DOD repurposed IT equipment without scrubbing sensitive info, audit reveals

Inspector General finds inadequate controls for getting rid of used IT equipment

Some Defense Department organizations haven't scrubbed data from information technology equipment before disposing of the hardware, resulting in the possible release of information that could be used for identity theft, or releasing other sensitive DOD information, according to an Inspector General audit.

An investigation by DOD's IG also found that one organization had lost track of one unclassified computer entirely, the report said. The IG released the report Sept. 21.

Also failing to meet guidelines was the Defense Reutilization and Marketing Service, the destination for much of the excess IT equipment in question. DRMS processing centers are charged with ensuring proper sanitization before the equipment is released for reuse by other government agencies and non-governmental organizations.

The audit showed that several DOD organizations did not follow disposal policies, did not properly train personnel or did not develop and implement on-site procedures for the authorized release of IT equipment. Unaccounted-for equipment and hard drives with leftover readable information, including data such as Social Security numbers and e-mail folders, comprised most of the instances of noncompliance.

The audit also showed that some DOD-issued guidance for IT equipment disposal was out of date and didn’t address newer data-storage technologies.

“As a result, four DOD components could not ensure personally identifiable information or other sensitive DOD information was protected from unauthorized release,” the report said.

In response, most of the DOD organizations concurred with recommendations issued by the IG as part of the report, including updating, clarifying and implementing disposal policies and adhering to “applicable laws and regulations.”

One response, from the Army Corps of Engineers Directorate of Information, stipulated that its hard drives in question were not destined for reuse, contained only unclassified data and were destroyed by a General Services Administration-approved facility with transport controls and oversight. Other organizations identified in the report said they were not aware of the specific DOD directive for IT equipment disposal or that they had taken other measures to ensure safe disposal of equipment and information.

Under a 2001 Assistant Secretary of Defense for Command, Control, Communication and Intelligence memorandum, there are only three acceptable ways to sanitize equipment hard drives: overwriting with software to release for reuse, demagnetizing or “degaussing” to render data unreadable, or physically destroying the equipment by force after overwriting or degaussing.

The components audited and cited included the Army Corps of Engineers; Naval Air Warfare Center Aircraft Division at Patuxent River, Md.; the 436th Medical Group at Dover Air Force Base, Del.; the 50th Space Communications Squadron at Schriever Air Force Base, Colo.; and the Army Garrison at West Point, N.Y.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.