The List of Rules Marko Elez Didn’t Sign

One of the lawsuits in which it was recently disclosed that DOGE boy Marko Elez emailed information with Personally Identifiable Information to two people at GSA (which I also wrote about here) is one in which Public Citizen is representing AARP in a Privacy Act claim against Treasury. [docket]

The government provided it in that case amid a discovery dispute, mostly as a courtesy because they were filing it in New York. But it contributed to a request for more information about what the hell Marko Elez was up to.

On February 18, Colleen Kollar-Kotelly ordered the government to file any Administrative Record behind the decision to give DOGE access to Treasury. The government squawked about that order, but after plaintiffs noted that the real decision maker in this case was Treasury Secretary Scott Bessent, not the people who had submitted declarations, Judge Kollar-Kotelly ordered those submitted, which the government provided — as a 215 page exhibit — on March 10.

On March 14 — the same day Treasury disclosed Elez’ mailed files to GSA — they supplemented that record. Some of the new documents appear to include some of the details Treasury gathered as they tried to figure out what Elez had done with his access.

That includes this data, showing that when someone first tried to give Elez access to the Top Secret Treasury Mainframe, they equivocated about whether to give Elez read only (the message on January 30) or read-write (the message the next day); at the time he appears to have been granted interim Secret, not Top Secret, clearance.

The main exhibit in the Administrative Record includes a spreadsheet showing what access he was supposed to have as of February 1, reflecting the sandboxed access described in earlier filings. It doesn’t reflect this read-write access.

Plaintiffs are also interested in Elez’ access during a late January trip to Kansas City, which has never been addressed in the declarations in this case.

What plaintiffs didn’t ask about (though they do ask for backup) is the letter sent on February 5 asking Elez to please sign the rules that go along with the Fiscal Service laptop Elez used to access Treasury networks.

Those rules include the following:

  • Use Fiscal Service data, equipment, and IT systems properly and follow laws, regulations, and policies governing the use of such resources (Base Line Security Requirements, (BLSRs), Treasury Information Technology Security Program (TD-P 85-01), the Treasury Security Manual (TD-P 15-71), and Fiscal Service Policies).
  • Protect Fiscal Service data, equipment and IT systems from loss, theft, damage, and unauthorized use or disclosure. Secure mobile media (paper and digital) based on the sensitivity of the information contained.
  • Use appropriate sensitivity markings on mobile media (paper and digital).
  • Promptly report any known or suspected security breaches or threats, including lost, stolen, or improper/suspicious use of Fiscal Service data, equipment, IT systems, or facilities to the IT Service Desk at 304-480-7777.
  • Do not attempt to circumvent any security or privacy controls.
  • Logoff, lock, or secure workstation/laptop to prevent unauthorized access to Fiscal Service IT systems or services.
  • Do not read, alter, insert, copy, or delete any Fiscal Service data except in accordance with assigned job responsibilities, guidance, policies, or regulations. The ability to access data does not equate to the authority to access data. In particular, Users must not browse or search Fiscal Service data except in the performance of authorized duties.
  • Do not reveal any data processed or stored by Fiscal Service except as required by job responsibilities and within established procedures.
  • Do not remotely access Fiscal Service IT systems unless authorized to do so, such as an approved telework agreement authorizing remote access over the bureau’s VPN software.
  • Do not transport or use Fiscal Service data or equipment outside of the United States or US Territories without written approval from the CSO or CISO.
  • Do not connect Fiscal Service equipment to or access a Fiscal Service IT system from a foreign network without written approval from the CSO or CISO.
  • Do not install or use unauthorized software or cloud services on Fiscal Service equipment.
  • Take reasonable precautions to prevent unauthorized individuals from viewing screen contents or printed documents.
  • Do not open e-mail attachments, or click links, from unknown or suspicious sources.
  • Be responsible for all activities associated with your assigned user IDs, passwords, access tokens, identification badges, Personal Identity Verification (PIV) cards, or other official identification device or method used to gain access to Fiscal Service data, equipment, IT systems, or facilities.
  • Protect passwords and other access credentials from improper disclosure. Do not share passwords with anyone else or use another person’s password or other access credential such as, but not limited to, someone else’s PIV card.
  • Use only equipment and software provided by Fiscal Service or that has been approved for use by Fiscal Service’s CIO or designee to conduct Fiscal Service business.
  • Provide non-work contact information to the bureau to facilitate emergency communications.
  • Comply with Fiscal Service social media policy, including restrictions on publishing Fiscal Service information to social media and public websites. [my emphasis]

One of these rules, about not revealing data processed by Fiscal Service, would seem to apply to his sharing of information with GSA.

There’s no evidence Elez ever did sign those rules. Instead, he quit — and, without evidence, the entire world has assumed he quit because he was revealed to have made racist comments on social media.

It’s not yet clear what happened; perhaps it’ll become more clear if plaintiffs get discovery. But by all appearances, on Scott Bessent’s authority, someone at least considered giving a guy only cleared to the Secret level Read/Write access to Treasury’s Top Secret Mainframe, without first making sure he had signed a list of rules about altering or copying data.

And then he left.

Update: I’ve tweaked this reflecting the comment below that the Mainframe may be called Top Secret, without actually being classified Top Secret.

Update: Judge Kollar-Kotelly did grant more limited discovery. That includes most, but not all, details plaintiffs wanted about Elez’ email:

9. With respect to the email sent by Marko Elez referred to in paragraph 12 of the declaration of David Ambrose, ECF 48-2:

a. identify each addressee, including any cc’s or bcc’s.

b. state the date on which the email was sent.

c. identify each individual, if any, who authorized or directed Mr. Elez to send the email.

d. identify the Bureau Systems from which the Personal Information contained in the email or the attached spreadsheet was obtained.

[removed]

f. describe the nature of the information that was transmitted, including whether the information relates to the USAID files that Mr. Elez copied, as noted in paragraph 18 of Joseph Gioeli’s declaration, ECF 24-2.