The Government Accountability Office (GAO) is auditing Elon Musk’s so-called Department of Government Efficiency (DOGE).
The probe, which has been ongoing since March, covers DOGE’s handling of data at several cabinet-level agencies, including the Departments of Labor, Education, Homeland Security, Health and Human Services, the Treasury, and the Social Security Administration, as well as the US DOGE Service (USDS) itself, according to sources and records reviewed by WIRED.
Records show that the GAO—an independent auditing, research, and investigative agency for Congress—appears to be requesting comprehensive information from the agencies in question, including incident reports on “potential or actual misuse of agency systems or data” and documentation of policies and procedures relating to systems DOGE operatives have accessed, as well as documentation of policies for the agency's risk assessments, audit logs, insider threat programs, and more.
Over the last few months, DOGE operatives, many of them with connections to Musk’s companies but little to no government experience, have infiltrated dozens of federal agencies as part of Musk’s plan to push out tens of thousands of government employees. They have also gained initial access to untold amounts of sensitive data, from Treasury payment systems to tax records, and appear to be attempting to connect purposefully disparate data systems.
While a number of Democratic officials have sounded the alarm on DOGE’s activities, this audit is one of the first real signs of possible accountability and oversight.
The GAO’s review is expected to be completed by the end of spring, according to records reviewed by WIRED. Congressional sources say it will yield a report that will be made public.
“GAO has received requests to review actions taken by DOGE across multiple agencies,” Sarah Kaczmarek, a spokesperson for the GAO, tells WIRED. “The first thing GAO does as any work begins is to determine the full scope of what we will cover and the methodology to be used. Until that is done, we cannot provide any additional details or estimates on when the work will be completed.”
The audit, according to records reviewed by WIRED, is broadly centered on DOGE’s adherence to privacy and data protection laws and regulations. More specifically, according to records detailing GAO’s interactions with the Department of Labor (DOL), the agency will conduct a granular review of every system to which DOGE—defined in these records as USDS workers and members of the DOGE teams which an executive order directs every federal agency to establish—has been given access at the agencies it is examining. DOL did not respond to requests for comment.
Notes obtained by WIRED detail a proposed meeting between GAO examiners and DOL representatives to request that DOL officials share records of the system privileges provided to DOGE affiliates, including “any modifications to the accounts,” as well as audit logs showing their activity.
In addition, DOL officials were asked to prepare for an in-person meeting at which GAO officials could observe the security settings on laptops the agency had provided to DOGE operatives and review all the systems that track DOGE’s work at DOL, including a data loss prevention tool and systems used to track cybersecurity and privacy incidents.
| Got a Tip? |
|---|
| Are you a current or former government employee who wants to talk about what's happening? We'd like to hear from you. Using a nonwork phone or computer, contact the reporters securely on Signal at leahfeiger.86 and timmarchman.01. |
Notes from a March 18 meeting, marked “Internal/Confidential,” show that a DOL lawyer presented colleagues with an overview of DOL’s interactions with DOGE. “So far,” the notes read, “they do not have write access. They have asked; we’ve held them at bay. We’ve tried to get them to tell us what they want & then we do it. They only have read access.” DOGE seems primarily interested, according to the notes, in pay systems and grants, and has signed an agreement detailing a “long list of things they won’t do.”
The notes also detail interactions between the GAO and DOL related to DOGE’s work. Included are a specific set of requests GAO gave to DOL representatives:
“Please identify any systems and information for which USDS and/or agency DOGE team staff were provided access. In doing so, please identify all accounts created, including those for any applications, servers, databases, mainframes, and/or network equipment.
“Please describe the type of access that USDS and/or agency DOGE team staff have to agency systems and information (e.g., read, write, execute).
“Please describe how USDS and/or agency DOGE team staff access agency systems and information (e.g., on-premise or remote, agency furnished equipment or other equipment).
“Please describe the safeguards that are in place to determine that USDS and/or agency DOGE team staff protect the confidentiality, integrity, and availability of agency systems and information consistent with relevant laws and guidance.
