What is biometric data?
Guessing that they were using a thumb print to logon rather than a password? I confess that I’m not sure if this is a huge problem. CIA would want to know if an agent from another agency who hasn’t logged on in a long time is “still the same guy/gal” and that it isn’t somebody spoofing their security. So like required password updates at set intervals, they still require biometrics to be updated.
It also sounds like the USB devices was maintaining a record of logins for a comparison check. So I’m guessing that the USB dongle was required for biometric access to all computer networks, not just this network.