Did the DOGE workers violate the law?

Under the Federal Information Security Management Act (FISMA), all information systems operated by or on behalf of the US federal government must obtain an authorization to operate (ATO). The purpose of an ATO is to minimize the security risks to which those systems might be exposed.

Obtaining an ATO under FISMA requires completing five steps: analyzing the impact a disaster or attack on the data would have on the public and the agency; developing a system security and privacy plan; inviting experts to assess and verify the plan; having the authorizing official, information security officer, and system owner sign off on the plan; and developing a plan for ongoing monitoring.

To get a government official, such as a CIO or CISO, to sign off on an ATO under FISMA, government systems must meet a list of security controls contained in a National Institute of Standards and Technology publication, NIST SP 800-53. FISMA mandates that federal agencies implement NIST’s guidelines, making compliance with NIST SP 800-53 mandatory for obtaining an ATO.

According to Skinner, an ATO is an essential security mechanism for government computer systems. “Moving data out of this system’s ATO means that DOGE moved Americans’ personal data outside of government security controls, beyond the ability of government security experts to track if the data is being leaked,” he tells CSO. “Someone could steal this data, and we might never know it.”

Skinner adds: “When SSA employees resisted DOGE’s attempt to move data outside the ATO, DOGE wrote itself a Provisional ATO, which is a real thing but not a blank check to circumvent the security rules, avoid oversight, and expose Americans’ personal data. DOGE treated it as a blank check.”

The complaint alleges that the lack of proper documentation of controls likely violates FISMA by placing a high-value asset containing data on over 450 million Americans and eligible noncitizens in an uncontrolled environment. It also alleges that the Provisional ATO violates the Privacy Act of 1974, “which requires agencies to maintain personal information with accuracy, relevance, timeliness, and completeness as necessary to assure fairness in determinations about individuals. Placing production NUMIDENT data in cloud environments without independent security controls violates these maintenance requirements.”

Finally, the complaint argues that what DOGE did violates the Computer Fraud and Abuse Act by facilitating unauthorized access to protected computer systems.
Why did DOGE do this?

Moghaddassi’s stated rationale that the “business need is higher than the security risk” and an earlier statement by Solly that the data move was necessary to improve the way that SSA exchanges data provide little insight into what exactly DOGE intends to do with the data.

It’s possible that the DOGE team decided to move the NUMIDENT database to better comply with a March executive order issued by Trump, entitled “Stopping Waste, Fraud, and Abuse by Eliminating Information Silos.” That order directed agencies to rescind or modify all guidance that serves as a barrier to the inter- or intra-agency sharing of unclassified information and to give the DOGE team and other federal officials access to all unclassified records, data, software systems, and information technology systems across all federal civilian agencies.

Data analysis and technology firm Palantir is reportedly helping the Trump administration compile a master list of personal information on Americans to achieve this anti-silo initiative, which is contingent on SSA and IRS data.

It’s also conceivable that the DOGE team was seeking to further the development of a master database at DHS to track and surveil undocumented immigrants, which is mainly dependent on access to the SSA database. A host of other Trump-DOGE initiatives, including a plan to push AI technologies throughout the federal government, might also be a motivating factor for DOGE to move SSA and other government systems data to systems not governed by security protocols.

Whatever the motivation, DOGE may have engaged in similar actions across the federal government where the loosely defined initiative has housed its workers, including the General Services Administration, the Veterans Administration, the Department of Health and Human Services, the Internal Revenue Service, and more.

The revelation that DOGE has violated security protocols at the SSA “is probably more of a tip of the iceberg situation,” Skinner speculates.
“I am guessing that this is what they are doing everywhere. It seems like they’re going around and cracking open the security at those agencies and taking the data and moving it away from someplace where security experts within the government can see what they’re doing with it.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4046997/whistleblower-doge-put-social-security-database-covering-300-million-americans-on-insecure-cloud.html