Internal feud rages over unvetted DOGE access to federal IT systems

Behind the scenes, tensions are rising between the White House and Intelligence Community (IC), Cybersecurity and Infrastructure Security Agency (CISA), and other federal agencies over whether Elon Musk and employees of the White House Department of Government Efficiency (DOGE) have been given statutorily required security clearances before being turned loose inside sensitive and classified federal IT systems.

These are IT systems that contain data that if compromised would harm or gravely damage U.S. national security and put at risk the personal information – including sensitive financial, medical, tax, and biometric data – of untold millions of Americans.

DOGE employees are said to be being provided unprecedented access without proper security clearances and vetting to the IT systems of the Departments of Treasury and Energy, Social Security Administration, Internal Revenue Service, Centers for Medicare and Medicaid, Office of Management and Budget, Office of Personnel Management (OPM), and General Services Administration, among others, according to sources.

“We’re talking about Social Security numbers, we’re talking about banking information, we’re talking about addresses, biometric information,” said Connecticut Attorney General William Tong, who, along with the state attorney generals of 19 states filed suit against Musk and DOGE to prevent them from accessing sensitive Treasury Department records.

A separate proposed class-action lawsuit by federal employees claims Treasury and OPM failed to protect government workers’ privacy by disclosing their Social Security numbers, personal health information, addresses and other sensitive data to “non-governmental employees and private citizens.”

“Defendants’ failure to protect government employees’ privacy is the biggest breach of American trust by political actors since Watergate,” the workers said, adding that “the individuals granted access to the [personal sensitive information] are, essentially, hackers who have been given access to the data by the government itself … They are individuals who lack authorization to access such information; they are non-government employees who do not have proper security clearances and are uninhibited by the restrictions required by law and placed on federal government employees.”

Alarms over unvetted access, unqualified personnel

Revelations during the last several weeks about DOGE employees have escalated concerns about security, privacy, and insider threats, according to sources with direct knowledge of the situation interviewed by Biometric Update on condition of anonymity.

According to these sources, the CIA, National Security Agency, Defense Counterintelligence and Security Agency (DCSA), and CISA have all expressed deepening concerns over Musk and DOGE employees having not been subjected to the required security vetting for the clearances they need to access the IT systems they have been given access to, which in the case of clearances for classified systems can take up to a year or longer to obtain.

“It doesn’t appear that anyone at DOGE has any such clearance; as there hasn’t been enough time to do any background checks for any level of clearance,” an IC counterintelligence source said.

“Anyone who thinks these kids would pass a [DSCA-level] background check, even for a [Non-Sensitive Public Trust (NSPT) position] is out of his mind,” a senior IC official said, adding they would “never be granted a secret or TS clearance.”

“Based on what’s been reported about them – they would never pass” NSPT vetting, let alone a clearance for classified access. They just wouldn’t,” an IC official said.

The officials explained to Biometric Update that all DOGE employees, including Musk, would be required to have at minimum a NSPT-level clearance. Individuals vetted for NSPT positions are part of the “trusted federal workforce” and are subject to DSCA Continuous Vetting in real-time. While some DOGE employees may not be accessing classified systems, they are still accessing systems that contain highly sensitive federal and personal financial and other records which require public trust vetting.

NSPT vetting is for federal positions that do not require access to classified information but still demand trust due to the highly sensitive nature of their work. These roles typically involve access to sensitive but unclassified information or IT systems that impact the integrity and security of federal operations. They include program and IT support specialists, network administrators, budget analysts, accountants, auditors, and personnel security assistants.

Heather Green, Principal Deputy Assistant Director of Adjudication and Vetting Services at DCSA, explained to Biometric Update last fall that “the NSPT population refers to those individuals who hold non-national security roles but still pose a risk to the integrity or efficiency of the nation through misconduct. These positions include … you know, protection of government information systems. I mean, there’s multiple different roles that the NSPT population may fall into.”

“Monitored data categories that we get lots of questions on, are criminal history, violent extremists, terrorists, and then unlawful subversive activities,” Green said.

“If [security clearance investigations] were being done, they would disqualify Musk and all of [the DOGE] kids if the reporting on them is accurate,” a senior IC official said about several of the young men reportedly employed by DOGE, one of whom reportedly was fired for leaking an employer’s secrets and for having ties to a cyberattack-for-hire service.

