
DOGE Access to Federal Systems Raises Cybersecurity Alarms as CISA Faces Mass Layoffs

Author: Ze Research Writer

The Department of Government Efficiency has gained access to sensitive federal databases across multiple agencies while CISA faces at least 130 layoffs, prompting security experts to warn that bypassing standard controls poses significant risks to government information systems.

The Trump administration's Department of Government Efficiency has gained access to sensitive databases at multiple federal agencies, including the Social Security Administration, Department of Homeland Security, Office of Personnel Management, and Treasury Department. At the same time, the Cybersecurity and Infrastructure Security Agency has dismissed at least 130 employees, including staff dedicated to election security and countering foreign influence operations.

Figure 1: Visual representation of the BeyondTrust vulnerability chain

What Happened

On February 7, 2025, Politico reported that the Trump administration had dismissed CISA employees dedicated to securing U.S. elections and fighting misinformation. Earlier in the week of February 17, DOGE technologists arrived at CISA and gained access to the agency's email and networked files, according to NextGov.

DOGE has been steadily gaining sensitive network access to federal agencies holding personal and financial information on Americans. The New York Times reported on February 21 that the IRS reached an agreement allowing a single DOGE employee, 25-year-old Gavin Kliger, to see only anonymized taxpayer information.

Michelle King, acting commissioner of the Social Security Administration for more than 30 years, was removed after she denied DOGE access to sensitive information, according to CNN. Her replacement, Leland Dudek, posted a now-deleted LinkedIn message acknowledging he had been placed on administrative leave for cooperating with DOGE.

The Consumer Financial Protection Bureau was ordered to stop most work. The agency's homepage has displayed a "404: Page not found" error for weeks. Russell Vought, the architect of the conservative policy playbook Project 2025, was appointed as the CFPB's acting director. Vought has publicly favored abolishing the agency.

Key Claims and Evidence

Security experts have raised specific concerns about DOGE's approach to federal systems access.

Williams stated that while he does not believe anyone at DOGE would intentionally harm the integrity and availability of federal systems, DOGE has reportedly introduced code changes into multiple federal IT systems without following normal vetting and review processes. "Another name for 'red tape' are 'controls,'" Williams wrote on LinkedIn. "If you're comfortable bypassing controls for the advancement of your agenda, I have questions."

Schneier and Ottenheimer wrote that "the most alarming aspect isn't just the access being granted. It's the systematic dismantling of security measures that would detect and prevent misuse, including standard incident response protocols, auditing, and change-tracking mechanisms, by removing the career officials in charge of those security measures and replacing them with inexperienced operators."

The DOGE website's "wall of receipts" claims that Musk and his team have saved the federal government more than $55 billion through staff reductions, lease cancellations, and terminated contracts. A team of reporters at The New York Times found that the math is marred by accounting errors, incorrect assumptions, outdated data, and other mistakes. DOGE claimed it saved $8 billion on one contract when the total amount was actually $8 million, according to the Times.

The doge.gov website administrators left their database open, allowing someone to publish messages ridiculing the site's insecurity, according to Ars Technica.

Figure 2: How the authentication bypass vulnerability works

Pros and Opportunities

Supporters of the administration's approach argue that federal agencies have grown inefficient and that reducing bureaucracy could lead to cost savings. The DOGE website claims billions in savings from terminated contracts and staff reductions.

The administration has stated its goal is to identify fraud and waste in government spending. Proponents argue that fresh perspectives from private sector technologists could identify inefficiencies that career bureaucrats have overlooked.

Cons, Risks, and Limitations

Security experts have identified multiple risks with DOGE's approach to federal systems.

The rapid access to sensitive databases bypasses standard security controls designed to prevent misuse. Federal IT systems typically require extensive vetting, background checks, and security clearances before granting access to sensitive data.

The dismissal of career officials responsible for security measures removes institutional knowledge and oversight capabilities. NIST's potential staff cuts could affect the agency's ability to maintain cybersecurity standards and track software vulnerabilities.

The CFPB's shutdown affects consumer protection enforcement. The agency states its actions have returned nearly $18 billion to Americans in monetary compensation or canceled debts and imposed $4 billion in civil penalties against violators.

