Audit finds notable security gaps in FBI's storage media management

An audit from the Department of Justice's Office of the Inspector General (OIG) identified "significant weaknesses" in the FBI's inventory management and disposal of electronic storage media containing sensitive and classified information.

The report highlights multiple issues with policies and procedures or controls for tracking storage media extracted from devices, and significant physical security gaps in the media destruction process.

The FBI has acknowledged these issues and is in the process of implementing corrective actions based on the recommendations from OIG.

Findings

OIG's audit highlights several weaknesses in the FBI's inventory management and disposal procedures for electronic storage media containing sensitive but unclassified (SBU) as well as classified national security information (NSI).

The three key findings are summarized as follows:

  • The FBI does not adequately track or account for electronic storage media, such as internal hard drives and thumb drives, once they are extracted from larger devices, which increases the risk of these media being lost or stolen.
  • The FBI fails to consistently label electronic storage media with the appropriate classification levels (e.g., Secret, Top Secret), which could lead to mishandling or unauthorized access to sensitive information.
  • The OIG also observed insufficient physical security at the FBI facility where media destruction occurs. This includes inadequate internal access controls, unsecured storage of media awaiting destruction, and non-functioning surveillance cameras, all of which heighten the risk of classified information being compromised.

[Image: Pallet with storage devices exposed in FBI's facility. Source: OIG]

Recommendations and FBI's response

The OIG has made three specific recommendations to the FBI to address the identified problems.

  1. Revise procedures to ensure all electronic storage media containing sensitive or classified information, including hard drives that are extracted from computers slated for destruction, are appropriately accounted for, tracked, timely sanitized, and destroyed.
  2. Implement controls to ensure its electronic storage media are marked with the appropriate NSI classification level markings, in accordance with applicable policies and guidelines.
  3. Strengthen the control and practices for the physical security of its electronic storage media at the facility to prevent loss or theft.

The FBI acknowledged the audit's findings and stated it is in the process of developing a new directive titled "Physical Control and Destruction of Classified and Sensitive Electronic Devices and Material Policy Directive."

This new policy is expected to address the problems identified in the storage media tracking and classification markings.

[Image: Protective cages to be used in FBI storage facilities. Source: OIG]

Additionally, the FBI said it is in the process of installing protective "cages" to use as storage points for the media, which will be covered by video surveillance.
