Fed Contract Pros™

Improving FBI's Inventory Management and Security of Electronic Storage Media

The Office of the Inspector General (OIG) has audited the Federal Bureau of Investigation's (FBI) inventory management and disposal procedures for electronic storage devices. The audit revealed serious issues in the handling, tracking, and security of sensitive electronic storage media, including devices carrying sensitive but unclassified (SBU) information and classified national security information (NSI). The findings have implications for federal government contractors, particularly those that handle or manage sensitive computer data. Understanding these concerns and the associated corrective actions gives contractors useful insight into best practices for information security and compliance.

The audit uncovered several significant flaws in the FBI's current practices. The most significant is the lack of adequate policies and procedures for accounting for electronic storage media removed from devices, such as thumb drives and internal hard drives. The FBI has not consistently labeled these storage devices with the appropriate NSI classification or SBU marking, a vital step in ensuring the safe handling and destruction of sensitive material. Furthermore, the audit uncovered flaws in the physical security procedures at the FBI-controlled facility where media are destroyed. The facility did not have effective internal physical access controls, which could allow unauthorized access to sensitive or classified information.

One of the report's key findings is the FBI's failure to adequately account for loose electronic storage media, such as computer hard drives and thumb drives. These items are frequently removed from larger devices such as computers and servers, but the extracted media are not tracked separately in the Asset Management System (AMS). This omission poses a substantial risk: sensitive data stored on these devices could be lost or stolen without detection, because no record says the media should exist. The audit also found that the FBI did not consistently label the extracted storage devices with the proper classification markings, which violates both FBI and Department of Justice (DOJ) rules. Without proper labeling, media cannot be handled or destroyed according to the sensitivity of what they hold, raising the risk that sensitive information is mishandled or exposed to unauthorized individuals.

The audit also noted that the FBI's facility for destroying electronic media lacks adequate security safeguards. During a site visit, the OIG found electronic storage media, such as hard drives and solid-state drives, stored in insecure, open pallet-sized crates labeled "non-accountable." These crates held media that carried no marking at all alongside media marked unclassified or secret. The audit found that these pallets had been left unsecured for extended periods, often days or weeks, and were accessible to a significant number of FBI and non-FBI staff, as well as contractors from numerous companies. This situation not only raises the possibility of theft, but also means that media labeled "non-accountable" could still hold sensitive data that nobody was tracking.

In response to the audit findings, the OIG issued several recommendations to the FBI. First, the OIG recommended that the FBI improve its procedures to ensure that all electronic storage media containing sensitive or classified information are properly accounted for, tracked, sanitized, and destroyed in a timely manner. This recommendation underlines the importance of tighter inventory management in preventing the loss or theft of sensitive data. Contractors can learn from this by instituting equivalent controls in their own operations, such as keeping complete records of all electronic storage media, including media removed from a parent device, and ensuring that all sensitive data is correctly identified and tracked throughout its lifecycle, from the moment a drive is pulled until its destruction is verified.

Second, the OIG recommended that the FBI develop measures to verify that all electronic storage media are labeled with the proper NSI classification level. Labeling is what tells a handler how a device must be stored, transported, sanitized, and destroyed, so it is critical for protecting sensitive data and for ensuring compliance with federal rules.
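To make the two preceding recommendations concrete, here is a small lifecycle tracker for loose storage media. It is an added example written for this page, not code from the OIG report or from the FBI's AMS. It shows what "accounted for, tracked, sanitized, and destroyed" and "labeled with the proper classification level" look like as enforced rules rather than guidance: a drive removed from a host gets its own accountable record, inherits a label no lower than the host it came from, cannot advance toward destruction while unlabeled, must record the sanitization method, and keeps a custody log; an audit pass flags unlabeled or stale media, and a reconciliation pass compares a physical count at the destruction site against the records so that untracked drives (the "non-accountable" pallet problem) show up. The state names, identifiers (`WS-0001`, `HDD-1001`, `USB-9999`, technician names), the seven-day threshold, and the scenario data are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Optional

class Level(IntEnum):      # ordered so max() gives the high-water mark of two labels
    UNCLASSIFIED = 0
    SBU = 1                # sensitive but unclassified
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4

# Permitted lifecycle transitions (hypothetical state names chosen for this example).
TRANSITIONS = {"in_service": {"extracted"}, "extracted": {"pending_destruction"},
               "pending_destruction": {"sanitized"}, "sanitized": {"destroyed"},
               "destroyed": set()}
ON_SITE = {"pending_destruction", "sanitized"}   # states expected at the destruction facility

@dataclass
class Asset:
    asset_id: str
    kind: str                        # "host" or "media"
    level: Optional[Level]           # None: the item carries no classification label
    status: str = "in_service"
    parent_id: Optional[str] = None
    custody: list = field(default_factory=list)   # (when, actor, event) entries

class Inventory:
    def __init__(self):
        self.assets = {}

    def add_host(self, host_id, level, actor, when):
        self.assets[host_id] = Asset(host_id, "host", level, custody=[(when, actor, "registered")])

    def extract_media(self, host_id, media_id, actor, when, level=None):
        """A drive pulled from a host becomes its own accountable record, labeled no
        lower than the host it came from (high-water mark of the two labels)."""
        host = self.assets[host_id]
        if host.kind != "host":
            raise ValueError(f"{host_id} is not a host")
        labels = [lv for lv in (level, host.level) if lv is not None]
        self.assets[media_id] = Asset(media_id, "media", max(labels) if labels else None,
                                      status="extracted", parent_id=host_id,
                                      custody=[(when, actor, f"extracted from {host_id}")])
        return self.assets[media_id]

    def transition(self, asset_id, new_status, actor, when, note=""):
        """Move an item along the lifecycle; unlabeled media cannot advance, and a
        sanitization entry must name the method used."""
        a = self.assets[asset_id]
        if new_status not in TRANSITIONS[a.status]:
            raise ValueError(f"{asset_id}: {a.status} -> {new_status} not permitted")
        if a.level is None:
            raise ValueError(f"{asset_id}: unlabeled media cannot move to {new_status}")
        if new_status == "sanitized" and not note:
            raise ValueError(f"{asset_id}: sanitization must record the method used")
        a.status = new_status
        a.custody.append((when, actor, f"{new_status} {note}".strip()))

    def audit(self, now, max_days=7):
        """Records-only check: unlabeled media, and media stuck before sanitization."""
        findings = []
        for a in (x for x in self.assets.values() if x.kind == "media"):
            if a.level is None:
                findings.append((a.asset_id, "no classification label"))
            age = now - a.custody[-1][0]
            if a.status in ("extracted", "pending_destruction") and age > timedelta(days=max_days):
                findings.append((a.asset_id, f"unsanitized for {age.days} days"))
        return findings

    def reconcile(self, observed_ids):
        """Compare a physical count at the destruction site with the records:
        returns (items seen that no record covers, recorded items not seen)."""
        observed, media = set(observed_ids), [a for a in self.assets.values() if a.kind == "media"]
        known = {a.asset_id for a in media}
        expected = {a.asset_id for a in media if a.status in ON_SITE}
        return sorted(observed - known), sorted(expected - observed)

def demo():
    """Constructed scenario; returns (audit findings, untracked, missing, rejected move)."""
    inv, t0 = Inventory(), datetime(2024, 1, 1)
    inv.add_host("WS-0001", Level.SECRET, "techA", t0)
    inv.add_host("WS-0002", None, "techA", t0)
    inv.add_host("WS-0003", Level.SBU, "techA", t0)
    # Drive pulled from a SECRET host inherits SECRET even though nobody labeled the drive.
    inv.extract_media("WS-0001", "HDD-1001", "techA", t0 + timedelta(days=1))
    inv.transition("HDD-1001", "pending_destruction", "techB", t0 + timedelta(days=2))
    # Drive from an unlabeled host stays unlabeled; the tracker refuses to move it on.
    inv.extract_media("WS-0002", "SSD-2002", "techA", t0 + timedelta(days=1))
    try:
        inv.transition("SSD-2002", "pending_destruction", "techB", t0 + timedelta(days=2))
        rejected = None
    except ValueError as e:
        rejected = str(e)
    # Drive that completed the whole lifecycle and is no longer accountable.
    inv.extract_media("WS-0003", "HDD-3003", "techA", t0 + timedelta(days=1))
    inv.transition("HDD-3003", "pending_destruction", "techB", t0 + timedelta(days=2))
    inv.transition("HDD-3003", "sanitized", "techC", t0 + timedelta(days=3), "NIST SP 800-88 purge")
    inv.transition("HDD-3003", "destroyed", "techC", t0 + timedelta(days=4), "shredded")
    findings = inv.audit(now=t0 + timedelta(days=20))
    untracked, missing = inv.reconcile(["USB-9999"])   # drives counted on the site pallet
    return findings, untracked, missing, rejected
```

Running `demo()` produces three audit findings (`HDD-1001` waiting 18 days for sanitization, `SSD-2002` unlabeled and waiting 19 days), a reconciliation result showing `USB-9999` on the pallet with no record and `HDD-1001` recorded as on site but not counted, and a rejected attempt to advance the unlabeled drive. The point of the design is that "non-accountable" is never a label a person applies to a crate; an item only stops being accountable when its record reaches `destroyed`, and the record cannot get there without a classification label and a named sanitization method.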

Finally, the OIG advised the FBI to tighten its physical security procedures at the site where electronic storage media are handled and destroyed. This includes installing secure cages to hold unsanitized and unwrapped hard drives until they are destroyed, and expanding camera coverage to monitor vulnerable areas.