The FBI’s inventory management and disposition procedures for its electronic storage media – including sensitive and classified data – have raised concerns at the Department of Justice’s (DoJ) Office of the Inspector General (OIG).
In a management advisory memo released on Aug. 22, the DoJ OIG found that the FBI does not always account for its loose electronic storage media and does not have the ability to confirm if the extracted sensitive data – held on hard drives, thumb drives, and floppy disks – was properly destroyed.
As a result of last week’s memo, the FBI said its Office of the Chief Information Officer – alongside other FBI technical security stakeholders – created the “Physical Control and Destruction of Classified and Sensitive Electronic Devices and Material Policy Directive,” which will require marking and accountability as envisioned in the DoJ OIG review.
“The policy is in the final editing stage in the FBI’s Internal Policy Office,” the agency wrote.
According to the memo, the DoJ OIG found three areas of concern in the FBI’s media accountability and disposition efforts.
The first area for improvement includes ensuring all electronic storage media containing sensitive or classified information are appropriately accounted for, tracked, timely sanitized, and destroyed.
“The FBI instructs field offices to remove hard drives slated for destruction from Top Secret computers,” the report says. “However, extracted internal hard drives are not tracked, and the FBI does not have the ability to confirm that these hard drives that contained [sensitive] and/or [national security] information were properly destroyed. The lack of accountability of these media increases the risk of loss or theft without possibility of detection.”
The OIG also found that the FBI fails to properly label electronic storage media.
“When extracting internal electronic media for disposal, these internal media become stand-alone assets without any label to identify the level of classification of information they contained or processed,” the report says. “These practices are not in accordance with FBI and DOJ policies.”
Finally, the OIG found that the FBI does not physically secure its electronic media slated for disposal.
“A pallet containing extracted internal hard drives marked non-accountable had been stored for 21 months and had wrapping that was torn and left open,” the report reads. “This facility is shared with other FBI operations, such as logistics, mail, and information technology equipment fulfilment, and had almost 400 persons with access as of May 2024, including 28 task force officers and 63 contractors from at least 17 companies.”
“Both the FBI supervisor and contractor confirmed that they would not be aware if someone was to take hard drives from the pallets because these assets are not accounted for or tracked,” the OIG found.
The DoJ OIG made three recommendations to improve the FBI’s management of its inventory and disposition for its electronic storage media. The FBI agreed with all three recommendations and, as a result, the recommendations are considered resolved.