Sensitive diplomatic data at risk

One of the DOGE employees in question is 19-year-old Edward Coristine, who, according to reports, is a “senior adviser” in the State Department’s Bureau of Diplomatic Technology (DT), a relatively new agency within the U.S. Department of State created to modernize and enhance the technological capabilities of American diplomacy.

Launched in 2023, DT was formed by merging the Bureau of Information Resource Management with the Office of the Chief Information Officer. The restructuring aims to streamline the department’s tech functions and to improve its ability to handle cybersecurity threats, emerging technologies, and digital diplomacy initiatives.

Key functions and responsibilities include protecting the State Department’s sensitive information and diplomatic communications from cyber threats, including foreign adversaries and malicious actors, and upgrading outdated systems and infrastructure to support the evolving needs of diplomatic missions worldwide. This includes implementing cloud technologies, enhancing secure communication channels, and improving digital workflows.

It’s unclear whether this involves the department’s classified communications, backchannels, and cable messaging systems used by the Secretary of State, ambassadors, and foreign missions to transmit top secret information such as the intelligence products produced by the department’s Bureau of Intelligence and Research (INR). INR is a member of the Intelligence Community that produces the Secretary’s Morning Summary, which is the equivalent of the President’s Daily Brief, and generally far more comprehensive and contains intelligence derived from America’s most secret sources and methods of intelligence collection.

The DT also explores and integrates new technologies like AI, blockchain, and data analytics to improve diplomatic efforts and policymaking.

Coristine reportedly was fired from an internship at Path Network after an internal probe found he leaked sensitive information to a competitor. The network monitoring company has employed “reformed blackhat hackers.” When Coristine worked for the company, an individual using a Telegram handle linked to him reportedly sought out cyberattack-for-hire services.

One of a handful of companies Coristine reportedly created, Tesla.Sexy LLC, managed numerous web domains, including at least two registered in Russia. One active Russian domain hosts Helfie, an AI bot designed for Discord servers and aimed at the Russian market.

Financial, tax records systems at risk

Aside from the State Department, another potentially serious compromise of sensitive federal IT systems occurred at the Department of Treasury, where DOGE employees reportedly were given access to highly sensitive payment systems that are crucial to the nation’s financial infrastructure. These systems manage everything from federal disbursements to debt payments and are designed with robust security protocols to safeguard against fraud, cyber threats, and operational risks, including insider threats.

These systems are vital for maintaining the financial integrity of the U.S. government and ensuring smooth and secure financial operations domestically and internationally. Disruptions or breaches could have far-reaching implications for the economy, national security, and public trust. They also are subject to strict regulatory frameworks like the Federal Information Security Management Act and National Institute of Standards and Technology guidelines.

Musk DOGE hire Marko Elez reportedly was granted administrator-level access to critical U.S. Treasury payment systems, including the Payment Automation Manager (PAM) and the Secure Payment System (SPS). Elez resigned after being linked to a deleted social media account containing racist content and advocacy for eugenics, but Musk promptly rehired him.

The Payment Automation Manager automates the issuance of federal payments, including direct deposits and checks for Social Security, tax refunds, and federal salaries, making it a critical and sensitive system. PAM handles massive volumes of daily transactions and sensitive financial data, making security clearances essential for employees interacting with it.

The Secure Payment System is a web-based application that allows federal agencies to certify and submit payment schedules to the Treasury securely and includes strong encryption and authentication protocols.

A High-Risk Public Trust Tier 4 NSPT Investigation is said to be required for both systems because they involve broad control over payment processes or system administration where errors or misuse could have significant financial or reputational consequences. A Confidential or Secret clearance is required for roles involving integration with classified systems or information.

Despite concerns of Treasury officials and lawmakers about his lack of prior government or finance experience, Elez’s access would have allowed him to modify essential financial infrastructure. In early February, Elez reportedly visited a Treasury facility in Kansas City to meet with staff to gain deeper insight into federal payment processing systems. His access to these systems was restricted on February 5, 2025, according to the White House.

Following graduation from Rutgers University in 2021, where Elez focused on software development and distributed systems, he worked at SpaceX, contributing to vehicle telemetry, Starship software, and satellite systems. He later joined X where he specialized in search AI and software development. His professional experience prior to DOGE was exclusively at Musk’s companies.

