Acting CISA Chief Flagged for Uploading Sensitive Government Files Into ChatGPT


The acting head of the federal government’s top cyber defense agency triggered an internal cybersecurity warning last summer after uploading sensitive government documents into a public version of ChatGPT, according to four Department of Homeland Security officials familiar with the incident. 

The uploads were traced to Madhu Gottumukkala, the interim director of the Cybersecurity and Infrastructure Security Agency (CISA), who has led the agency in an acting capacity since May. Cybersecurity monitoring systems detected the activity in August and automatically flagged it as a potential exposure of sensitive government material, prompting a broader DHS-level damage assessment, the officials said.

Sensitive CISA Contracting Documents Uploaded into Public AI Tool 

None of the documents uploaded into ChatGPT was classified, according to the officials, all of whom were granted anonymity due to concerns about retaliation. However, the materials included CISA contracting documents marked “for official use only,” a designation reserved for sensitive information not intended for public release. 

One official said there were multiple automated alerts generated by CISA’s cybersecurity sensors, including several internal cybersecurity warnings during the first week of August alone, as reported by Politico. Those alerts are designed to prevent either the theft or accidental disclosure of sensitive government data from federal networks.

Following the alerts, senior officials at DHS launched an internal review to assess whether the uploads caused any harm to government systems or operations. Two of the four officials confirmed that the review took place, though its conclusions have not been disclosed. 

Madhu Gottumukkala Received Special Permission to Use ChatGPT 

The incident drew heightened scrutiny inside DHS because Gottumukkala had requested and received special authorization to use ChatGPT shortly after arriving at CISA earlier this year, three officials said. At the time, the AI tool was blocked for most DHS employees due to concerns about data security and external data sharing.

Despite the limited approval, the uploads still triggered automated internal cybersecurity warnings. Any data entered into the public version of ChatGPT is shared with OpenAI, the platform’s owner, and may be used to help generate responses for other users. OpenAI has said ChatGPT has more than 700 million active users globally. 

By contrast, AI tools approved for DHS use, such as the department’s internally developed chatbot, DHSChat, are configured to ensure that queries and documents remain within federal networks and are not shared externally. 

“He forced CISA’s hand into making them give him ChatGPT, and then he abused it,” one DHS official said. 

In an emailed statement, CISA Director of Public Affairs Marci McCarthy said Madhu Gottumukkala “was granted permission to use ChatGPT with DHS controls in place,” describing the usage as “short-term and limited.” She added that the agency remains committed to “harnessing AI and other cutting-edge technologies” in line with President Donald Trump’s executive order aimed at removing barriers to U.S. leadership in artificial intelligence. 

The statement also appeared to dispute the timeline of events, saying Gottumukkala “last used ChatGPT in mid-July 2025 under an authorized temporary exception granted to some employees,” and emphasizing that CISA’s default policy remains to block ChatGPT access unless an exception is approved.

DHS Review Involved Senior Leadership and Legal Officials 

After the activity was detected, Gottumukkala met with senior DHS officials to review the material he uploaded into ChatGPT, according to two of the four officials. DHS’s then-acting general counsel, Joseph Mazzara, participated in assessing potential harm to the department, one official said. Antoine McCord, DHS’s chief information officer, was also involved, according to another official. 

In August, Gottumukkala also held meetings with CISA Chief Information Officer Robert Costello and Chief Counsel Spencer Fisher to discuss the incident and the proper handling of “for official use only” material, the officials said. 

Federal employees are trained in the proper handling of sensitive documents. DHS policy requires investigations into both the “cause and effect” of any exposure involving official-use-only materials and mandates a determination of whether administrative or disciplinary action is appropriate.  

Possible actions can range from retraining or formal warnings to more serious steps, such as suspension or revocation of a security clearance, depending on the circumstances. 

The Internal Cybersecurity Warning Adds to Turmoil at CISA 

Gottumukkala’s tenure at CISA has been marked by repeated controversy. Earlier this summer, at least six career staff members were placed on leave after Gottumukkala failed a counterintelligence polygraph exam that he pushed to take, a test DHS later described as “unsanctioned.” During congressional testimony last week, Gottumukkala twice told Rep. Bennie Thompson (D-Miss.) that he did not “accept the premise of that characterization” when asked about the failed test. 

Gottumukkala was appointed deputy director of CISA in May by DHS Secretary Kristi Noem and has served as acting director since then. President Trump’s nominee to permanently lead CISA, DHS special adviser Sean Plankey, remains unconfirmed after his nomination was blocked last year by Sen. Rick Scott (R-Fla.) over concerns related to a Coast Guard shipbuilding contract. No new confirmation hearing date has been set. 

As CISA continues to defend federal networks against cyber threats from adversarial nations such as Russia and China, the ChatGPT incident has renewed internal concerns about the use of public AI platforms and how internal cybersecurity warnings are handled when they involve the agency’s own leadership. 


