A recent evaluation report released by the Inspector General of the U.S. Department of Defense (DoD) has shed light on significant gaps in the security and management of biometric data within the Department. The report provides a comprehensive analysis of the DoD’s control and accountability mechanisms over technologies used to collect, store, and transmit biometric data, especially in overseas operations.
The objective of the report was to assess whether the DoD has implemented sufficient controls to ensure the secure handling of biometric information. The DoD’s use of such data has been extensive, particularly in areas of conflict where accurate identification of individuals is critical for security operations.
The findings of the report revealed mixed results. On the positive side, the Services and combatant commands were generally compliant with existing DoD policies and their command-specific guidelines in maintaining property accountability for biometric devices. However, a significant concern highlighted was the lack of consistent information security controls across these devices. Notably, many of the biometric collection devices lacked data encryption capabilities. This oversight is attributed to a gap in the DoD’s biometric policy, which does not currently mandate such encryption standards.
Another key issue identified was the absence of a clear policy for the destruction or sanitization of biometric data upon disposal of these devices. This policy gap raises concerns about potential unauthorized access to sensitive biometric information, posing a risk to both operational security and the privacy of individuals whose data is collected.
In response to these findings, the report put forth several recommendations. Chief among them is the need for the DoD to update its policies to include stringent standards for data encryption on biometric devices, along with establishing a protocol for the sanitization of biometric data prior to device disposal. The report also emphasized the importance of maintaining proper records of data sanitization.
In a move to address these recommendations, the Chief of the Identity Intelligence Division from the Office of the Under Secretary of Defense for Intelligence and Security (OUSD(I&S)) has initiated the development of revised policies. These policies are expected to enforce enhanced encryption standards and set out clear guidelines for data sanitization. The revised DoD Directive, incorporating these changes, is projected to be approved and published by the first quarter of 2025.
The report signals the importance of safeguarding sensitive data and adapting to evolving technological challenges. As biometric technologies become increasingly integral to military operations, ensuring the security and proper management of this data is paramount for both operational effectiveness and the protection of individual privacy rights.
Source: Department of Defense
November 13, 2023 – by the FindBiometrics Editorial Team