“Please describe the processes that the agency has in place to ensure that USDS and DOGE teams are appropriately protecting the confidentiality, integrity, and availability of the agency systems and information as required by applicable laws and guidance.”
Concerns about DOGE access to agency systems are not unfounded. In February, WIRED reported that Marko Elez, a 25-year-old former X engineer, was granted the ability not only to read the code in the Treasury systems but also to write—or change—it. With that level of access, there were concerns that he could have potentially cut off congressionally authorized payments or caused the systems to simply stop working. “It’s like knowing you have hackers on your network, but nobody lets you do anything about it,” a Treasury employee told WIRED at the time.
Elez, according to the March 18 meeting notes and previous WIRED reporting, also has access to the DOL and has been linked to the Social Security Administration. His and other DOGE affiliates’ access to SSA data is currently restricted due to a court order. Elez did not immediately respond to a request for comment.
Reporting from WIRED and other outlets since then has continued to expose DOGE’s sweeping attempts to access sensitive data—and the potential consequences. President Donald Trump’s executive order from March 20 directs agencies to begin “eliminating information silos,” purportedly to fight fraud and waste. These actions could also threaten privacy by consolidating personal data housed on different systems into a central repository, WIRED previously reported.
A record detailing an initial request from GAO for DOL documents, due at the end of March, shows that the agency was asked to show how it protected its systems, with the requested documentation covering, among other things, its policies on management of access to system accounts, training, the principles of separation of duties and least privilege, the use of portable storage devices, audit logging, and its insider threat program. These requests reference the National Institute of Standards and Technology publication Security and Privacy Controls for Information Systems and Organizations, which serves as a set of information security guidelines for federal systems not related to national security.
The DOL was also asked to provide records documenting risk assessments and memorandums of understanding pertaining to DOGE; documentation for each system account created for DOGE that shows approval for requests to access the accounts, what access authorization they have, and any subsequent modifications to the accounts; all communications from October 2024 to March 2025 related to DOGE being granted access to agency systems and/or information; and detailed information on the job status of each DOGE affiliate, their relationship to the USDS, and the supervisory structure they’re working under and the security training they’ve undergone. (DOGE’s management structure has been quite opaque, with even DOGE workers not knowing who was technically in charge a month after Donald Trump’s inauguration.)
GAO examiners also sought information including instances of and incident reports related to “potential or actual misuse of agency systems or data,” detailed information on who oversees specific systems and data dictionaries, data architecture records, and interface control documents for specific systems, as well as documentation of the audit logs for each system.
The GAO audit is being carried out in response to requests from congressional leaders.
In a February 6 letter, representative Bobby Scott, a Democrat from Virginia and the ranking member of the House of Representatives’ Education and Workforce committee, cited reporting from WIRED and other outlets about DOGE intrusions into federal systems in the course of asking the agency to investigate what he called “a constitutional emergency” related to DOGE access.
On February 24, in a letter obtained by WIRED, representative Richard Neal, a Democrat from Massachusetts and the ranking member of the Ways and Means Committee, requested a review of what DOGE is doing in agencies including the Treasury Department and the Social Security Administration.
“Americans expect that when they share personal information with the government, whether for paying taxes or accessing health or Social Security benefits, it will be safeguarded,” Neal tells WIRED. “That is not what’s happened with DOGE, and why, at my request, the Government Accountability Office is working to shed much-needed light on their access to and use of personal and confidential information. It shouldn’t have to come to this—if there’s nothing to hide, DOGE should want the public to understand its work—but this is exactly why accountability measures across the government are so important.”
According to a Congressional aide, who spoke to WIRED on condition of anonymity because they are not authorized to be quoted in the media, the requests followed media reports on DOGE’s incursions into federal systems.
“The federal government, and actually most private companies as well, operate on the principle that data should be protected,” they say. “It should be protected from theft, protected from access by people who do not have a legitimate purpose or reason to be in and to be accessing that data. And so the reports of untrained people rummaging around databases changing code, scraping data—who knows what they’re doing?—were pretty alarming.”
“Has this data been exported outside of the agencies?” they add. “Is it being accessed or used by hackers or private citizens, or maybe it’s being used to train AI models? I don’t know.”
