National security, now featuring grievance management and the administrative leave of anyone who has ever touched a scheduling app.
There’s a particular kind of chaos that only exists inside agencies that handle sensitive intelligence. It’s not loud. It’s not cinematic. It’s the quiet kind where people stop sending emails and start communicating through pauses, raised eyebrows, and the ancient federal art of “Let’s talk about this in person, far away from printers.”
That’s where CISA is right now.
The Cybersecurity and Infrastructure Security Agency is dealing with an internal blowup that reads like a workplace farce until you remember this is a national security agency whose entire job is to reduce risk, prevent breaches, and keep the country’s critical infrastructure from getting turned into a headline. The story begins, as so many modern government calamities do, with a leader who wanted access to something sensitive and did not enjoy being told “no.”
It escalates into a polygraph. It detonates into retaliation. And it ends, at least for now, with the most Washington outcome imaginable: people who schedule meetings are being treated like they launched a coup.
Here’s the verified chronology as it has been reported.
Madhu Gottumukkala is serving as acting director of CISA. He’s an appointee linked to Homeland Security Secretary Kristi Noem’s political network, and he is running the agency without Senate confirmation. That “acting” status matters because it sets the mood. Acting leaders often operate like time is short, oversight is annoying, and accountability is a future person’s problem.
Gottumukkala sought access to extremely sensitive intelligence programs that another U.S. intelligence agency shares with CISA under strict rules. This is not “can I read the briefing.” This is “can I be read into a compartment with unique protections and high consequence.” Access of that kind is governed by need-to-know and by the originating agency’s conditions, and those conditions can include a counterintelligence polygraph.
It’s important to understand what a polygraph represents in this world. It’s not a party trick. It’s not a truth serum. It’s a security gate wrapped in a ritual. In national security bureaucracy, a polygraph is less about perfection and more about risk tolerance. It’s used to assess whether someone can be trusted with certain compartments, certain “read-ins,” and certain programs that are shared only with people who meet specific criteria.
In early June, reporting indicates that Gottumukkala’s initial request for access was denied by a senior CISA official. The rationale was reportedly that there wasn’t an urgent need-to-know, and that even the agency’s prior deputy director had not viewed this program. That detail matters because it suggests the access he wanted was not standard for the role and was not part of the normal operating pattern.
But the push didn’t stop. Gottumukkala reportedly continued pressing for access and signaled he was willing to take a polygraph to satisfy the requirement. That decision is the pivot point. Because in July, he sat for a polygraph that multiple current and former officials say he was not required to take, and then he failed.
The failure became the center of gravity. Not in a “we need to assess access risk and manage this responsibly” way, but in a “who can we blame for the existence of this test” way.
Shortly after, at least six career staffers involved in scheduling or coordinating the polygraph were placed on paid administrative leave and put under investigation. The allegation from DHS leadership and Noem allies, as described in official statements and reporting, is that the polygraph was “unsanctioned” and improperly arranged by staff, and that staff misled incoming leadership about whether the test was necessary.
This is where the story goes from troubling to absurd.
In normal adult governance, if a leader chooses to sit for a high-stakes security test, the primary responsibility for that decision rests with the leader. Even in the most bureaucracy-soaked environment, you don’t typically handle a failed trust gate by treating your administrative staff like they forged the gate out of spite. Scheduling is not command authority. Coordinating is not coercion. A calendar invitation is not a coup plot.
So what does “unsanctioned” mean in this context.
That’s the bureaucratic mechanics at the center of the dispute. In the intelligence world, “sanctioned” is not a mystical quality. It’s a chain-of-authority question. Who has the authority to request a polygraph. Who controls the program and the requirement. Who signs off. Which agency’s security office manages it. What documentation exists for the request. What conditions trigger it. And most critically, whether the polygraph is a formal prerequisite for access to a compartment, or a discretionary step someone opted into for reasons that may now be politically inconvenient.
The reporting suggests that the polygraph was connected to access to an exceptionally sensitive program shared with CISA, and that the originating agency required the polygraph for anyone being read into that program. That would mean the test wasn’t a random detour, it was tied to a compartmented access decision. If that’s correct, then calling it “unsanctioned” becomes less a factual description and more a political framing, an attempt to treat the test as illegitimate so the failed result can be rhetorically waved away.
Because a failed polygraph raises uncomfortable questions in any security environment, even among people who know polygraphs are imperfect. At minimum, it creates a problem: if the origin agency requires it for access, a failure can block access. If leadership then tries to preserve access anyway, it creates a bigger problem: trust. Other agencies share sensitive programs with CISA because they believe CISA will handle them responsibly. If that trust is shaken, sharing can narrow. Collaboration can freeze. Damage can ripple outward.
