Judge Expands DOGE Team Access to Treasury Systems

US District Judge Jeannette Vargas has modified her preliminary injunction in the case brought by 19 states against the Trump administration, allowing four additional Department of Government Efficiency (DOGE) employees to access the US Treasury Department’s Bureau of Fiscal Services (BFS) payment systems. The ruling comes after an initial “chaotic” rollout and establishes a repeatable vetting framework for future team members.
Court Order and Scope of Access
In her May 28, 2025, order, Judge Vargas confirmed that Thomas Krause, Linda Whitridge, Samuel Corcos, and Todd Newnam have satisfied stringent training and security-clearance requirements, placing them on par with fellow team member Ryan Wunderly. Key stipulations include:
- Completion of department-wide cybersecurity and data-handling training modules.
- Successful background investigations adhering to Federal Investigative Standards (FIS), including National Security Adjudicative Guidelines.
- Direct reporting lines to senior Treasury DFS and CIO Office officials.
Judge Vargas also removed the requirement for prior court approval of each new DOGE hire, noting that continuous judicial oversight would duplicate Treasury’s existing HR and compliance mechanisms.
Background: From “Chaotic” Launch to Structured Onboarding
Earlier, in February, Vargas’s preliminary injunction halted DOGE access to personally identifiable information (PII) and confidential financial records after a rushed deployment under President Trump’s executive order. Career staff reported insufficient time to design mitigation controls. One high-profile misstep involved staffer Marko Elez, who was granted full BFS source-code access despite minimal training and later resigned amid controversy over offensive social media posts.
“The Treasury DOGE Team started its work almost immediately after the executive order, even though it lacked the requisite HR specialist or legal counsel. This left career staff with virtually no time to develop adequate safeguards,” Judge Vargas wrote in February.
Technical Deep Dive: Treasury BFS Payment Systems
The BFS operates several mission-critical applications, including:
- Secure Payment System (SPS): Manages interagency transfers and disbursements, built on a hardened Java EE stack with FIPS 140-2 compliant encryption.
- Crow’s Nest Monitoring Dashboard: Real-time transaction analytics powered by an in-memory data grid (Apache Ignite) and Spark streaming.
- Legacy Mainframe Interfaces: COBOL-based batch processing confined within an IBM z/OS environment, wrapped by modern RESTful APIs for external integrations.
Each component is protected by network segmentation, continuous vulnerability scanning (Nessus), and automated compliance checks via Chef InSpec profiles in the Treasury’s private cloud.
Security Protocols and Continuous Vetting
Under the modified injunction, DOGE team members must adhere to the same rigorous controls as any BFS operator. These include:
- Role-Based Access Control (RBAC): Leveraging AWS IAM-style policies in the Treasury’s hybrid cloud to enforce least privilege.
- Multi-Factor Authentication (MFA): Hardware tokens (FIPS-certified) and PIV/CAC smart cards for high-value transactions.
- Continuous Security Monitoring: SIEM ingestion of syslogs, endpoint telemetry (EDR), and automated alerts for anomalous activity.
Expert opinions, including from former DHS CISO Dr. Lena Castillo, highlight that “institutionalizing a security baseline and continuous vetting is critical to avoid the kind of misconfigurations that plagued the initial rollout.”
Implications for Federal IT Governance
This ruling sets a precedent for balancing judicial oversight with agency autonomy. By embedding vetting and training requirements into standard onboarding, the Treasury can rapidly scale specialized teams—such as those focused on digital modernization—without repeated court intervention. However, states may still challenge potential APA violations if future hires bypass established protocols.
Additional Analysis: Modernization and Cloud Migration Efforts
The BFS is concurrently migrating portions of its transaction processing to a containerized Kubernetes cluster on Oracle Cloud Infrastructure (OCI), leveraging Terraform for IaC and offering improved disaster recovery capabilities. DOGE personnel will play a pivotal role in overseeing microservices deployments and API gateways (Kong), ensuring they align with FedRAMP Moderate controls.
Conclusion
By expanding access under standardized vetting rules, the court aims to mitigate prior operational chaos while preserving states’ rights to challenge procedural overreach. Going forward, the structured approach may serve as a model for other federal agencies integrating specialized teams into critical payment and data-handling systems.