
Treasury Missed Security Controls in Giving DOGE System Access, GAO Finds
Why It Matters
The findings expose critical vulnerabilities in the nation’s payment infrastructure and underscore the need for stricter oversight of external actors accessing federal systems, a risk with both financial and political ramifications.
Key Takeaways
- GAO audit uncovered unauthorized DOGE access to Treasury payment systems
- Associate lacked required IT security training and signed behavior policy
- Briefly granted ability to modify system, but no changes made
- Data loss tools failed to block unencrypted foreign aid data transfers
- Treasury agreed to only some GAO security recommendations
Pulse Analysis
The GAO’s latest audit shines a spotlight on a growing governance challenge: how federal agencies balance rapid policy implementation with robust cybersecurity safeguards. By allowing a DOGE associate—linked to former Treasury official Marko Elez—to view, copy, and even temporarily edit code within the Bureau of Fiscal Service’s payment platforms, Treasury sidestepped its own training and behavior‑policy requirements. This breach illustrates a broader trend of political pressure overriding standard IT controls, especially when high‑profile figures like Elon Musk’s team seek to influence aid disbursements.
Beyond the immediate procedural lapses, the incident raises systemic concerns about data‑loss‑prevention (DLP) capabilities across the government. The watchdog found that unencrypted foreign‑aid data was transmitted to other agencies without detection, highlighting gaps in monitoring tools that are supposed to flag cross‑agency data flows. Such weaknesses could be exploited by malicious actors or result in inadvertent leaks of sensitive information, eroding public trust and potentially compromising national security. Lawmakers, including Rep. Richard Neal, are now demanding full implementation of GAO’s recommendations, signaling heightened congressional scrutiny of federal IT risk management.
Looking ahead, Treasury’s partial acceptance of GAO’s recommendations suggests a need for more decisive action. Strengthening exit‑interview protocols, enforcing mandatory security certifications, and upgrading DLP systems are essential steps to prevent repeat incidents. As the government continues to digitize critical financial operations, establishing clear, enforceable security baselines will be pivotal in safeguarding the integrity of U.S. payment systems and maintaining confidence among international partners and taxpayers alike.