Trump EO gives DOGE access to all federal systems, targets states, and injects cybersecurity risks

Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.

If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!

Metacurity reviewed a memo sent from the US Office of Management and Budget (OMB) to all federal civilian agencies instructing them how to comply with an executive order (EO) issued by the White House on March 20, 2025.

That EO, entitled Stopping Waste, Fraud, and Abuse by Eliminating Information Silos, directed agencies to rescind or modify all guidance that serves as a barrier to the inter- or intra-agency sharing of unclassified information. It further directed the agencies to give federal officials designated by the president or agency heads (or their designees) full and prompt access to all unclassified agency records, data, software systems, and information technology systems, including authorizing and facilitating both the intra- and inter-agency sharing and consolidation of unclassified agency records.

It also required agency heads to review agency formal regulations governing unclassified data access, including system of records notices, and, within 30 days of the date of this order, submit a report to the Office of Management and Budget cataloging those regulations and recommending whether any should be eliminated or modified.

Finally, the order directed agency heads to take all necessary steps to ensure the federal government has unfettered access to comprehensive data from all state programs that receive federal funding, including data generated by those programs but maintained in third-party databases.

Below is the OMB memo's text, retyped with the same punctuation, underlining, and bold emphasis as in the original memo.

Below is an image of the column headers in the template specifying the data items OMB sought from every federal agency, encompassing all records, data, software systems, and information technology systems.

After reviewing the memo, Metacurity spoke with three experts on US government technology systems currently working in the federal government as higher-level IT specialists, technology branch or division heads, or systems engineers, as well as one software engineer who was recently fired as part of Elon Musk’s so-called Department of Government Efficiency (DOGE) efforts to slash the US government payroll. Metacurity also spoke with someone experienced in tracking federal grants to state governments.

All the experts requested and were given anonymity. Most said they experienced rising concern over what they characterize as the current administration's alarming mismanagement of the US government’s digital technology infrastructure.

Metacurity attempted to reach OMB’s media relations department twice via email for questions and comments, but received no response. A phone call to OMB’s media relations phone number posted on its website went unanswered, and a phone call to OMB’s main phone line posted on its website ended with a recorded message that allowed no opportunity to leave a voicemail.

Is this a DOGE initiative?

Although the EO's ostensible purpose is to “stop waste, fraud, and abuse,” which is also the purported goal of the DOGE project, the EO only indirectly mentions DOGE in an accompanying fact sheet.

Nevertheless, one source who filled out the OMB-requested template told Metacurity that they understood the EO’s goal was to provide DOGE employees across the federal government, not just OMB, with access to their department’s databases and systems. “DOGE is everywhere,” this source said.

Another source inside the federal government who has experience managing technology systems across several agencies, told Metacurity, “[DOGE] is going to this length because they’re not getting the access we think they’re getting. I take the [silo EO] as a sign that they failed at getting [into systems] by going roughshod over everyone” early in the administration.

Finally, a GSA Town Hall held on March 20, the same day as the release of the silo EO, suggests that the EO was written by the DOGE people within GSA or at least with the help of those DOGE workers. However, Stephen Ehikian, acting GSA Director, proclaimed that there are no DOGE people within GSA. This contention flies in the face of the fact that DOGE workers took over a section of the GSA’s headquarters building in DC, on the same floor where Ehikian works. Ehikian is married to a former designer at Musk’s social media company X.

It's possible that the Trump administration downplayed DOGE’s involvement in the EO because DOGE had already generated bad press by the time the EO was released, and had sparked grassroots protests across the US. Speaking at a webinar on DOGE hosted by the Center for Democracy and Technology, Nandan M. Joshi, attorney with Public Citizen Litigation Group, said, “Maybe they didn't mention DOGE because DOGE became a little bit more toxic by March 20th.”

What’s new in OMB’s request?

One government technology expert told Metacurity that the concept of knocking down information silos across the federal government arose in the past as a laudable goal. “In the before times, it would be constructive and useful to have this kind of data sharing,” the expert said. However, given the current fears about and lack of visibility into what DOGE is doing, this kind of data sharing now seems “menacing,” the expert added.

Another expert, a systems engineer who works on a government system, thinks this kind of information sharing in the current environment goes beyond menacing and is an actual threat. “There's a credible sort of threat to all of this,” this expert said. “Even inside our agencies, our instructions have been to limit information because we don't want [DOGE] to do activities like node building or the kinds of things we were instructed to do with the asinine five things memo.” [Elon Musk ordered all federal workers to send a memo listing five accomplishments each week or consider themselves fired, a directive that ultimately failed.]

Experts say that government agencies should already have a comprehensive list of their “records, data, software systems, and information technology systems,” as required by the Federal Information Security Modernization Act (FISMA). But, as one expert told Metacurity, “they certainly don't have all of the [informal policies and federal authorities] that are going to be associated” with each entry in the template, which can, for large agencies, run into hundreds of entries.

“The idea that this information can just be summoned at the snap of a finger is comical, and it speaks to the sort of complexity-squashing viewpoints of people who are writing these memos," this expert said. “I would assume that what's going on here is a fishing expedition.”

Another expert suggested that even if the information can be easily tracked down in existing government repositories, DOGE workers have shown little patience for doing their own research. “In my experience, they don't go carefully looking through government processes to find the existing documentation,” this expert said. “Probably they just don't have the patience for that, or they don't think they have the time for it. So, they tend to demand information they could have easily found.”

Why does the administration want this data?

Almost all the experts said they seriously doubt OMB’s massive information-gathering effort has anything to do with improving government efficiency. “Any casual observer of what DOGE has been doing, at least certainly from the perspective of people inside the government, would say nothing that they're doing has anything to do with efficiency,” one expert told Metacurity.