Five former U.S. Treasury secretaries warned in a New York Times Op-Ed on Monday that DOGE employees have put “America’s payments system and the highly sensitive data within it to the risk of exposure, potentially to our adversaries. And our critical infrastructure is at risk of failure if the code that underwrites it is not handled with due care. That is why a federal judge this past weekend blocked, at least temporarily, these individuals from the Treasury’s payments system, noting the risk of ‘irreparable harm.’”

The former secretaries said “the nation’s payment system has historically been operated by a very small group of nonpartisan career civil servants. In recent days, that norm has been upended, and the roles of these nonpartisan officials have been compromised by political actors from the so-called Department of Government Efficiency. One has been appointed fiscal assistant secretary — a post that for the prior eight decades had been reserved exclusively for civil servants to ensure impartiality and public confidence in the handling and payment of federal funds.”

Another young man Musk reportedly hired as a “special DOGE adviser” who has been assigned at the Internal Revenue Service (IRS) is Gavin Kliger, who has been called out for amplifying extremist viewpoints, including reposting content from white supremacist Nick Fuentes and misogynistic influencer Andrew Tate. His actions have only exacerbated the concerns of national security officials, lawmakers, and civil liberties groups about the vetting process for DOGE appointments.

Kliger reportedly is a DOGE senior adviser to Acting IRS Commissioner Douglas O’Donnell for 120 days and has been given access to the IRS’ Integrated Data Retrieval System (IDRS), another critical federal IT system that operates under strict data security regulations. Only authorized IRS personnel can access the system, and there are strict controls to prevent unauthorized use.

IDRS is an internal database system used by the IRS to retrieve, update, and process taxpayer information. It enables real-time updates to taxpayer accounts, ensuring that changes such as payments, penalties, or adjustments are reflected promptly. It is also used to monitor taxpayer compliance, issue notices, track payment histories, and helps in initiating enforcement actions, including tax liens and levies.

Kliger ostensibly is to provide engineering assistance and IT modernization consulting to the IRS. According to the Washington Post, Kliger is required to keep tax return information confidential, protect data from unauthorized access, and to destroy any information shared with him while he is at the IRS.

On Wednesday, Sens. Ron Wyden, Ranking Member of the Senate Committee on Finance, and Elizabeth Warren, Ranking Member of the Senate Committee on Banking, Housing, and Urban Affairs, reminded O’Donnell in a letter that “violations of … taxpayer privacy laws, including unauthorized access to or disclosure of tax returns and return information, can result in criminal penalties, including incarceration.”

The two lawmakers added that, “Section 6103 of the tax code prohibits any unauthorized disclosure of tax returns or information contained in tax returns,” and that “Section 7213A also makes it unlawful for any federal officer, employee, or authorized viewer to willfully inspect a return or return information for a purpose other than one specifically authorized by law, with inspection defined expansively, to include ‘any examination of a return or return information.’ Therefore, improper inspection of tax return information is illegal, even if it has not been made public or disclosed to any unauthorized recipients.”

Wyden and Warren said, “It appears … DOGE team members [have been given] access to the IDRS, raising serious concerns that Elon Musk and his associates are seeking to weaponize government databases containing private bank records and other confidential information to target American citizens and businesses as part of a political agenda.”

The two lawmakers told O’Donnell, “The IRS must immediately disclose to the Senate Committee on Finance the full extent of the potential access to IRS systems and data granted to DOGE team members so that the Committee can address any efforts by DOGE personnel to gain access to taxpayer records at the IRS, which may constitute criminal violations of federal privacy laws.”

In response to lawsuits filed in federal courts challenging Musk and DOGE’s legitimacy and legal standing to access sensitive government IT systems, DOGE has been temporarily barred from further access to Treasury systems. Another court will soon take up whether to bar Musk and DOGE from accessing all federal IT systems and whether they meet statutory requirements to even be doing what they are doing.

Intelligence and national security officials are “increasingly alarmed” about “what damage [to national security] may already have been done,” sources told Biometric Update, noting that their concerns have been made known to top Democrat and Republican Congressional leaders.

Article Topics

biometric data  |  biometrics  |  cybersecurity  |  data privacy  |  data protection  |  DOGE  |  U.S. Government