Some DOD organizations have been sending IT hardware away for reuse without properly scrubbing sensitive data first, IG finds.
Some Defense Department organizations haven't scrubbed data from information technology equipment before disposing of the hardware, resulting in the possible release of information that could be used for identity theft, or releasing other sensitive DOD information, according to an Inspector General audit.
An investigation by DOD's IG also found that one organization had lost track of one unclassified computer entirely, the report said. The IG released the report Sept. 21.
Also failing to meet guidelines was the Defense Reutilization and Marketing Service, the destination for much of the excess IT equipment in question. DRMS processing centers are charged with ensuring proper sanitization before the equipment is released for reuse by other government agencies and non-governmental organizations.
The audit showed that several DOD organizations did not follow disposal policies, did not properly train personnel or did not develop and implement on-site procedures for the authorized release of IT equipment. Unaccounted-for equipment and hard drives with leftover readable information, including data such as Social Security numbers and e-mail folders, comprised most of the instances of noncompliance.
The audit also showed that some DOD-issued guidance for IT equipment disposal was out of date and didn’t address newer data-storage technologies.
“As a result, four DOD components could not ensure personally identifiable information or other sensitive DOD information was protected from unauthorized release,” the report said.
In response, most of the DOD organizations concurred with recommendations issued by the IG as part of the report, including updating, clarifying and implementing disposal policies and adhering to “applicable laws and regulations.”
One response, from the Army Corps of Engineers Directorate of Information, stipulated that its hard drives in question were not destined for reuse, contained only unclassified data and were destroyed by a General Services Administration-approved facility with transport controls and oversight. Other organizations identified in the report said they were not aware of the specific DOD directive for IT equipment disposal or that they had taken other measures to ensure safe disposal of equipment and information.
Under a 2001 Assistant Secretary of Defense for Command, Control, Communication and Intelligence memorandum, there are only three acceptable ways to sanitize equipment hard drives: overwriting with software to release for reuse, demagnetizing or “degaussing” to render data unreadable, or physically destroying the equipment by force after overwriting or degaussing.
The components audited and cited included the Army Corps of Engineers; Naval Air Warfare Center Aircraft Division at Patuxent River, Md.; the 436th Medical Group at Dover Air Force Base, Del.; the 50th Space Communications Squadron at Schriever Air Force Base, Colo.; and the Army Garrison at West Point, N.Y.