A recently released report from the Department of Defense Office of Inspector General (DoD OIG) finds that DoD doesn’t have enough accountability over devices that collect biometric data.
The Nov. 8 report, “Evaluation of the Control and Accountability of DoD Biometric Data Collection Technologies,” notes that the Services and Combatant Commands have followed DoD policy on biometric devices. However, the report determines that some biometric devices did not have the ability to encrypt data stored on them.
“This evaluation was intended to assess and help prevent unauthorized personnel, including adversaries, access to sensitive personal information that could jeopardize the safety of both U.S. and partner forces,” said IG Robert Storch. “Improving DoD-wide standards for encryption and data protection requirements for biometric devices would help to reduce the risks of inadvertent release of such sensitive information.”
The DoD OIG explained that the Services and Combatant Commands followed DoD policy and their own specific guidance and procedures and maintained proper accountability of biometric devices.
However, the report also notes that some biometric devices did not have the ability to encrypt data stored on them because DoD’s current biometrics policy does not specify information security standards or require encryption capabilities on biometric devices.
Additionally, the IG found that DoD did not consistently provide certification of destruction or sanitization of biometric data when biometric devices were turned in for disposal.
To address these issues, the DoD OIG recommended that the under secretary of Defense for intelligence and security update the DoD biometrics policy to include standards for encrypting and protecting data on biometric devices.
The report also recommends that biometric device owners and custodians be required to sanitize data and maintain sanitization records when turning in the devices for disposal.
DoD officials agreed to take those recommended actions.
