Mitigation of Findings Identified During Assessment and Authorization Process

May 11, 2022

READ FULL ARTICLE AT » USPS Office of Inspector General

Introduction

This management alert presents issues the U.S. Postal Service Office of Inspector General (OIG) identified during the State of Cybersecurity audit (Project Number 21-205). Our objective is to notify Postal Service management of risks associated with security control deficiencies identified during the Assessment & Authorization (A&A) process that have not been mitigated. See Appendix A for additional information about this alert.

Background

The U.S. Postal Service uses approximately 545 business applications that provide services to both postal employees and its customers and has one of the federal government’s most frequently visited websites (usps.com). Given its large cyber presence, the Postal Service faces ongoing threats and challenges that have the potential to hinder its ability to carry out its core function of providing secure and reliable delivery of mail to homes and businesses.

As cyberattacks on the government continue to increase and become more sophisticated, the need for a well-defined A&A process is critical and helps an organization to be proactive rather than reactive to cybersecurity threats. The A&A process is a comprehensive process of determining sensitivity and criticality, defining security requirements, and assessing risk. This process establishes the extent to which the design and implementation of an application meet security requirements defined by federal guidelines, mandates, and the organization. Once these requirements are assessed, the Corporate Information Security Office (CISO) may grant one of these three approval statuses:

  • Full Authorization, which allows an application to operate on the network because it meets all necessary security controls.
  • Conditional Authorization, which allows an application to operate on the network under specific terms and conditions.
  • Deny Authorization, which indicates that the application does not meet security control requirements.

In October 2020, the Postal Service transitioned from the annual certification and accreditation process to a [redacted] A&A process to support the need for ongoing monitoring of security controls. Although the Postal Service has made strides in continuously monitoring and scanning systems on its network, we found issues with the process for mitigating security control deficiencies identified during A&A. Based on the critical nature of postal applications, the Postal Service should ensure that it has adequate security controls in place to prevent risk of exposure of postal systems and data.
