The FBI’s data handling practices were sharply criticized during a recent Justice Department (DOJ) audit, with the Office of the Inspector General (OIG) noting that the agency is failing to adequately control its storage media and that its disposal methods are potentially exposing sensitive and classified information.
Much of the criticism seems to focus on the use of removable drives across the agency; not just thumb and flash drives, but also removable internal hard drives. OIG also took issue with some physical security measures at FBI facilities, and the agency has responded to the audit by announcing it will update its policies to improve disposal practices and labeling of storage media among other items.
FBI data handling practices under review after DOJ inspection
The OIG report points to serious issues with tracking of storage media, including, at times, losing the chain of custody and records of current locations. This includes internal hard drives removed from computers classified as “Top Secret.” In some cases these hard drives and other media drives were placed on pallets as they waited to be destroyed, and the report indicates these pallets sometimes sat for periods of up to two years and were not properly guarded.
OIG noted that the FBI had a sufficient labeling system in place for computers and servers that hold sensitive information, but that this program did not extend to thumb drives and other forms of removable media (including the hard drives pulled from computers that were otherwise labeled). An FBI supervisor and a contractor that runs the facility confirmed that there was no way of knowing if these devices were accessed by people in the building once they were placed on the pallets. The report also noted that a video surveillance system that is supposed to watch over the door to the storage area has been non-functional for months due to an incomplete installation.
The facility (left unnamed for security reasons) is FBI-controlled, but is accessed by multiple contractors from outside private businesses and is home to a number of different agency operations that are less sensitive (such as mail and logistics). The report found that 395 total people had approved access to the facility, including 63 contractors from 17 different outside companies that in some cases were part of the data handling process. Some contractors had access to the storage media awaiting destruction for the purposes of sanitizing and disposing of it.
The facility is a central disposal location that takes in storage media from a wide variety of FBI offices across the country including its national headquarters and 36 regional field offices. Though these materials are not labeled, facility data handling procedures require all electronic media slated for disposal to be treated as if it has classified national security information (NSI) or sensitive but unclassified (SBU) information on it.
Storage media destruction a low priority item for FBI
The report indicates that the reason some of this storage media sat for as long as two years is that agency data handling procedures put computer drives at the bottom of the priority list for destruction. Bulky items, such as televisions and full computers, are prioritized for obvious logistical reasons. However, any item that is labeled as having NSI or SBU on it is supposed to jump over these items to the top of the priority list. Though the facility policy is to treat all drives as if they might have sensitive information on them, the fact that they were not actually labeled or sorted seems to have created a bureaucratic snafu that left them sitting for long periods as if they were a standard low priority item.
This seems to have created a somewhat comical situation in which computers labeled as “Top Secret” would still be prioritized for destruction, but the contents that prompted that labeling were removed with internal hard drives that were routinely shipped via the Defense Courier Service to save money. When drives were shipped in this way, FBI agents may have attached a label indicating what specific computer the drive was removed from, but the facility would simply add these drives to the low priority bins even if such a label was present, as it did not independently indicate that NSI or SBU was on them.
The OIG recommended that the FBI improve its data handling by properly tracking and labeling these drives, and that it beef up physical security. The FBI said that it is developing a new data handling directive called “Physical Control and Destruction of Classified and Sensitive Electronic Devices and Material Policy Directive” in response to the audit. Brett Hansen, CGO at Cigent, speculates on what this might include: “Meeting mission requirements and the ever-evolving threat landscape can make ensuring the integrity of data throughout its lifecycle a daunting task. Organizations like the FBI first need to universally adopt proven techniques and technology for safeguarding vulnerable data at the edge. These include Hardware Full Drive Encryption with Pre-boot Authentication and Multi Factor Authentication. Proper disposal of data is also imperative and again there are technologies that can verify all data is permanently erased.”
Additionally, the FBI has said it will address the physical security issue by placing the storage media awaiting destruction inside of locked cages. OIG has said that it expects a progress update on all of these new measures in 90 days.

