1. United States
2. Maine
3. Letter

I am writing as a deeply concerned constituent regarding recent reporting that Madhu Gottumukkala, the acting Director of the Cybersecurity and Infrastructure Security Agency (CISA), uploaded sensitive government documents into the commercial AI platform ChatGPT. This is not a partisan issue. It is a matter of judgment, competence, and basic national security responsibility. What makes this incident especially troubling is that Mr. Gottumukkala reportedly requested and received special permission from CISA’s Office of the Chief Information Officer to use ChatGPT shortly after arriving at the agency this past May. At the same time, the application was blocked for other Department of Homeland Security employees due to security concerns. In other words, the individual charged with protecting critical infrastructure and cybersecurity systems was granted an exception to rules imposed on everyone else — and then appears to have misused that access. ChatGPT and similar tools explicitly warn users not to upload sensitive or confidential information. Any federal employee should understand that limitation. A senior cybersecurity official certainly should. The fact that this occurred after special approval was granted raises serious questions about internal controls, leadership vetting, and accountability at CISA. I am struggling to understand how behavior like this can be reconciled with the responsibilities of a federal cyber leadership role. If a lower-level employee had done the same thing, discipline would likely have been swift. When senior officials engage in this conduct, the consequences and risks are far greater. I am asking for clarity on what documents were involved, what risks were created, what accountability measures are being pursued, and what steps Congress is taking to ensure that no senior official is permitted to override security safeguards without meaningful oversight. Cybersecurity failures at the top undermine public trust and put our infrastructure, data, and privacy at risk. I expect seriousness and accountability from those entrusted with protecting this country’s digital systems, and I hope you do as well.