GAO finds Treasury skipped security rules for DOGE payment access

The Bureau of Fiscal Service gave the DOGE employee access to three payment systems: the Payment Automation Manager (PAM), the Secure Payment System (SPS), and the Intra-Governmental Payment and Collection (IPAC) system. PAM processes approximately 1.2 billion domestic payments annually on behalf of federal agencies. It handles essentially all domestic U.S. government payments, including Social Security checks, federal employee salaries, and vendor contracts.

SPS allows agencies to securely certify and submit payments to the Fiscal Service, with a strictly enforced separation of duties requiring two separate authorized users for each transaction. IPAC manages fund transfers between federal agencies. Together, these three systems sit at the core of how the U.S. government moves money.

The DOGE employee at Treasury has been identified in court filings and news reporting as Marko Elez, a 25-year-old software engineer. Elez began working at the Treasury Department on January 21, 2025, as part of the DOGE effort to cut federal spending and identify fraud. He resigned on February 6, 2025, after the Wall Street Journal linked him to a deleted social media account that had posted racist content.

GAO's report referred to Elez only as a "DOGE associate" and did not name him directly. The access he received and the security failures surrounding it are the subject of the April 28 report and at least one forthcoming GAO follow-up.

The Bureau of Fiscal Service granted Elez access to view, copy, and print data from all three payment systems. It also let him see the systems' source code. However, BFS never required him to complete the security training mandated for anyone handling sensitive payment data, and he never signed Treasury's rules-of-behavior document that all users must acknowledge before receiving system access.

GAO said these omissions violated BFS's own IT security protocols. Government Executive reported that BFS did not hold Elez accountable for any of these violations during his time at the department.

At one point during Elez's tenure at Treasury, BFS accidentally granted him temporary write access that would have allowed him to create, modify, and delete data in one of the three payment systems. This level of access went far beyond the read-only permission he was supposed to have. GAO found no evidence that Elez made any changes to that system's data before BFS caught the error and revoked the elevated access.

The mistake occurred partly because the access request was changed several times before BFS approved it. GAO said the repeated modifications reflected a lack of controls in BFS's access-granting process.

Despite having only read-level system access, Elez sent an unencrypted Excel file to two DOGE associates at the General Services Administration without obtaining agency approval. The file contained personally identifiable information, including the first and last names of 350 individuals listed to receive USAID payments. Sharing payment recipient data outside Treasury in unencrypted form violated federal data handling rules.

Treasury's data loss prevention tools — systems designed specifically to detect and block unauthorized data transfers — failed to flag or stop the transmission. GAO found that the tools didn't track the transfer at all. BFS also never held Elez accountable for the violation.

The legal fight over DOGE's Treasury access began within weeks of Elez's arrival. A coalition of labor unions sued to block the access, and U.S. District Judge Colleen Kollar-Kotelly issued a temporary restraining order barring DOGE personnel from accessing any BFS payment record or system. The Trump administration later agreed to restrict additional DOGE staff from the payment systems.

Elez had already resigned by the time the court order took effect. His departure preceded the most active phase of the legal battle, but the access he received during his three-week tenure at Treasury is what the April 28 GAO report examined.

Treasury Secretary Scott Bessent publicly defended the DOGE team's presence at Treasury in February 2025, telling Bloomberg Television that the unit consisted of trained professionals. The GAO report released more than a year later found those assurances were inaccurate for at least one DOGE member — Elez completed no required training before receiving access.

In comments on GAO's draft report, Treasury agreed with three of the four recommendations. The department did not formally agree or disagree with the fourth, which asked BFS to conduct exit interviews and collect signed post-employment documentation from staff who leave without completing standard departure procedures.

GAO issued four formal recommendations to Treasury. The first asks BFS to define minimum screening requirements before granting any user access to payment data. The second requires BFS to strengthen mandatory training so no user can access sensitive systems before completing it. The third directs BFS to update its process for reviewing outgoing emails that contain unencrypted payment information so monitoring tools actually flag them.

The fourth recommendation asks Treasury to conduct exit interviews and collect signed post-employment documentation from departing staff who had payment system access but left without completing standard procedures. Treasury's partial non-response on this point means the accountability gap created by Elez's abrupt departure remains unaddressed. Federal News Network reported that sources called the April 28 report just the tip of the iceberg given how many DOGE associates accessed federal agencies.

GAO's ongoing review extends beyond the access Elez received. The April 28 report examined only one DOGE employee's access to one set of Treasury systems during a three-week window in early 2025. GAO stated it is still examining broader patterns of DOGE access across the department and will issue additional reports. Congressional oversight advocates argue the security failures GAO documented at Treasury likely replicate patterns at other agencies where DOGE teams operated.

The Bureau of Fiscal Service doesn't decide what gets paid or to whom — it executes payments as directed by other agencies. But the access Elez received gave him visibility into payment records across the entire federal government, including sensitive foreign aid disbursements through USAID, making BFS one of the highest-risk entry points in the entire federal data infrastructure.