A lot of concerns here, but one of my biggest is probably security hygiene. Are these folks plugging random USB drives into air-gapped government equipment? Are they emailing sensitive information around? Not good.
Frankly, if a copy of the private keys leaves a controlled server, the entire system should be considered compromised and torn down and redone, which might be the entire point of this...