FBI Sensitive Storage Media Security Flaws Exposed In Audit


A recent audit has shed light on troubling security shortcomings within the Federal Bureau of Investigation (FBI) regarding the management of sensitive storage media slated for destruction. The audit, conducted by the Department of Justice’s Office of the Inspector General (OIG), highlights significant flaws in the FBI’s procedures for tracking and securing electronic storage devices containing sensitive information.

According to the OIG report, the FBI has been failing to adequately label, store, and secure decommissioned electronic storage media. These devices, which include internal hard drives and thumb drives, are often filled with sensitive but unclassified law enforcement information and classified national security information (NSI).

The audit uncovered that these items were stored unsupervised on pallets for extended periods at an FBI-controlled facility intended for their destruction, raising serious concerns about the security of such sensitive storage media.

Audit Reveals Critical Security Gaps in Sensitive Storage Media

The report finds that the FBI’s inventory management and disposition procedures for these devices were deficient. In particular, the agency struggled with tracking internal hard drives, including those removed from Top Secret computers, and could not always verify their destruction. The audit found that the FBI’s handling of these sensitive storage media fell short of necessary security standards, increasing the risk of unauthorized access or misuse.

The audit report highlights several critical areas where the FBI’s procedures are lacking. The FBI’s current practices include inadequate policies and controls for accounting for electronic storage media, including thumb drives and internal hard drives. Furthermore, the devices are not always labeled with appropriate NSI classification or sensitive but unclassified (SBU) levels, complicating the process of ensuring their secure disposal.

The audit also identifies a need for improved physical security measures at the facility where media destruction occurs. Contractors involved in the sanitization and destruction of these devices have access to protected information, including classified data, yet the FBI’s internal access controls at the destruction facility are insufficient. The audit suggests that these issues warrant immediate attention from the FBI to enhance the security of sensitive storage media.

Recommendations for Improvement

Following the audit, the OIG has made several recommendations for the FBI to address the identified concerns. These recommendations aim to fortify the agency’s procedures for handling sensitive storage media. The proposed improvements include developing and implementing more robust policies for inventory management, ensuring that all electronic storage media is appropriately labeled according to its sensitivity, and enhancing physical security measures at the media destruction facility.

The FBI’s Asset Management Unit (AMU), which oversees the processing, sanitization, destruction, and disposal of electronic media, is at the center of this issue. As of June 2024, the AMU handles assets from various FBI locations, including headquarters and field offices across the U.S. and Puerto Rico. The AMU’s Property Turn-in Team (PTI) is responsible for receiving and cataloging media, while the Media Destruction Team (MDT) manages its sanitization and destruction.

The AMU’s process for handling electronic media involves several stages. Initially, media is collected at either FBI headquarters or the designated destruction facility. Upon arrival, the media is placed in pallet-sized boxes and stored until the MDT can process it. The MDT prioritizes the destruction of high-value assets, such as those containing Top Secret information, and follows a first-in-first-out method for other items.

Despite these procedures, the audit reveals significant issues. For instance, electronic media, including desktop computers, laptops, and other devices, are sometimes not processed promptly, and extracted hard drives are handled last. Additionally, the sanitization process, which includes degaussing, shredding, and disintegration, is not always executed with the requisite level of security. The audit’s findings indicate that the lack of proper marking and tracking of sensitive storage media exacerbates the risks associated with its destruction.