The appointment of Sean Cairncross as head of the Office of National Cyber Director has drawn scrutiny. Cairncross, the former chief operating officer of the Republican National Committee, has no formal experience in technology or security, according to Politico. He would be responsible for coordinating national cybersecurity policy and advising the president on cyber threats.

Katie Arrington was named the Department of Defense's new chief information security officer. The National Security Agency suspended her clearance in 2021, although the exact reasons were classified. Arrington argued the suspension was politically motivated.

Figure 3: Privilege escalation from user to SYSTEM level

How Federal Cybersecurity Oversight Works

Federal agencies maintain security controls through multiple layers of oversight. The Cybersecurity and Infrastructure Security Agency serves as the nation's primary cybersecurity agency, responsible for protecting critical infrastructure and coordinating responses to cyber threats.

NIST develops cybersecurity standards and frameworks used across government and industry. The agency maintains the National Vulnerability Database, which tracks software vulnerabilities and provides severity ratings used by organizations worldwide.

The Office of Personnel Management maintains records on federal employees, including security clearance information. The Treasury Department and IRS hold tax records and financial information on millions of Americans.

Standard federal IT security practices require change management processes, audit trails, and separation of duties to prevent unauthorized access or modifications. These controls are designed to detect and prevent both external attacks and insider threats.

Technical context: Federal information systems are classified under FISMA (Federal Information Security Management Act) and must meet security requirements based on the sensitivity of the data they contain. High-impact systems require the most stringent controls, including continuous monitoring, incident response capabilities, and regular security assessments.

Broader Implications

The changes at federal cybersecurity agencies occur as the United States faces ongoing threats from nation-state actors. Significant cyber operations against U.S. targets have been attributed to Russia, China, Iran, and North Korea.

The dismissal of election security staff at CISA comes ahead of future election cycles. CISA was established in 2018 specifically to coordinate election security efforts across federal, state, and local governments.

The SEC's shift away from cryptocurrency enforcement, with the unit renamed to focus on "cyber and emerging technologies," coincides with the largest cryptocurrency theft on record. On February 21, the cryptocurrency exchange Bybit announced a cybersecurity breach leading to the theft of more than $1.4 billion worth of cryptocurrencies.

The CFPB's shutdown affects oversight of financial technology companies. Elon Musk's efforts to transform X into a payments platform would otherwise be regulated by the CFPB.

What Is Confirmed vs. What Remains Unclear

Confirmed:

  • At least 130 CISA employees have been dismissed
  • DOGE has gained access to databases at SSA, DHS, OPM, and Treasury
  • DOGE technologists have accessed CISA email and networked files
  • The CFPB has been ordered to stop most work
  • NIST is preparing for approximately 500 staff cuts
  • The doge.gov database was left open to public editing
  • DOGE's claimed savings figures contain documented accounting errors

Unclear:

  • The full scope of DOGE's access to federal systems
  • What code changes DOGE has introduced to federal IT systems
  • Whether standard security vetting was performed for DOGE staff
  • The long-term impact on federal cybersecurity capabilities
  • Whether any data has been exfiltrated or misused

What to Watch Next

Congressional oversight hearings on DOGE's activities and access to federal systems. More than 70 lawsuits are currently underway to halt the administration's efforts to reduce the federal workforce.

The status of NIST's cybersecurity standards work and vulnerability tracking capabilities following potential staff cuts.

Any security incidents or data breaches at agencies where DOGE has gained access.

The outcome of legal challenges to executive orders affecting independent agencies.

Federal employee responses to the Office of Personnel Management's directive requiring staff to submit bullet points justifying their work. The Department of Justice has urged employees to hold off replying due to concerns about ethics violations, according to Bloomberg.

Sources

  1. Krebs on Security, "Trump 2.0 Brings Cuts to Cyber, Consumer Protections," February 23, 2025
  2. Schneier on Security, "DOGE as a National Cyberattack," February 2025
  3. Politico, "Trump guts cyber workers," February 7, 2025
  4. NextGov, "DOGE employee Edward Coristine lands CISA, DHS email," February 2025
  5. Wired, "DOGE NIST CISA Cuts Cybersecurity," February 2025
  6. The New York Times, "IRS DOGE Gavin Kliger," February 21, 2025
  7. CNN, "Social Security head steps down DOGE access," February 17, 2025
  8. Ars Technica, "DOGE's .gov site lampooned as coders quickly realize it can be edited by anyone," February 2025
