Watchdog review compels DOD to refresh its biometrics policy
The Pentagon recently initiated a process to formally update the policies governing how its components protect and secure biometric data and devices, after a recent oversight review revealed records-keeping and information security gaps that could be placing sensitive national security information at risk of exposure to malicious actors.
A team led by the chief of the identity intelligence division from the Office of the Under Secretary of Defense for Intelligence and Security, which is overseeing the development of these new policies, anticipates that approvals and publication will occur by the first quarter of fiscal 2025.
The move comes after a Defense Department Office of the Inspector General-led investigation between February and August found that some military components are not properly encrypting biometric data, and also not verifying that data on federal biometric devices is sanitized (or deleted) accordingly at the time of their disposal.
“This could jeopardize force protection by providing adversaries with the biometric information and identities of friendly forces and other individuals assisting the United States,” according to the OIG assessment.
Based on existing DOD standards, biometrics refers to the process of recognizing a person based on measurable anatomical, physiological, or behavioral characteristics — like fingerprints or iris patterns.
Biometric data is computer-generated information collected from those features.
“Military units conducting overseas operations use biometrics to identify individuals encountered in the field and share this information with other units and other federal agencies. The DOD has used biometrics to verify common access credentials; identify personnel seeking access to installations as friend, foe, or neutral; operate detention facilities; protect DOD personnel at expeditionary bases in theater; and recover and identify U.S. personnel,” officials wrote in the review.
For the study, the watchdog team interviewed many DOD personnel and other stakeholders; evaluated department-wide, service, and command‑specific procedures, directives and instructions on the control and accountability of biometric data-capturing technologies; and inventoried biometric devices across the organization, among other activities.
Among several findings, the officials uncovered that at least two service components supporting overseas operations — U.S. Army Central and U.S. Special Operations Command Europe — were operating with biometric devices that are not encrypted or encoded in a cyber-secure manner.
They also found that the Pentagon’s biometric community applies different approaches and guidance regarding the disposal of biometric hardware and the sanitization of data from them. Notably, existing DOD rules do not mandate that components provide certification of the destruction or sanitization of biometric data to the Defense Logistics Agency when the devices are turned over after use.
“Because the services and combatant commands did not consistently encrypt biometric data or certify that data on biometric devices were sanitized at the time of disposal, the DOD could allow unauthorized personnel, including enemy forces, access to sensitive information,” OIG officials wrote.
In accordance with their recommendations, the chief of the identity intelligence division of the Pentagon’s I&S directorate recently developed a plan of action and milestones to revise the department’s overarching policies regarding device cleaning and records to track them, and standards for protecting and encrypting biometric data across its sprawling enterprise.
“The Division Chief stated that they expect the revised [DOD standard] to receive the necessary approvals and be published by the first quarter of FY 2025,” the report states.
Based on those actions, the OIG team considers their official recommendations resolved but open.
“We will close the recommendations when we receive and review the directive that includes the modifications as stated,” they confirmed.
Pentagon spokespersons didn’t respond to questions from DefenseScoop this week regarding the I&S team’s new plan of action for this policy revamp.