DOGE, Treasury Systems Access, and the Security of Federal Payments

Executive Summary

Granting non-career staff administrative level access to federal payment systems creates audit, segregation of duties, and insider risk concerns that the existing Treasury control environment was not designed to absorb at speed. This article walks through the specific control gaps and the compensating measures that are realistically available.

One of the most consequential and contested aspects of the Department of Government Efficiency's early operations was the granting of administrative access to Treasury Department payment systems to individuals who were not career civil servants and who did not hold the standard background investigations and security clearances that such access historically required. The systems in question process federal payments, tax refunds, Social Security disbursements, and the vast flow of funds between the federal government and its contractors and grantees. The access debate is fundamentally a security debate, even when it is framed in political terms.

What Those Systems Actually Do

The Bureau of the Fiscal Service operates the systems that disburse roughly six trillion dollars annually. These systems include the Payment Automation Manager, the Secure Payment System, and the interfaces that connect to the Federal Reserve's wire transfer infrastructure. They are not consumer banking applications. They are mainframe-based systems with custom protocols, strict audit trails, and multi-layered approval chains that were designed over decades to prevent unauthorized disbursement, fraud, and error.

The security model for these systems has historically relied on a combination of technical controls and procedural controls. Technical controls include role-based access, privileged access management, and session logging. Procedural controls include separation of duties, where no single individual can both initiate and approve a payment, and background investigations that must be completed before privileged access is granted.

How the Access Model Changed

The DOGE appointees who received access were added to administrative roles that had not previously existed for their positions. The process bypassed several of the procedural controls that had been in place. Background investigations were either not completed or were completed on an expedited basis that did not match the standard timeline. The individuals in question had broad read access to payment records and, in some configurations, the ability to modify payment files before they were submitted for final processing.

The Treasury Department's inspector general and several congressional committees raised concerns about whether the access grants complied with the Federal Information Security Management Act and with the specific security controls defined in the system's authorization package. The authorizing official for the system, the senior executive who bears personal responsibility for the security of the system, reportedly was not consulted before the access was provisioned.

The Technical Risks

The risks of broad administrative access to payment systems are not theoretical. They have been demonstrated repeatedly in both public and private sector breaches.

Insider threat is the most direct concern. An individual with administrative access can, depending on the specific role configuration, view sensitive payment data including bank account numbers, redirect payments to different accounts, or modify payment amounts. The controls that prevent this are the procedural ones: separation of duties, dual control, and audit review. When those procedures are bypassed or compressed, the technical controls alone are insufficient.

Supply chain and lateral movement are the second concern. Administrative accounts are high value targets for external adversaries. If an attacker compromises the credentials of an administrator, the attacker gains the same broad access that the administrator holds. Nation state actors have demonstrated sustained interest in Treasury systems. The addition of new administrative accounts with potentially different security practices expanded the attack surface.

Audit integrity is the third concern. Payment systems rely on audit logs to detect fraud, to reconstruct incidents, and to satisfy legal and regulatory requirements. If an administrator has the ability to modify or delete logs, the audit function is compromised. The ability to review whether logs were modified becomes a separate and more difficult problem.

The Organizational Fallout

Career Treasury officials faced an unprecedented situation. The employees who understood the systems best were being asked to grant access to individuals they did not know, without the documentation they normally required, and in some cases under implicit or explicit threat of termination if they refused. Several career officials resigned rather than comply. Their departure further degraded the institutional knowledge that would be needed to assess whether the access grants had introduced vulnerabilities.

The morale effect extended beyond Treasury. Employees at other agencies watched the Treasury situation and drew conclusions about whether their own systems would be subject to similar access grants, and whether their own objections would be respected. The cumulative effect on the federal cybersecurity workforce, already strained by reductions, was significant.

What a Defensible Model Would Require

A defensible approach to administrative access for non-career officials would include several elements that were absent in this case.

Background investigations completed to the standard required for the sensitivity level of the data, not expedited or waived. Role-based access limited to the minimum necessary for the specific function, not broad administrative privileges. Separation of duties maintained, so that no individual could both modify payment files and approve their submission. Pre and post access briefings on legal obligations, insider threat rules, and audit expectations. A formal risk acceptance memo signed by the authorizing official that documents any deviation from standard controls and the compensating measures in place.

None of these measures are exotic. They are the baseline for any federal system handling high value financial data. Their absence in this case is what made the access grants a security event rather than a routine administrative action.

Sources and Citations

1. Department of the Treasury, Bureau of the Fiscal Service, system of records notices and security documentation for payment systems.
2. Government Accountability Office, Financial Audit of the Bureau of the Fiscal Service, fiscal year 2024.
3. NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations.
4. Federal court filings and orders in litigation concerning DOGE access to Treasury payment systems, 2025.
5. Inspector General of the Department of the Treasury, audit and oversight reports, 2024 and 2025.