DOD repurposed IT equipment without scrubbing sensitive info, audit reveals

Inspector General finds inadequate controls for getting rid of used IT equipment

Some Defense Department organizations haven't scrubbed data from information technology equipment before disposing of the hardware, resulting in the possible release of information that could be used for identity theft or of other sensitive DOD information, according to an Inspector General audit.

An investigation by DOD's IG also found that one organization had lost track of one unclassified computer entirely, the report said. The IG released the report Sept. 21.

Also failing to meet guidelines was the Defense Reutilization and Marketing Service, the destination for much of the excess IT equipment in question. DRMS processing centers are charged with ensuring proper sanitization before the equipment is released for reuse by other government agencies and non-governmental organizations.

The audit showed that several DOD organizations did not follow disposal policies, did not properly train personnel or did not develop and implement on-site procedures for the authorized release of IT equipment. Unaccounted-for equipment and hard drives with leftover readable information, including data such as Social Security numbers and e-mail folders, comprised most of the instances of noncompliance.

The audit also showed that some DOD-issued guidance for IT equipment disposal was out of date and didn’t address newer data-storage technologies.

“As a result, four DOD components could not ensure personally identifiable information or other sensitive DOD information was protected from unauthorized release,” the report said.

In response, most of the DOD organizations concurred with recommendations issued by the IG as part of the report, including updating, clarifying and implementing disposal policies and adhering to “applicable laws and regulations.”

One response, from the Army Corps of Engineers Directorate of Information, stipulated that its hard drives in question were not destined for reuse, contained only unclassified data and were destroyed by a General Services Administration-approved facility with transport controls and oversight. Other organizations identified in the report said either that they were not aware of the specific DOD directive for IT equipment disposal or that they had taken other measures to ensure safe disposal of equipment and information.

Under a 2001 Assistant Secretary of Defense for Command, Control, Communication and Intelligence memorandum, there are only three acceptable ways to sanitize equipment hard drives: overwriting with software to release for reuse, demagnetizing or “degaussing” to render data unreadable, or physically destroying the equipment by force after overwriting or degaussing.

The components audited and cited included the Army Corps of Engineers; Naval Air Warfare Center Aircraft Division at Patuxent River, Md.; the 436th Medical Group at Dover Air Force Base, Del.; the 50th Space Communications Squadron at Schriever Air Force Base, Colo.; and the Army Garrison at West Point, N.Y.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

