Department of Energy

This report provides information on an alleged sale of surplus Energy Department (DOE) computer equipment to an Idaho businessman. GAO discusses whether (1) the sale actually took place and (2) any surplus computers sold to this businessman contained classified or sensitive unclassified information. GAO also discusses whether DOE is subject to Federal Information Resources Management Regulation Bulletin C-22, which provides guidance on the security and privacy protection of federal computer resources.

GAO found that: (1) between April 1, 1993, and September 30, 1994, DOE sold 25 to 50 surplus personal computers to an Idaho salvage dealer; (2) sales and inventory records did not indicate that the computers were used for processing classified data; (3) it could not determine whether the computers contained classified data, since the salvage dealer did not maintain complete records of the computers purchased; (4) DOE believes that some of the surplus computers contained sensitive data because the contractors responsible for disposing of them did not have written procedures on how to properly sanitize the computers; (5) DOE has implemented procedures to prevent the improper disclosure of sensitive data processed on its computers; and (6) DOE is subject to FIRMR Bulletin C-22 which requires it to establish security safeguards and procedures to ensure the proper disposition of sensitive automated information, but it has not taken action to ensure that the provisions are being implemented at DOE installations.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone: