The Controller General of Accounts (CGA) has issued a critical security alert for all Public Financial Management System (PFMS) users. Vide Office Memorandum No. V-12025/5/2025-PFMS/C.N. 18742 dated 05 February 2026, the Ministry of Finance has mandated a strict “Cyber Hygiene” protocol. All Program Divisions (PDs), Drawing & Disbursing Officers (DDOs), and Data Operators must immediately adhere to these new guidelines to prevent unauthorized access and potential financial fraud.
The “Cyber Hygiene” Protocol: What Changed?
Until now, many departmental users treated PFMS login credentials casually, often sharing passwords between “Makers” and “Checkers” to expedite bill processing. This practice is now explicitly flagged as a security violation. The new order comes in the wake of increased cyber-attack risks targeting government financial infrastructure.
Audit Warning: Sharing of user credentials (User ID/Password) or OTPs with colleagues, even for “official work,” is now a punishable lapse. If a fraudulent transaction occurs from an ID used by multiple people, the registered owner of the ID will be held solely responsible under the CGA Inquiry Rules Vigilance Order 2026 PEO PO Guidelines.
- Order No: V-12025/5/2025-PFMS/C.N. 18742/5624-5625
- Date of Issue: 05 February 2026
- Authority: Department of Expenditure (CGA), Ministry of Finance
- Mandate: Immediate implementation of 12-point security check.
DDO & Data Operator Checklist (Mandatory)
Section Officers and AAOs managing the PFMS terminals must ensure the following “Do’s and Don’ts” are strictly enforced in their sections. This is not just an IT advisory; it is an operational directive.
- Change passwords periodically (every 30-45 days).
- Log out immediately after completing a session.
- Verify URL starts with https:// before login.
- NEVER save passwords in the browser.
- NEVER install unauthorized software/social media apps on PFMS systems.
- NEVER click suspicious links/attachments.
The order specifically highlights the risk of “Remote Access” tools. Installing software like AnyDesk or TeamViewer on a dedicated PFMS terminal is strictly prohibited unless authorized by the NIC/PFMS technical team for troubleshooting.
System Security & Bill Processing Impact
Non-compliance with these guidelines may lead to the disabling of user IDs without prior notice. For DDOs, this means a potential halt in bill generation and payment processing.
| Security Parameter | Compliance Requirement |
|---|---|
| Password Policy | Strong (Alphanumeric + Special Char). No writing on desk/files. |
| OTP Alert | Report immediately if OTP received without initiating transaction. |
| System Hygiene | Remove all social media sites/unauthorized apps from the PC. |
| Access Control | Configure regular system scans; Keep system password protected. |
For more technical details on e-bill prerequisites, refer to the PFMS e-Bill Mandatory Prerequisites CGA Order 2026. Failure to secure the system can be treated as “Administrative Negligence” in future inspections.
Can I share my PFMS password with my assistant?
No. The order explicitly forbids sharing credentials. Every user (Maker/Checker) must use their own unique login ID. Sharing is a security violation.
What should I do if I receive an unexpected OTP?
Do not share it. Immediately report the incident to the PFMS helpdesk and your Pr. AO, and change your password instantly.
Is antivirus mandatory for PFMS computers?
Yes. The OM mandates the installation of suitable anti-malware, anti-ransomware, and anti-exploit software on all systems accessing PFMS.
Hindi Summary
The Ministry of Finance (CGA) issued a strict security advisory (Office Memorandum) for all PFMS users on 5 February 2026. Under it, sharing your user ID, password or OTP with any colleague is strictly prohibited. The order has been introduced to protect government accounts from cyber-attacks. If a wrongful transaction is made from an ID, the employee in whose name the ID is registered will be held responsible. All DDOs have been instructed to keep the antivirus on their computers updated and to remove social media apps.
