Containers of retired assets at the FBI were being stored in an unsecured area for weeks at a time, including unlabeled hard drives. | Photos courtesy U.S. Department of Justice
A recent criminal case involving device theft during federal government asset disposition jobs is shining new light on 2024 audits highlighting IT asset management weaknesses at the FBI and the Nuclear Regulatory Commission.
A former employee at ITAD provider Wisetek in December pleaded guilty to charges of conspiring against the United States, specifically for selling stolen property. He admitted to taking electronic devices during asset disposition jobs in the Washington, D.C., area, and reselling them to nearby secondhand electronics stores.
Among the victimized clients were federal agencies and government contractors, all of whom were unnamed in the court documents, which were released by the U.S. Attorney’s Office for the District of Columbia last month. There was modest evidence that the U.S. Agency for International Development was one victim agency – the agency’s inspector general, a role tasked with agency oversight, helped with the investigation – but agency and Department of Justice spokespersons declined to confirm.
Multiple audits completed by agency inspectors general in 2024 suggest data security problems were more widespread.
Federal Bureau of Investigation
In August 2024, the inspector general for the Department of Justice, Michael Horowitz, released a report outlining “concerns” related to the Federal Bureau of Investigation’s IT asset management and disposition practices.
Horowitz’s office didn’t set out to examine the agency’s ITAD practices, but they came to light during an audit of a specific FBI contract. And they were concerning enough that he issued the special report, calling for “immediate attention and action.”
“During this contract audit, we identified significant weaknesses related to the FBI’s inventory management and disposition procedures for its electronic storage media containing sensitive but unclassified information, such as law enforcement sensitive information, as well as classified national security information,” Horowitz wrote in the final report. “We also identified concerns regarding the physical security over these items at an FBI-controlled facility where the media destruction takes place.”
The FBI has an “asset management unit” that uses contractors to handle IT asset collection, data sanitization, destruction and disposal at a central location, according to the audit. This central unit receives assets from FBI headquarters, offices in the D.C. area, and from some of the 36 field offices across the U.S. Some field offices use their own ITAD vendors.
Extracted hard drives receive little attention
The bureau destroys devices in a priority order, with top secret or high-financial-value assets receiving first priority, then devices like laptops, printers, fax machines, TVs and digital cameras. Then comes answering machines, shredders and other bulky devices. Hard drives extracted from computers are in the lowest-priority category.
It’s those extracted hard drives that raised the most concern.
The audit found that the FBI “does not always account for” storage devices, including extracted hard drives, being retired from offices. FBI personnel put asset tracking labels on each computer chassis, but when hard drives are removed from computers during the disposition process, the hard drive doesn’t receive its own tracking label. That meant there were unlabeled extracted hard drives stored in boxes or on the floor of the FBI asset management unit when the auditors visited.
Additionally, even when drives were labeled, FBI staff noted that because the drives were in the lower-priority category than computers, they were not being tracked as rigorously. External hard drives were being closely tracked, but not the internal drives once they were extracted.
Staff told auditors the extracted devices were treated differently because, per FBI agency guidelines, those drives are supposed to be degaussed, a common method of data erasure, at the same time. But staff confirmed “not all hard drives, particularly hard drives extracted by local FBI field office IT specialists and shipped from field offices, are being handled in accordance with this best practice.”
Sometimes computers arrive without any internal hard drives, staff noted, and it’s unclear to asset management staff what was done with the drive. Finally, staff added that when field offices send devices to the asset management facility, they don’t always detail how many hard drives were sent.
That meant asset management staff were “unable to verify that the quantities received are the same quantities shipped.”
“We believe that the FBI’s practice of not accounting for extracted internal hard drives, thumb drives, and other media devices is not consistent with FBI or DOJ policies to ensure accountability of media containing sensitive or classified information,” the auditors wrote.
The auditors recommended the FBI revise its guidelines to ensure extracted drives are tracked and otherwise appropriately accounted for, like other storage media, and FBI agreed to take those steps.
Unguarded gaylords contained unlabeled and confidential drives
Another concern was insufficient internal physical security at the asset management facility. Auditors arrived in a 2023 site visit to find an “open pallet-sized box of extracted electronic storage media, specifically hard drives and solid-state drives,” including “electronic media without any marking or label, as well as media marked unclassified and secret.” A staff member told auditors the open box was unsecured for days or even weeks.
During that same visit, auditors found a pallet with a container whose “shrink wrapping was torn, and boxes inside were visibly open and contained hard drives marked Secret.”
The auditors noted that the asset management unit is shared with other FBI operations and that “there were 395 persons with active access to the facility, which included 28 task force officers and 63 contractors from at least 17 companies.” One security camera in the area was broken and others provided poor camera coverage, auditors added.
An FBI asset management supervisor and contractor both “confirmed that they would not
be aware if someone was to take hard drives from the pallets because these assets are not counted or otherwise tracked.”
One final point of concern was a lack of labels on some extracted hard drives and flash drives indicating their level of information confidentiality.
The auditors recommended strengthening security protocols to prevent asset theft or loss at the facility, and to ensure all electronic storage devices were marked with appropriate information classification levels. The agency agreed.
Nuclear Regulatory Commission
A July 2024 audit outlined problematic IT asset management practices at the Nuclear Regulatory Commission, a federal agency tasked with nuclear energy regulation.
Completed by the agency’s assistant inspector general for audits and evaluations, Hruta Virkar, the audit found that four laptops were not returned when three employees left the agency in 2023; that in a database laying out where 980 assets were located, over two-thirds of the devices were not actually in the stated location; and that established IT asset decommissioning practices were not being followed in some cases.
The latter concern focused on 1,500 IT assets that were “stored in headquarters awaiting disposal,” including some that were there since 2022. The assets were supposed to be retired by a third-party vendor, and the inspector general’s office determined the backlog was mostly because of how contract documentation was written. Some of the language lacked wording requiring “timely completion” of data sanitization.
Additionally, the agency’s decommissioning process included a step in which asset sanitization would be “verified” before the devices were released to the agency’s administrative office, which handles final disposal. But this verification step “made it unclear who was responsible for the assets, causing the assets to accumulate,” auditors found.
The stockpile led to the agency spending an unnecessary $37,000 on software licenses installed on the unused devices, the auditors noted.
The audit made a handful of recommendations, which agency management generally agreed with, according to the report. Rewriting the ITAD contract – which is up in April 2025 – to include timely service requirements, and refining the agency’s standard operating procedures to specify details of the “verification” step, were among them.