
Federal Cybersecurity After DOGE: What the GAO Found One Year Later

GAO confirmed: Treasury gave DOGE system access without training, controls, or exit interviews. Here's what the April 2026 reports actually say — and what they don't cover.


What GAO Has Confirmed: A Timeline

| Date | Event | Source |
|---|---|---|
| Jan. 20, 2025 | DOGE created by executive order; Treasury DOGE team deployed to BFS | Executive Order 14158; GAO-26-108131 |
| Jan.–Feb. 2025 | DOGE employee accesses 3 BFS payment systems; source code access confirmed | GAO-26-108131 |
| Feb. 6, 2025 | DOGE employee resigns from Treasury (matches Marko Elez, per public reporting) | GAO-26-108131; public court records |
| Feb. 2025 | Unencrypted USAID PII file (350 individuals) transmitted without BFS approval | GAO-26-108131 |
| Feb. 2025 | Treasury OIG opens audit of BFS system access | Treasury OIG; The Hill |
| Mar. 2025 | DOGE engineers visit NLRB; whistleblower Daniel Berulis files disclosure with Congress | NPR; Congressional disclosure |
| Apr. 11, 2025 | GAO’s Treasury audit window closes | GAO-26-108131 |
| Apr. 16, 2025 | DOGE formally detailed to NLRB; GAO’s NLRB audit window opens | GAO NLRB report, Apr. 2026 |
| Apr. 24, 2025 | NLRB DOGE accounts created — never activated | GAO NLRB report, Apr. 2026 |
| Jul. 25, 2025 | NLRB DOGE detailee agreements expire; dormant accounts disabled | GAO NLRB report, Apr. 2026 |
| Sept. 25, 2025 | Senate HSGAC Democrats release report on SSA, GSA, OPM; SSA 65% breach risk cited | HSGAC Minority Report (Peters) |
| Dec. 16, 2025 | GAO Comptroller General Dodaro warns Senate: CISA cuts leave U.S. “very vulnerable” | Senate HSGAC hearing |
| Dec. 2025 | CISA workforce: ~2,400 employees, down from 3,400 at FY2025 start (−29%) | NYT; Federal News Network |
| Apr. 28, 2026 | GAO releases Treasury report (GAO-26-108131) and NLRB report | GAO |
| May 2026 | NLRB OIG investigation into March 2025 period ongoing | FedScoop; OIG |

On April 28, 2026, the Government Accountability Office released two reports examining the Department of Government Efficiency’s access to federal computer systems. Together, they are the most authoritative public accounting to date of what DOGE actually did — and did not do — inside federal agencies between January and July 2025. The Treasury report (GAO-26-108131) confirmed that a DOGE employee accessed three Bureau of the Fiscal Service payment systems without completing required security training, sent unencrypted personal data outside the agency without approval, and left the department with an active interim security clearance that GAO says still permitted access to sensitive payment systems. The NLRB report found no evidence of system access during the formal agreement period — but the audit’s start date was two days after the events the original whistleblower had alleged.

This article is a primary-source analysis of both GAO reports, the September 2025 Senate HSGAC Democratic report on SSA, GSA, and OPM, and the documented restructuring of the Cybersecurity and Infrastructure Security Agency. It does not rely on secondary coverage. Where Axis Intelligence has performed original analysis — cross-referencing findings, calculating net risk deltas, identifying structural gaps in what each investigation actually covers — that analysis is labeled as such.


The Treasury Report: What GAO-26-108131 Actually Confirmed

The GAO’s Treasury report is based on an audit of DOGE team access to Bureau of the Fiscal Service payment systems between January 20 and April 11, 2025 — a window of just under three months. The BFS is not a peripheral agency. It processes federal income tax refunds, Social Security and benefits payments, federal employee salaries, and vendor payments for most federal entities. It is, in functional terms, the central plumbing of U.S. government finance.

Access: What the DOGE Employee Could Do

GAO confirmed that one DOGE employee received access to three BFS payment systems. That access included the ability to view, copy, and print data across all three systems. It also included read access to the source code of those systems.

Source code access is categorically different from data access, and GAO’s language here is important. When you can read source code, you can understand how a system is architecturally organized, where its validation logic sits, what assumptions its security controls make, and — if the system has vulnerabilities — where they are. This is not a theoretical risk. According to Axis Intelligence’s analysis, source code access to a payment system that disburses a majority of federal payments represents a reconnaissance capability that would be the explicit objective of a sophisticated nation-state intrusion, not a routine administrative review.

In addition, GAO found that the DOGE employee was inadvertently granted temporary access to create, modify, and delete data for one of the three systems. GAO found no evidence this access was used to make any changes before it was revoked.

The Security Control Failures: Four Areas, Three Unaddressed

GAO identified 14 applicable IT security controls across four categories — managing system access, protecting sensitive information, training, and data loss prevention. The bureau addressed only one of the four areas adequately. The failures in the remaining three:

Training: The DOGE employee never completed required security training before being granted access to sensitive payment systems. This is not a procedural technicality. Federal Information Security Modernization Act (FISMA) requirements and NIST SP 800-53 both specify that individuals with access to sensitive systems must complete security awareness training before access is granted, not concurrently or after. The training requirement exists precisely because access without understood obligations creates unmonitored risk.

Rules of behavior: The employee never signed BFS’s “rules of behavior” policy for IT systems — the document that defines what a user may and may not do, establishes post-employment obligations, and creates a documented record of the user’s understanding of their legal obligations. GAO found the employee was “never informed of or agreed to their post-employment data protection requirements at the time of their departure from the agency.”

Post-employment access: Because no exit interview was conducted and no post-employment documentation was signed, the departing employee left Treasury while retaining an interim security clearance that GAO says still permitted access to “multiple BFS systems containing sensitive federal payment information.” GAO stated directly: the bureau has “less assurance that these individuals will appropriately protect this sensitive information” until it establishes exit procedures for unexpected departures.

Data loss prevention: BFS’s data loss prevention tools were not configured to identify and block unencrypted payment information transmitted to external parties. This configuration failure is what allowed the next incident to occur.

The Unencrypted Data Transmission

The most concretely documented violation in GAO-26-108131 is the transmission of an unencrypted Excel file containing personally identifiable information for 350 individuals — USAID payment recipients — from a DOGE team member at Treasury to two DOGE associates at the General Services Administration.

The file was sent without BFS approval. The employee did not encrypt the data. The employee did not obtain authorization before sending agency data externally. BFS’s data loss prevention tools did not flag or block the transmission. The bureau did not discover the incident until it conducted a forensic review of the employee’s laptop after the employee had already departed.

BFS officials, reviewing the incident after the fact, characterized the disclosure of personally identifiable information as “low risk” because the file did not include Social Security numbers, addresses, or dates of birth for the listed individuals. That characterization warrants scrutiny. According to Axis Intelligence’s analysis, USAID payment recipient data — which identifies individuals receiving U.S. government foreign aid payments — can constitute sensitive national security information in contexts where the individuals’ identities are not public. The “low risk” conclusion was reached by BFS, not by GAO, and GAO’s report does not endorse it.

GAO’s Recommendations and Treasury’s Response

GAO issued recommendations in four areas: defining minimum screening requirements for DOGE team access to payment systems; strengthening security training requirements before access is granted; updating BFS processes for reviewing emails containing unencrypted payment information; and establishing exit interview and post-employment documentation procedures for individuals with access to sensitive payment systems who leave unexpectedly.

Treasury agreed with the recommendations on screening, training, and email review. On the exit interview and post-employment documentation recommendation — the one directly relevant to the employee who left without signing required documentation — the department neither agreed nor disagreed, citing ongoing process reviews.

GAO stated explicitly that this report “represents the preliminary results of our ongoing work reviewing DOGE access to Treasury systems.” Additional reports are expected.


The NLRB Report: What GAO Found, and What It Couldn’t Cover

The second GAO report released April 28 addresses DOGE’s access to National Labor Relations Board systems. The finding — that GAO found no evidence DOGE team staff accessed NLRB systems during the formal agreement period — has been characterized both as a vindication of DOGE and as a structurally incomplete audit. Both characterizations are partially correct, and the distinction matters.

What the Audit Found

Two DOGE staffers were formally detailed to the NLRB beginning April 16, 2025, under agreements running through July 25, 2025. GAO reviewed system access logs for that period. Accounts for seven NLRB HR systems — covering personnel records, payroll, and hiring databases — were created April 24. GAO found no logins during the entire formal agreement period. The laptop computers issued to the DOGE staffers were never picked up. The accounts were deactivated when the agreements expired.

The finding is unambiguous for the period GAO examined: during the formal detailing agreement, the two assigned DOGE staffers did not access NLRB systems.

What the Audit Didn’t Cover — and Why

The whistleblower at the center of the NLRB controversy, NLRB IT staffer Daniel Berulis, alleged that DOGE personnel arrived at NLRB headquarters in the first week of March 2025 — before the formal agreement existed. Berulis alleged in his official disclosure to Congress that these visitors demanded “tenant owner level” accounts with essentially unrestricted read, copy, and alter permissions. He alleged they instructed IT staff not to implement tracking on the accounts. He documented what he described as an unusual spike in outbound network traffic from NLRB’s NxGen case management system — a system containing union organizing data, witness testimony, and proprietary corporate information from ongoing investigations.

Berulis also documented that, in the minutes following the alleged DOGE access, someone with a Russian IP address attempted to log into NLRB systems using one of the newly created DOGE account credentials — with the correct username and password. Those attempts were blocked.

GAO’s audit window opened on April 16, 2025 — the date the formal agreement began. GAO stated explicitly that it scoped its review to avoid overlapping with an ongoing NLRB Office of Inspector General investigation into the March period. The NLRB OIG investigation into Berulis’s allegations remains open as of this writing.

According to Axis Intelligence’s analysis, this audit structure reveals a systemic gap in federal oversight coverage: the formal agreement mechanism that triggers GAO’s audit authority can be circumvented by accessing systems before formal agreements are established. GAO can only audit what it has authority to audit. The March 2025 period, when the most serious allegations occurred, falls outside both GAO’s completed review and the coverage of the NLRB’s own internal investigation (which found no breach but was conducted before Berulis’s full forensic documentation was available).

The NLRB OIG investigation may resolve this gap. Until it does, the question of what happened at the NLRB in March 2025 remains formally open.


The CISA Crisis: Threat Surface Expanded, Detection Capacity Shrank

While DOGE was gaining access to federal payment systems, federal employment databases, and Social Security infrastructure, the agency responsible for protecting federal cybersecurity was losing a third of its workforce.

The Cybersecurity and Infrastructure Security Agency entered fiscal year 2025 with approximately 3,400 employees. By December 2025, that number had fallen to approximately 2,400 — a reduction of roughly 1,000 workers, representing a 29% workforce contraction in under 12 months, per reporting from The New York Times and Federal News Network. The reductions came through a combination of layoffs, voluntary buyouts, and early retirements.

The budget impact compounded the workforce impact. CISA’s operating budget was cut by $135 million in June 2025 — significantly less than the $495 million (18%) reduction the Trump administration had initially proposed, but still a material operational reduction. Private-sector contracts with threat-hunting partners Nightwing and Peraton were terminated, removing dedicated personnel from ongoing threat-hunting operations.

CISA’s election security office was eliminated entirely. The agency’s Computer Security Incident Response Center — which provides incident support to agencies experiencing active cyber events — saw contractor staffing reductions. Sean Plankey, the administration’s nominee to lead CISA, withdrew his nomination, leaving the agency without confirmed leadership during a period of significant restructuring.

In December 2025, outgoing GAO Comptroller General Gene Dodaro — completing a 15-year tenure as the nation’s chief auditor — testified before the Senate HSGAC Subcommittee on Border Management, Federal Workforce and Regulatory Affairs. His final public message was unambiguous: daily pressure from state and non-state actors had left the U.S. in a “very vulnerable” position, and cybersecurity and critical infrastructure protection were not receiving attention matching the severity of threats. The warning was directed specifically at the consequences of CISA staffing reductions.

According to Axis Intelligence’s analysis of publicly documented workforce and access changes, the 2025 federal cybersecurity posture involves a structural paradox: the number of people and systems with authorized access to sensitive federal data increased (DOGE deployments across Treasury, BFS, SSA, OPM, GSA, DHS), while the workforce responsible for monitoring, detecting, and responding to anomalous access in those systems simultaneously shrank. You cannot increase the threat surface and reduce the sensor coverage without increasing net risk — regardless of whether any specific access event is later characterized as intentional or accidental.

The International Monetary Fund has projected a 175% increase in cybercrime losses from 2022 to 2027. The IMF made that projection before the 2025 federal cybersecurity workforce reductions were documented.

The Senate HSGAC Report: What Congress Found at SSA, OPM, and GSA

Three weeks before the GAO reports, the Senate Homeland Security and Governmental Affairs Committee’s Democratic minority — led by Ranking Member Gary Peters (D-MI) — released its own investigative findings on September 25, 2025. The report drew on staff site visits, whistleblower disclosures, court filings, and media accounts to document DOGE activity at the Social Security Administration, the General Services Administration, and the Office of Personnel Management.

The HSGAC report is partisan in origin — it was produced by the minority, not the full committee — and should be read with that context. It is not a GAO audit. It does not carry the methodological standards of a nonpartisan investigation. However, it cites primary sources — including whistleblower disclosures on file with the committee, SSA’s own internal risk assessments, and court filings — that are independently verifiable and have not been publicly refuted by the agencies described.

SSA: The 65% Catastrophic Breach Risk Assessment

The HSGAC report’s most significant finding involves the Social Security Administration. According to committee staff, SSA’s own internal risk assessment — produced by SSA itself, not by critics — documented up to a 65% probability of a catastrophic breach of the systems that DOGE personnel were accessing. That assessment was made while DOGE staff were reportedly copying Social Security data into a new cloud environment without verified security controls.

SSA’s Chief Information Security Officer, Joe Cunningham, reportedly told DOGE personnel directly that SSA policy prohibits the use of production data in unsecured cloud environments because of the heightened security risks. The HSGAC report documents this communication in Exhibit C, drawing on whistleblower disclosures provided to the committee.

The data in question is not administrative: Social Security systems contain names, Social Security numbers, dates of birth, addresses, banking information, disability determinations, and earnings histories for hundreds of millions of Americans. A catastrophic breach of that dataset would represent the most significant personal data exposure in U.S. history, surpassing the 2015 OPM breach (21.5 million records) by at least an order of magnitude.

SSA’s public spokesperson told CyberScoop at the time of the report’s release that there are “no DOGE employees at SSA, only agency employees” — a statement that addresses formal employment status rather than operational access.

OPM: Denial, Contradiction, and Court Records

The HSGAC report documents that OPM leadership, during the committee staff’s site visit, denied the presence of DOGE personnel at the agency — a denial that directly contradicted OPM’s own statements in federal court filings. The discrepancy between what agency officials told congressional staff and what those same officials had represented to a federal court is documented in the report with citation to specific filings.

OPM maintains personnel records for the entire federal civilian workforce. Its databases contain security clearance information, employment history, performance evaluations, and personal identifying information for current, former, and prospective federal employees. The 2015 OPM breach — attributed to Chinese state-sponsored actors — is still considered the most damaging federal data breach in history for its counterintelligence implications. The personnel records DOGE reportedly accessed at OPM are the same category of data.

GSA: Taken Over, Not Monitored

At GSA, the HSGAC report found that DOGE personnel took physical control of the administrator’s office. Senior GSA officials, during the committee staff visit, “could not inform staff on DOGE employee adherence to privacy and cybersecurity policy, guidance, and existing statute.” The agency could not confirm whether DOGE personnel had followed required procedures because it had no visibility into their activities.

GSA is the federal government’s centralized procurement and real estate agency. It also hosts Login.gov, the federal government’s shared authentication platform used by dozens of agencies. GSA’s IT systems include vendor contracts, federal building data, and shared technology infrastructure used across agencies.


The Federal Information Security Modernization Act (FISMA), first enacted in 2002 and modernized in 2014, establishes the legal framework for federal cybersecurity. It requires agencies to implement risk-based security controls, conduct regular assessments, authorize systems before operation, and maintain continuous monitoring. NIST Special Publication 800-53 provides the specific control catalog that agencies must implement.

The GAO-26-108131 findings, taken against this legal framework, identify not just procedural failures but potential statutory noncompliance:

FISMA Section 3554(a)(1)(A) requires each agency to develop, document, and implement an information security program — including risk-based controls before granting system access. BFS granted access to three payment systems without implementing 11 of the 14 identified applicable controls.

FISMA Section 3554(a)(2) requires agencies to ensure compliance with security requirements for all individuals with access to agency information systems. The DOGE employee who received access never completed required training or signed the rules of behavior document. This is a direct violation of the compliance requirement as written.

Privacy Act of 1974 (5 U.S.C. § 552a) restricts the disclosure of personally identifiable information from federal systems of records. The unencrypted transmission of 350 individuals’ USAID payment recipient data to two associates at a different agency without BFS approval raises Privacy Act compliance questions that BFS’s “low risk” characterization does not resolve.

The Center for Democracy and Technology’s senior policy analyst Quinn Anex-Ries, quoted in Federal News Network following the GAO report’s release, framed the implications directly: “Despite Treasury’s conclusion that one DOGE employee would be in a position to cause ‘inestimable damage’ to security interests, the agency couldn’t be bothered to get a signed access agreement from the employee or comply with other baseline safeguards.”

Electronic Privacy Information Center attorney John Davisson described the result as predictable: “that employee promptly broke the law and disclosed sensitive, unencrypted personal data to speed along the destruction of USAID.”

According to Axis Intelligence’s analysis of the legal framework, the GAO findings document a situation where the statutory requirements existed, the agency knew they existed, and they were not implemented. The question of whether this constitutes a FISMA violation has not been adjudicated, and GAO is not a law enforcement body. But the elements that would constitute noncompliance are documented in GAO’s own report text.

The Axis Intelligence Net Risk Assessment

Every investigation into DOGE’s federal cybersecurity impact has been bounded — by audit window, by agency scope, by the distinction between formal and informal access, by ongoing investigations that preclude parallel review. No single document gives a complete picture. According to Axis Intelligence’s synthesis of GAO-26-108131, the GAO NLRB report, the HSGAC Democratic report, CISA workforce data, and FBI IC3 2024 reporting, the net federal cybersecurity risk change from the 2025 restructuring period can be characterized across five dimensions:

Confirmed access failures (Treasury/BFS): One confirmed instance of access without required controls, one confirmed instance of unauthorized data transmission, one confirmed instance of post-departure security clearance exposure. These are documented, not alleged.

Unresolved access questions (NLRB, SSA, OPM): The NLRB OIG investigation into March 2025 remains open. SSA’s 65% catastrophic breach risk assessment was made while operations were ongoing. OPM denied DOGE presence to congressional staff while simultaneously acknowledging it in federal court.

Structural exposure increase: DOGE personnel were deployed across at minimum Treasury, BFS, SSA, GSA, OPM, DHS, and NLRB. Each deployment represented an expansion of privileged access beyond the agencies’ normal access management frameworks. GAO’s own reports note that access was granted at a “pace that drew immediate scrutiny from oversight bodies.”

Detection capacity reduction: CISA’s workforce fell 29% during the same period. Threat-hunting contract staff were eliminated. The CISA CSIRT contractor support for incident response was reduced. The agencies experiencing expanded access had simultaneously reduced their external monitoring support.

Ongoing litigation: Federal courts have been the primary venue for constraining DOGE access in real time. A district court granted a preliminary injunction limiting DOGE access to Treasury payment systems; that injunction was later modified. Multiple other cases remain active. The courts have been faster to respond than congressional oversight mechanisms, but injunctions address access going forward, not the data already accessed.

The net assessment: the federal government’s sensitive data exposure increased in 2025, monitoring capacity decreased, and the audit record — while more complete than it was — still contains documented gaps corresponding to the periods and agencies where the most serious allegations were made.

What Happens Next: Investigations Still Open

As of the publication of this article, the following oversight processes remain active or unresolved:

GAO Treasury follow-on reports: GAO explicitly stated that the April 28 report represents “preliminary results of ongoing work.” Additional reports covering Treasury payment system access are expected.

NLRB OIG investigation: The NLRB’s Office of Inspector General is investigating the March 2025 period — the period covered by Berulis’s whistleblower disclosure and specifically excluded from GAO’s audit to avoid overlap. No public timeline for completion has been announced.

Court cases: Multiple federal lawsuits challenging DOGE’s access to agency data remain active in various stages of litigation. Some have produced discovery that has not been made public.

CISA leadership: The agency remains without a Senate-confirmed director. The nominee withdrew. CISA’s operational posture, including its ability to provide effective support to agencies that experienced expanded access under DOGE, is constrained by both the leadership vacancy and the workforce reductions.

GAO 2025 High-Risk List: Federal information security has been on GAO’s High-Risk List since 1997. The 2025 list, released in February 2025, characterized federal cybersecurity and IT modernization as areas exhibiting “serious failures.” The 2027 update will reflect whether the conditions documented in 2025 improved, worsened, or remained static.

Why This Matters Beyond the Politics

Every competent cybersecurity analysis eventually separates the policy question (was this the right policy) from the security question (did this increase or decrease the risk of unauthorized data access or system compromise). Those are different questions with different answers.

The GAO reports answer the security question, not the policy question. GAO found that the Bureau of the Fiscal Service failed to implement required security controls before granting access to its payment systems. That finding is independent of whether DOGE’s efficiency mission is a legitimate policy goal. FISMA applies regardless of the requester’s stated purpose.

The significance for any organization — federal or private — is in the pattern, not the politics. When access is granted faster than controls can be implemented, when data loss prevention tools are not configured to catch unauthorized transmissions, when users leave without completing post-employment documentation, and when the monitoring agency has simultaneously lost a third of its workforce — the risk profile has changed. The question is not whether it is possible to construct a scenario in which no harm resulted. The question is whether the environment in which access occurred met the legal and operational standards designed to make harm unlikely.

According to Axis Intelligence’s reading of GAO-26-108131, the answer is no — at Treasury, in the period GAO examined. The question remains open for every other agency DOGE accessed during the same period.
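The pattern described above can be checked mechanically against an access roster. The following is an added example, not code from GAO's reports or from any agency's tooling; the record schema, finding names, 30-day dormancy threshold, and sample roster are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

DORMANT_DAYS = 30  # assumed threshold for accounts that were never used


@dataclass(frozen=True)
class AccessRecord:
    """One user's access to one system (hypothetical schema)."""
    user: str
    system: str
    granted: date
    granted_privs: frozenset
    approved_privs: frozenset
    training_done: Optional[date] = None
    rob_signed: Optional[date] = None  # rules of behavior
    last_login: Optional[date] = None
    separated: Optional[date] = None
    exit_docs_signed: bool = False
    revoked: Optional[date] = None


def audit(rec: AccessRecord, as_of: date) -> List[str]:
    """Return the control gaps for one record, evaluated as of a given date."""
    findings = []
    # Prerequisites must be dated on or before the grant, not after it.
    if rec.training_done is None or rec.training_done > rec.granted:
        findings.append("TRAINING_NOT_COMPLETE_BEFORE_ACCESS")
    if rec.rob_signed is None or rec.rob_signed > rec.granted:
        findings.append("RULES_OF_BEHAVIOR_NOT_SIGNED_BEFORE_ACCESS")
    # Anything provisioned beyond the approved set is an inadvertent grant.
    extra = rec.granted_privs - rec.approved_privs
    if extra:
        findings.append("PRIVILEGES_EXCEED_APPROVAL:" + ",".join(sorted(extra)))
    # A departure needs exit paperwork and revocation no later than that day.
    if rec.separated is not None:
        if not rec.exit_docs_signed:
            findings.append("NO_EXIT_DOCUMENTATION")
        if rec.revoked is None or rec.revoked > rec.separated:
            findings.append("ACCESS_OUTLIVED_SEPARATION")
    # Live accounts that nobody ever logged into are standing exposure.
    live = rec.revoked is None or rec.revoked > as_of
    if live and rec.last_login is None and (as_of - rec.granted).days > DORMANT_DAYS:
        findings.append("DORMANT_NEVER_USED")
    return findings


def audit_roster(roster: List[AccessRecord],
                 as_of: date) -> Dict[Tuple[str, str], List[str]]:
    """Audit every record; keys are (user, system) pairs."""
    return {(r.user, r.system): audit(r, as_of) for r in roster}


# Constructed sample data: users, systems and dates are invented.
READ = frozenset({"view", "copy", "print"})
AS_OF = date(2024, 6, 1)
SAMPLE_ROSTER = [
    # No training, no rules of behavior, extra write privileges, left with
    # access still live and no exit paperwork.
    AccessRecord("user-a", "payments-1", granted=date(2024, 2, 1),
                 granted_privs=READ | {"modify", "delete"}, approved_privs=READ,
                 last_login=date(2024, 2, 3), separated=date(2024, 2, 10)),
    # Prerequisites met, but the account was created and never used.
    AccessRecord("user-b", "hr-1", granted=date(2024, 4, 1),
                 granted_privs=READ, approved_privs=READ,
                 training_done=date(2024, 3, 20), rob_signed=date(2024, 3, 21)),
    # Fully compliant lifecycle, including same-day revocation at departure.
    AccessRecord("user-c", "payments-1", granted=date(2024, 1, 15),
                 granted_privs=READ, approved_privs=READ,
                 training_done=date(2024, 1, 10), rob_signed=date(2024, 1, 10),
                 last_login=date(2024, 4, 30), separated=date(2024, 5, 1),
                 exit_docs_signed=True, revoked=date(2024, 5, 1)),
]

if __name__ == "__main__":
    for key, findings in audit_roster(SAMPLE_ROSTER, AS_OF).items():
        print(key, findings or "OK")
```

Run on a schedule against the identity system's export, a check like this surfaces an unexpected departure on the day it happens rather than during a later forensic review.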


FAQ: Federal Cybersecurity and DOGE — What GAO Found

What did the GAO find about DOGE’s access to Treasury systems?

GAO report GAO-26-108131, released April 28, 2026, found that a DOGE employee had access to three Bureau of the Fiscal Service payment systems between January and February 2025. The employee had access to view, copy, and print data, plus source code access. BFS failed to implement three of four IT security control areas before granting access. The employee never completed required security training and never signed the required rules of behavior document.

Was any data changed or stolen at Treasury?

GAO found no evidence that the DOGE employee used inadvertent create/modify/delete access to alter any payment system data. However, GAO confirmed that the employee did transmit an unencrypted Excel file containing personally identifiable information for 350 USAID payment recipients to two DOGE associates at GSA — without BFS authorization. BFS did not discover this incident until a forensic review of the employee’s laptop after their departure.

What is the NLRB DOGE situation?

A second GAO report released April 28, 2026 found no evidence that DOGE team staffers accessed NLRB systems during the formal agreement period of April 16 to July 25, 2025. However, the GAO audit’s start date was two days after the period during which NLRB IT whistleblower Daniel Berulis alleged the most serious access and data exfiltration occurred. The NLRB OIG is separately investigating the March 2025 period. The GAO audit addresses the question of whether DOGE accessed systems during the formal agreement — not whether access occurred before the agreement began.

What happened to CISA’s workforce in 2025?

CISA’s workforce dropped from approximately 3,400 employees at the start of fiscal year 2025 to approximately 2,400 by December 2025 — a 29% reduction. The budget was cut by $135 million. Private-sector threat-hunting contracts with Nightwing and Peraton were terminated. The CISA election security office was eliminated. The nomination for CISA director was withdrawn. Outgoing GAO Comptroller General Gene Dodaro warned in December 2025 that CISA staffing cuts had left the U.S. in a “very vulnerable” cybersecurity posture.

Did DOGE violate FISMA?

GAO-26-108131 documents that BFS failed to implement FISMA-required IT security controls before granting DOGE team access. The DOGE employee did not complete required security training (a FISMA compliance requirement) and did not sign the rules of behavior document. The unauthorized transmission of unencrypted PII raises Privacy Act compliance questions. GAO is not a law enforcement body and did not make a legal determination; the report documents noncompliance with applicable standards without adjudicating statutory violations.

What data was accessible through the BFS payment systems?

BFS systems process federal income tax refunds, Social Security benefit payments, veteran benefit payments, federal employee salaries, and vendor payments for most federal entities. The three systems the DOGE employee accessed also held source code that describes the architecture, logic, and control structure of those payment systems.

What did the Senate find about SSA and OPM?

The Senate HSGAC Democratic report (September 25, 2025) cited SSA’s own internal risk assessment warning of up to a 65% probability of catastrophic breach of systems DOGE was accessing. At OPM, leadership denied DOGE’s presence to congressional staff while simultaneously acknowledging it in federal court filings. At GSA, DOGE personnel occupied the administrator’s office and senior officials could not confirm adherence to cybersecurity policies.

Is the GAO investigation of DOGE complete?

No. GAO stated explicitly that the Treasury report released April 28, 2026 represents “preliminary results of ongoing work.” Additional Treasury reports are expected. The NLRB OIG investigation into the March 2025 period remains open. Multiple federal court cases related to DOGE data access remain active.

What is source code access and why does it matter?

Source code access to a government payment system means being able to read the programming instructions that make the system work — its architecture, business logic, security control implementation, and validation procedures. Unlike data access (which exposes specific records), source code access provides a map of the system’s vulnerabilities and mechanisms. For a system that processes a majority of federal payments, source code access without proper authorization and monitoring represents a reconnaissance capability of significant concern, both for external adversaries and for anyone with the intent to manipulate the system.

What should federal employees and contractors know?

GAO’s operational lesson in this report is clear: access control rules exist to protect both the data and the individuals involved. If you are a federal employee or contractor asked to provision access without completed training or signed rules of behavior, you are creating a compliance exposure for your agency. Document the request in writing. Note which controls you were asked to skip and why. GAO’s findings suggest that career staff who followed proper procedures would have been in a defensible position; those who didn’t are now named in a public audit report.

How does this affect ordinary Americans?

BFS systems handle tax refunds, benefits payments, and government salaries for millions of Americans. SSA systems hold Social Security, disability, and earnings data for virtually every U.S. worker. OPM systems hold detailed personnel records for millions of federal employees, including security clearance data. If any of these systems were compromised — whether during the DOGE access period or by foreign adversaries who may have obtained access credentials — the personal and financial consequences for the individuals whose data was in those systems would be significant. No confirmed breach of public data has been documented to date. What has been documented are the conditions under which a breach would have been possible and, in some cases, difficult to detect.


Methodology and Sources

This article is based exclusively on the following primary sources:

  • GAO-26-108131 — Department of Government Efficiency: Treasury Needs to Fully Implement Data Protection Controls. Published April 28, 2026. GAO.gov.
  • GAO NLRB Report — Department of Government Efficiency: DOGE Team Staff Did Not Access NLRB IT Systems During Formal Agreement Period. Published April 28, 2026. GAO.gov.
  • Senate HSGAC Minority Report — Peters, Gary. DOGE: Operating Unchecked, Likely Violating Federal Privacy and Security Laws. Senate Homeland Security and Governmental Affairs Committee Democratic Staff. Published September 25, 2025.
  • GAO High-Risk List 2025 — Published February 2025. GAO.gov.
  • GAO Testimony — Gene Dodaro, Comptroller General, before Senate HSGAC Subcommittee. December 16, 2025.
  • FISMA — Federal Information Security Modernization Act, 44 U.S.C. § 3551 et seq.
  • NIST SP 800-53 — Security and Privacy Controls for Information Systems and Organizations.
  • Workforce figures: New York Times, Federal News Network, CISA official statements.

Where Axis Intelligence has performed cross-source synthesis, applied legal framework analysis, or calculated original risk assessments, this is labeled explicitly in the text.

Last updated: May 20, 2026. GAO’s ongoing Treasury work and the NLRB OIG investigation may produce additional findings. This article will be updated when primary sources publish new material.


Marcus Chen is a cybersecurity analyst and senior editor at Axis Intelligence, covering federal security policy, VPN infrastructure, identity protection, and digital threat intelligence.
