Treasury missed security controls in giving DOGE system access, GAO finds

Congress’ watchdog reported on Tuesday that the Treasury Department gave a Department of Government Efficiency associate access to the government’s payment systems last year without fully following all of its own security controls — and the DOGE team didn’t always hew to Treasury’s protocols, either. 

The findings are among the first reports the Government Accountability Office has released about DOGE’s work, and GAO is working on more audits focused on DOGE access to government systems, a spokesperson confirmed with Nextgov/FCW on Tuesday.

The new report on Treasury zeroes in on atypical access to the government’s payment systems given to DOGE associates. 

DOGE access to sensitive government data and systems across agencies has been a flashpoint since the early days of Trump’s second term. DOGE associates said in court testimony earlier this year that pushing for high-level access to government systems was “operating procedure” for the group.

At Treasury, soon after Trump took office last year, individuals on billionaire Elon Musk’s team reportedly began pressing for officials to hand over system access to DOGE employee Tom Krause so that the department could freeze foreign aid payments. A top Treasury official was eventually pushed out of his job after refusing to provide access to the systems.

GAO found that Treasury handed over access to view, copy and print data from the Bureau of Fiscal Service’s three payment systems to an unnamed DOGE associate, who could also see the systems’ source code. 

But that member of Musk’s team never completed required security training while working at the department or signed Treasury’s “rules of behavior” policy for IT security while working there.

GAO doesn’t name this DOGE employee in its report, but other details provided by the watchdog match with public reporting on Marko Elez, like the day he resigned, Feb. 6, 2025, following reporting about his racist social media posts. He later went on to work for DOGE at other agencies.

At one point, Treasury accidentally briefly gave that same DOGE employee the ability to make changes in one of those systems, something GAO said was due in part to the agency’s lax procedures and the fact that the access being requested was changed several times before it was approved. The DOGE employee didn’t use the system during this time, GAO says. According to reporting on court records, this was also Elez.

GAO also found that Treasury’s data loss prevention tools didn’t track or block Elez from improperly sending unencrypted information on foreign aid to two DOGE associates at the General Services Administration. Elez did this without getting agency approval for sharing the information on U.S. Agency for International Development payments. 

Treasury didn’t discover that incident until it conducted a forensic review of the laptop after Elez had left the department. The department didn’t find the incident sooner in part because its tools aren’t set up to look for information being sent to other government agencies, the report says. 

GAO included several recommendations regarding the department’s IT security processes in the audit, only some of which Treasury formally agreed with.

The top Democrat on the Ways and Means Committee, Rep. Richard Neal, D-Mass., said in a statement that “GAO has confirmed our worst fears,” and called on the Treasury to implement all of GAO’s recommendations. 

Among those the department didn’t formally agree or disagree with is one urging it to conduct exit interviews and get signatures on post-employment documentation from those with access to sensitive payment systems who leave the department without doing so — including the DOGE employee discussed in the report with access to systems.

The watchdog will be issuing additional reports on DOGE access to Treasury payment systems, it says in the report. The topic has also been working its way through the courts. A district court judge granted a preliminary injunction limiting DOGE access to Treasury systems with sensitive information last year, although that was later modified to allow some access to systems.

GAO also released another report Tuesday on DOGE’s access to systems at the NLRB. Just over a year ago, a whistleblower in the agency said that DOGE had extracted troves of data from the agency using secretive methods during March 2025. 

The NLRB’s inspector general has an ongoing investigation into the whistleblower’s declaration, the office confirmed to Nextgov/FCW. 

GAO’s new report, however, focuses only on the period after DOGE was detailed into the agency in mid-April, so “to not overlap with the NLRB Inspector General’s Investigation.”

Whistleblower Aid, which is representing the NLRB whistleblower, noted the significance of GAO beginning its review period after their client’s disclosed events took place.

“Because the GAO did not investigate any matters that fell within the timeframe disclosed by our client — in fact scoping it out of their investigation — the report cannot address our client's detailed accounts,” Whistleblower Aid told Nextgov/FCW. “Accordingly, the timeframe investigated by the GAO has no relationship to the wrongdoing witnessed by the whistleblower in February to early April 2025.”

GAO found that the DOGE team asked for access to NLRB systems, but didn’t use the access it was granted. DOGE didn’t even pick up NLRB laptops before their detail agreements expired in July, according to GAO.