I write again to express serious concerns and request information regarding the Small Business Administration’s (SBA) facilitation of expedited access to agency data for individuals associated with the Department of Government Efficiency (DOGE), particularly in light of recent reports about the agency’s vetting process.
In testimony before the Senate Committee on Small Business and Entrepreneurship in May, you stated that DOGE operatives “have not had access” to personal or sensitive small business information. However, email communications reviewed by Wired show that on February 3, 2025, senior SBA staff urgently requested broad access for DOGE operatives to both SBA and National Finance Center (NFC) information systems. “Admin access” was reportedly granted within hours to systems containing highly sensitive information—such as Social Security and Employer Identification numbers—of SBA staff and of the millions of small business owners, homeowners, and renters who have used SBA lending programs, including disaster assistance loans.
These reports present a troubling account of SBA’s disregard for basic controls on sensitive data as it expedited access for DOGE operatives. The speed with which SBA granted access makes clear that it failed to protect personal information by bypassing the standard screening and security clearance processes required of government employees who handle sensitive information.3 Even more troubling are reports that one DOGE operative had been fired from an internship at a network monitoring firm after being suspected of leaking internal information, raising serious doubts about his fitness to manage sensitive data. However, in testimony before the Small Business Committee in June, you said the operative “is an SBA employee who has been vetted, as has the entire team.” Given these discrepancies between your testimony before the Senate and House Small Business Committee, and the reporting by Wired, I have serious concerns about the omission of critical information to Congress.
As you know, government protocols regarding requests for access to information and systems typically only allow the lowest level of access required to meet the specific objective in order to protect sensitive data. The emails cited in reports did not explain the intended objective, limit access to the lowest level required, or comply with federal laws, including the Federal Privacy Act and the Federal Information Security Management Act (FISMA).
Add new comment