DOD repurposed IT equipment without scrubbing sensitive info, audit reveals

Inspector General finds inadequate controls for getting rid of used IT equipment

Some Defense Department organizations haven't scrubbed data from information technology equipment before disposing of the hardware, resulting in the possible release of information that could be used for identity theft, or releasing other sensitive DOD information, according to an Inspector General audit.

An investigation by DOD's IG also found that one organization had lost track of one unclassified computer entirely, the report said. The IG released the report Sept. 21.

Also failing to meet guidelines was the Defense Reutilization and Marketing Service, the destination for much of the excess IT equipment in question. DRMS processing centers are charged with ensuring proper sanitization before the equipment is released for reuse by other government agencies and non-governmental organizations.

The audit showed that several DOD organizations did not follow disposal policies, did not properly train personnel or did not develop and implement on-site procedures for the authorized release of IT equipment. Unaccounted-for equipment and hard drives with leftover readable information, including data such as Social Security numbers and e-mail folders, comprised most of the instances of noncompliance.

The audit also showed that some DOD-issued guidance for IT equipment disposal was out of date and didn’t address newer data-storage technologies.

“As a result, four DOD components could not ensure personally identifiable information or other sensitive DOD information was protected from unauthorized release,” the report said.

In response, most of the DOD organizations concurred with recommendations issued by the IG as part of the report, including updating, clarifying and implementing disposal policies and adhering to “applicable laws and regulations.”

One response, from the Army Corps of Engineers Directorate of Information, stipulated that its hard drives in question were not destined for reuse, contained only unclassified data and were destroyed by a General Services Administration-approved facility with transport controls and oversight. Other organizations identified in the report said they were not aware of the specific DOD directive for IT equipment disposal or that they had taken other measures to ensure safe disposal of equipment and information.

Under a 2001 Assistant Secretary of Defense for Command, Control, Communication and Intelligence memorandum, there are only three acceptable ways to sanitize equipment hard drives: overwriting with software to release for reuse, demagnetizing or “degaussing” to render data unreadable, or physically destroying the equipment by force after overwriting or degaussing.

The components audited and cited included the Army Corps of Engineers; Naval Air Warfare Center Aircraft Division at Patuxent River, Md.; the 436th Medical Group at Dover Air Force Base, Del.; the 50th Space Communications Squadron at Schriever Air Force Base, Colo.; and the Army Garrison at West Point, N.Y.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Featured

Reader comments

Mon, Sep 28, 2009

The DoD has generated "tons" of guidance and direction regarding the proper disposal of equipment. Unfortunately, the policies are not enforced and responsible partys are not held accountable for their actions. As long as the "hammer" does not fall, nothing will change.

Thu, Sep 24, 2009 Paul

Just an aside, what DoD organization is updating their equipment? I had to special order a computer to be able to run my programs without waiting 4 hours and still had to go through Dell, which makes some of the worst computers yet. Most of my coworkers have computers that are at least 3-4 years old. They don't need the fastest systems but what they have are still way to slow.

Thu, Sep 24, 2009 GG

OK, maybe I'm missing something, but if one organization only lost 'one unclassified computer entirely,' then they should be given an award. We account for hundreds of thousands of desktops and laptops, but must string up the poor custodian who had a machine moved or stolen without his knowledge. The solution doesn't have to be difficult, but I'm sure the DoD IG will laden us down with enough bureaucracy to keep the bean counters happy for years to come.

Thu, Sep 24, 2009

Here we go again. This report will likely lead to reinstating the 'destroy all hard drives' policy of a few years ago, which basically means all used computers end up as scrap metal. For all but classified hard drives, the various NSA-approved scrub routines should be more than adequate, and allows the computers to be given to schools and such, so the taxpayers get at least some value for their dollar. (The computers most DOD activities get rid of are better than what a lot of people have at home, or in their kids' school, since DOD tends to refresh as soon as warranty expires.)

Thu, Sep 24, 2009

DRMS is Defense Reuilization and "Marketing" Service, not Marking

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above