Most experts suggested that OMB crafted its information request to provide DOGE and the Trump administration with an easily scanned, bird's-eye view of federal government programs, enabling quick and easy elimination of efforts that don’t align with the White House’s priorities.

“When you learn that they're taking over software systems and they're taking out data, you got to wonder why, and the number of things that they could be doing is large,” one expert speculated, from engaging in government data manipulation as part of private sector profiteering schemes to creating a state tool of repression to providing fresh data for Elon Musk’s commercial AI systems and much more.

But, the consensus among the experts is that the administration wants the data to shut down ideologically undesirable programs more easily. “I have to assume the intent is to identify programs providing funding for DEI or reproductive health or anything else that the regime has decided they don't want,” one expert said.

This expert also added that another incentive for collecting this information could be “that they're sniffing around for things that they could either use against their political enemies,” or create unified databases to target people they don’t like.  

“You can create RFK’s registry of autistic people, or you can just go down the list. We're going to grab everybody's health records so that we can expel all the [larger] people from the government, or whatever insane thing they're going to come up with next,” the expert said.

Why does the EO and OMB emphasize state data?

Of all the components of the EO and the OMB memo that struck experts as new was the directive to “ensure the federal government has unfettered access to comprehensive data from all state programs that receive Federal funding, including data generated by those programs but maintained in third-party databases.”

One expert said this directive is driven by the reality that “there is no central repository to find out what federal money states get. No big database lists everything every state gets from the federal government.”

An expert who tracks federal funding of state government programs concurs. “There is no central repository for a state to look at or for anyone to look at and see, this is how much I get from this program,” the expert told Metacurity. “USA Spending is kind of that. But the USA Spending website has reliability issues.”

According to this expert, the Trump administration will struggle to corral state-level spending into one convenient database. “It's going to be hard because every program is set up differently. It has different authorizations and different regulations,” the expert said. Most states hire local website developers to track the information that OMB seeks.

Another expert told Metacurity, “My expectation is that they [DOGE] don't have the access because all the information being collected is in literally 10,000-plus databases and programs across the federal government. It’s massive.”

All the experts agree that the Trump administration is likely seeking to identify state-level funding programs to exercise leverage over state governments, much like it has sought to coerce law firms and universities to accede to its demands.

“I’m speculating that they're going to start to lean on people in state governments just as they did at universities,” one expert said. “And Columbia was the first one they leaned on, and Columbia folded immediately, probably partly because they didn't know it was coming.”

Does OMB’s effort pose a cybersecurity threat?

One criticism that has dogged DOGE since the outset of the Trump administration is its lack of attention to cybersecurity. Some infosec professionals say that DOGE has made Americans’ most sensitive data less private and exposed federal government systems to threat actors by adopting a move-fast-and-break-things attitude.

Experts told Metacurity they were concerned about several aspects of how OMB has sought to collect the data under the EO. First, according to one expert who submitted the information to OMB, they did so as a document attached to an email.

Although one expert told Metacurity that sending this information as an attachment on a federal government email system is not a significant security concern, others weren’t so sure. “I've definitely seen a lot of probably questionable information being sent in an unencrypted email in the government in the past,” a different expert said. “It's not great. It's never great when you send that kind of information through a government email.”

Another expert said, “If you search on a scale from some random Joe's Yahoo mail to an actual classified email system, government NIPR [non-classified internet protocol router] mail, as it's typically called, is going to be an actual Microsoft Exchange server and is going to be more secure.”

However, this expert stressed that while ordinary adversaries won’t likely be able to access government emails, history has repeatedly shown that sophisticated threat actors such as nation-states have compromised US government email systems. “Federal unclassified network email has been getting pwned pretty regularly for the past 10 years,” the expert said. “I don't see why this would be any different.”

Moreover, according to this expert, “We have no sense of where the information is going afterwards. Once it gets sent to that inbox, it could get emailed to all sorts of people, and there's very little control over that. My default assumption is that any message being sent, especially unencrypted over an unclassified email system, even if it's government to government, you have to assume that's going to be compromised, if not now, then in a reasonable time in the future.”

This expert said the situation is aggravated by “people who know how to secure these systems getting bullied out of the government or replaced by mercenaries who don't care that much.”

Further compounding all these problems is that chief information security officers (CISOs) were not included in the list of agency officials who were supposed to be vetting the information and how it was supplied to OMB. According to one expert, CISOs are often overlooked in these kinds of information requests because “they tend to slow things down.”

Is role-based access the same as admin access in DOGE-speak?

Perhaps most concerning from a cybersecurity perspective is that one expert who compiled the information requested by OMB was informed that they should prepare to provide “role-based access” to federal officials who demand access under the EO.

Role-based access means that persons are granted access according to their defined roles. For example, some roles need read-only access to the data or systems. Others might need greater privileges, such as admin access, which usually gives individuals full ability to infiltrate or exfiltrate data, alter the data or systems, or even shut them down altogether.

When this expert sought clarification on whether this role-based access would include admin access when requested, the answer they received was yes. A different expert told Metacurity, “Role-based access doesn't mean necessarily admin access, but based on what I've seen elsewhere in the government, the truth is that it means admin access.”

Yet another expert said, “I will strongly reaffirm the assertion that they're probably going to try to get administrator or root-level access. Asking for admin-level access to these systems will be on the table across the government.”

Granting DOGE workers admin access might also open an opportunity for threat actors to pose as DOGE workers, given that DOGE is a shadowy organization with unclear boundaries and many unidentifiable employees. “There’s a squirrely definition of who DOGE is,” one expert said.

They added, “There are people who are associated with Elon Musk's companies who are running around the government doing stuff, but with no org chart. Anyone could show up and claim to be DOGE, but we don't know who they are. So, it could be a foreign threat actor.”