from unintentional data exposure.

Gottumukkala, appointed under President Trump and previously South Dakota's CIO under Kristi Noem, had personally requested—and received—a temporary exception in May 2025 to access ChatGPT, even as the tool remained blocked agency-wide due to well-founded fears of data leakage to third-party AI providers like OpenAI. Access ended by mid-July, but the damage was done: sensitive but unclassified files—detailing contracts and potentially operational details—were fed into a public model where inputs could be retained, trained on, or accessed by others.

CISA's public affairs response emphasized that the use was "short-term and limited" with "DHS controls in place," yet it sidesteps the core issue: why the head of an agency tasked with safeguarding federal networks and critical infrastructure against exactly this kind of mishandling would bypass those very safeguards. Internal sources described it bluntly—one official claimed Gottumukkala "forced CISA's hand" for access, then "abused it." The irony is thick: CISA leads efforts to educate on AI risks, issues guidance on secure generative AI use, and warns relentlessly about data exfiltration via cloud tools. Yet its interim leader apparently treated public ChatGPT as a convenient work assistant.

This isn't isolated. The episode follows prior controversies, including reports of Gottumukkala failing a counterintelligence polygraph (which he reportedly pushed for others), leading to staff suspensions rather than his own accountability. Democratic critics, like House Homeland Security Ranking Member Bennie Thompson, have seized on it as part of broader leadership turbulence at CISA, questioning fitness for a role protecting against foreign adversaries like China and Russia—who would relish any glimpse into U.S. contracting or internal processes.

The broader implications are sobering. In an era of rapid AI adoption, federal agencies must balance innovation with ironclad data hygiene. Exceptions for leaders set dangerous precedents—if the cyber chief can upload FOUO materials to an unrestricted model, what message does that send to rank-and-file employees? Public versions of ChatGPT are not designed for sensitive government work; even controlled enterprise versions carry risks. This incident underscores the urgent need for stricter, uniform AI governance policies across DHS and beyond—no one-off waivers for political appointees.

For taxpayers and allies relying on CISA's vigilance, the fallout erodes trust at a critical time. Cyber threats are escalating, yet the agency charged with leading the response appears mired in self-inflicted wounds. Gottumukkala's tenure has been marked by staffing shakeups and scrutiny; this latest episode demands transparency on the DHS review's findings and concrete reforms to prevent recurrence.

America's cyber defenses deserve leaders who practice what they preach. Until then, incidents like this remind us: the biggest vulnerabilities often start at the top.