Department of Energy:
Procedures Lacking to Protect Computerized Data
AIMD-95-118: Published: Jun 5, 1995. Publicly Released: Jul 6, 1995.
- Full Report:
Pursuant to a congressional request, GAO provided information on the alleged sale of surplus Department of Energy (DOE) computer equipment to a private businessman, focusing on whether: (1) the sale actually occurred; (2) the surplus computers contained any classified or sensitive unclassified information; and (3) DOE is subject to Federal Information Resources Management Regulation (FIRMR) guidance concerning the security and protection of federal computer resources.
GAO found that: (1) between April 1, 1993, and September 30, 1994, DOE sold 25 to 50 surplus personal computers to an Idaho salvage dealer; (2) sales and inventory records did not indicate that the computers were used for processing classified data; (3) it could not determine whether the computers contained classified data, since the salvage dealer did not maintain complete records of the computers purchased; (4) DOE believes that some of the surplus computers contained sensitive data because the contractors responsible for disposing of them did not have written procedures on how to properly sanitize the computers; (5) DOE has implemented procedures to prevent the improper disclosure of sensitive data processed on its computers; and (6) DOE is subject to FIRMR Bulletin C-22 which requires it to establish security safeguards and procedures to ensure the proper disposition of sensitive automated information, but it has not taken action to ensure that the provisions are being implemented at DOE installations.
Recommendation for Executive Action
Status: Closed - Implemented
Comments: DOE published a Technical Security Advisory that provides information on the proper disposal of excess ADP equipment. It addresses the need to ensure that magnetic media, storage, or memory devices have been sanitized prior to being transferred or removed from service or declared excess. The transmittal memo provides information on software products that may be used for sanitization. However, according to the Unclassified Computer Security Program Manager, this advisory is not a departmental policy, and therefore, is not mandatory. Energy had intended to publish guidance in a mandatory policy that it was developing, but that policy was never finalized, and the Advisory was issued instead. Recent security concerns led Energy to reevaluate its security and to develop new computer security policies, which were implemented in July 1999. However, Energy has not incorporated the Advisory in the new policies.
Recommendation: The Secretary of Energy should direct the Deputy Assistant Secretaries for Information Management and for Procurement and Assistance Management to develop and implement procedures in DOE operations and field offices that instruct all contractors on the proper disposal of excess automatic data (ADP) processing equipment. These procedures should include instructions on how contractors should properly sanitize excess computers. The Secretary should then require all operations and field offices to adhere to these procedures when disposing of excess ADP equipment.
Agency Affected: Department of Energy