That’s why this episode has ricocheted across an agency already under extreme stress.
CISA has been living inside mission whiplash and political pressure for years. It’s expected to defend critical infrastructure, coordinate with industry, handle cyber incidents, and manage the delicate balance between public transparency and classified collaboration. It’s also been caught in the crossfire of partisan narratives about what the agency should be allowed to say, what it should focus on, and how “cybersecurity” is framed in public discourse. Add attrition, burnout, and constant threat churn, and you get an organization where trust is not a soft value. Trust is operational infrastructure.
Now imagine what it does to morale when career staff see colleagues put on paid leave for coordinating a process that leadership either requested or accepted.
You don’t have to be a cynic to understand the chilling effect. People start avoiding tasks. They start refusing to touch sensitive coordination work. They start documenting everything like they’re preparing for a deposition, because they might be. They stop volunteering for anything near leadership’s ego. And in a national security agency, that kind of internal fear becomes a risk multiplier.
There’s also the leadership fitness question, the one that everyone in the building can sense even if nobody wants to be the person who says it out loud.
If an acting director is pushing for extraordinary access beyond what predecessors used, chooses to sit for a high-stakes security test, fails, and then triggers administrative punishment for the people who coordinated the process, that’s not just messy. It’s a governance red flag. It suggests a leader who treats security systems as personal obstacles rather than institutional safeguards. It suggests a leader who responds to inconvenient outcomes by hunting for scapegoats. It suggests a leader operating on grievance, not competence.
And because this is Washington, the public-facing narrative has split into competing storylines.
One storyline says the polygraph was improper, arranged without proper authorization, and that staff misled leadership. In that version, the suspensions are accountability.
The other storyline, described by current and former officials in reporting, is that Gottumukkala chose to sit for the polygraph, that it was tied to access requirements for a sensitive program, and that the “unsanctioned” claim is a cover for the far more alarming issue: an acting leader failed a trust test and the institution is now trying to protect him by punishing the people nearest the paperwork.
If you want a quick way to tell which storyline feels more plausible, ask yourself a simple question. In the federal government, who gets punished when something becomes politically embarrassing. The person with authority, or the person with a calendar.
The near-term decision points are blunt.
Will the staff suspensions stand, or will they collapse under internal review once it becomes clear who authorized what and why. Will the Inspector General or congressional oversight bodies intervene to demand documentation about the polygraph’s origin, the decision to put staff on leave, and the rationale behind calling the exam “unsanctioned.” Will the agency produce a clear paper trail that explains who ordered the test, whether the originating intelligence agency required it for read-in, and whether anyone attempted to bypass standard compartments and access controls.
And then comes the question nobody can avoid forever: does Gottumukkala retain access and authority despite the failed test.
That matters not only for his personal status but for CISA’s relationships with other agencies. If partners believe the agency is being run through political loyalty and narrative management, they will share less. They will slow cooperation. They will create new friction points. And in cybersecurity, friction is vulnerability.
CISA is not a normal agency. It operates in an ecosystem where trust and speed are everything. Cyber incidents move fast. Threat actors don’t wait for committees. Critical infrastructure attacks don’t pause for leadership drama. The agency’s ability to respond depends on internal confidence and external partnerships, and both are weakened when leadership behaves like a grievance machine.
There is a reason professionals treat national security systems as boring and procedural. Boring is safe. Boring is accountable. Boring means you don’t have to reinvent basic trust protocols because somebody’s ego got bruised.
This episode is the opposite of boring.
It’s a demonstration of what happens when the logic of the security state gets replaced by the logic of political theater. Instead of competence, you get blame. Instead of trust, you get investigations. Instead of clear authority, you get semantic battles over whether something was “sanctioned,” as if the real issue is the label and not the fact that a national security agency is being run in a way that makes career staff afraid of their own inboxes.
The final insult is that this is happening at a time when the public needs CISA to be the calm adult in the room. Cyber threats aren’t slowing down. Infrastructure vulnerabilities aren’t getting simpler. Foreign actors aren’t suddenly becoming polite. And yet the agency is being pulled into a story where the central drama is not a threat actor but an acting director and a polygraph.
The country’s cyber defense should not be a workplace sitcom with classified attachments.
Fine Print for an Agency That Needs to Trust Itself
If you treat a polygraph failure as a public relations problem instead of a security governance problem, you’re not protecting the mission, you’re protecting the narrative. If you respond by suspending the staff who coordinated the process, you’re not correcting wrongdoing, you’re teaching the agency to fear its own procedures. A national security agency can survive mistakes. It cannot survive leadership that punishes competence and rewards scapegoating. That’s how you end up defending the country with half the room afraid to touch the keyboard.