Members of the U.S. Committee on Oversight and Government Reform have urged President Donald Trump to cease all Department of Government Efficiency (DOGE) activities that create serious cybersecurity vulnerabilities, expose government networks to cyberattacks, and risk disclosure of sensitive information. The demand comes following cyber exposures and top House Oversight Committee members demanding a briefing from the DOGE on their efforts to protect sensitive government systems against cyber threats.
“We write with increasing alarm about how individuals associated with Elon Musk and the Department of Government Efficiency (DOGE) appear to have introduced negligent cybersecurity practices into information technology systems at multiple government agencies,” Gerald E. Connolly, ranking member of the Committee on Oversight and Government Reform, Shontel M. Brown, ranking member of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, and Melanie A. Stansbury, ranking member of the Subcommittee Delivering on Government Efficiency, wrote in their Tuesday letter to President Trump. “This reckless disregard of critical cybersecurity practices creates opportunities for hostile actors to access sensitive information. We urge your Administration to cease all DOGE activities that create serious cybersecurity vulnerabilities, expose government networks to cyberattacks, and risk disclosures of sensitive and personal information.”
Earlier this month, Committee Democrats sent a letter to the Office of Personnel Management (OPM) highlighting reports of a server added to the OPM network ‘without regard for crucial security and privacy protections.’ Although the deadlines in that letter have passed, the Committee has yet to receive a response from the Administration. In the weeks since Committee Democrats sent that letter, further evidence indicates that DOGE activities have continued to expose sensitive internal systems, including the Department of Treasury’s payment systems and critical systems at labs that support the U.S. nuclear weapons stockpile.
“Since then, further evidence indicates that DOGE activities have exposed sensitive data at additional agencies,” the members detailed. “For example, public reporting indicates that DOGE has access to the Department of Treasury’s Secure Payment System, which distributes more than $5 trillion in federal funding each year. Internet histories show that under the current Trump Administration, any outside actor could reach Treasury’s Secure Payment System from the public internet, making this system accessible to malicious actors.”
Similar records show that systems at the Office of the Comptroller of the Currency, the Treasury Inspector General for Tax Administration, and the Office of the Inspector General were publicly exposed.
Public internet records also show that servers at the Lawrence Livermore National Laboratory, Los Alamos National Laboratory, Thomas Jefferson National Accelerator Facility, and Fermi Accelerator National Laboratory all exposed entry points through which a malicious actor could remotely access their computer systems. Some of these labs study and manage the critical systems that support the U.S. nuclear weapons stockpile. It is deeply alarming that an adversary could exploit these vulnerabilities to gain full access to these systems.
The House Committee letter emphasizes that decades of efforts by both Republican and Democratic administrations, along with bipartisan collaboration in Congress, have enhanced the federal government’s cybersecurity practices, making them more transparent, enforceable, and resilient. However, in just a few weeks, the ‘reckless behavior’ of the unelected and unaccountable DOGE team has jeopardized this progress, leaving multiple government agencies vulnerable to cyberattacks from foreign agents and malicious actors.
To assess the severity of reported cybersecurity and privacy violations, the committee members ask for information, along with a briefing from DOGE leadership, detailing the measures DOGE is taking to prevent malicious actors from accessing sensitive government systems, by Mar. 11.
The committee members have requested a comprehensive list of all federal agencies where individuals linked to DOGE have implemented new technologies. This includes but is not limited to, virtual and physical servers, network appliances, databases, workstations, external application programming interfaces, and external data endpoints. Additionally, they seek a complete inventory of both virtual and physical machines introduced by DOGE-associated individuals into federal government networks since the initial actions of the Trump transition team. Furthermore, they require information on any external entities to which the DOGE team has transferred data.
They have also asked for a list of all individuals given administrative or ‘sudo’ access to federal information technology systems during the Trump transition and after Jan.20, 2025; and a list of all new vendors used by federal IT systems since the beginning of the Trump transition. Also, since Jan. 20, 2025, they asked how many cybersecurity incidents have been identified at federal agencies that may have exposed government systems or data.
The committee members also requested details on risk assessments that were conducted for each identified incident. They inquired about how these incidents were categorized in terms of their impact on confidentiality, integrity, and availability of federal data and systems. They asked whether any incidents were deemed to have posed a national security risk, and if so, how they were handled. They wanted to know what corrective actions have been taken to address these cybersecurity incidents. They questioned whether affected systems were patched, reconfigured, or isolated, and if so, requested details on the remediation timeline.
They further inquired whether any agencies were found to have repeatedly violated cybersecurity policies, and if so, what enforcement actions were taken to ensure compliance. They also asked whether any agencies and DOGE team members were found to have failed to report cybersecurity violations to the appropriate authorities, including the Cybersecurity & Infrastructures Security Agency, the Office of Management and Budget (OMB), or agency inspectors general. If so, they wanted to know what actions have been taken to hold those agencies accountable for noncompliance.
They also questioned whether any federal employees, contractors, third parties, or DOGE team members were found to have engaged in willful negligence or misconduct that contributed to cybersecurity violations. They asked if any cybersecurity incidents resulted in confirmed or suspected breaches of personally identifiable information (PII) or other sensitive government data, and if so, whether affected individuals and entities were notified as required by relevant breach notification policies.
Lastly, the committee members ask how has the administration ensured transparency in reporting cybersecurity violations to Congress and the public while safeguarding national security interests.
