Background
This report presents a review of the United States Postal Regulatory Commission’s (PRC) information security program and practices for fiscal year (FY) 2024. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, implement, and document agencywide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget.
What We DId
To meet the annual review requirement, we contracted with KPMG LLP (KPMG) to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of the PRC’s information security program and practices in five framework function areas: Identify, Protect, Detect, Respond, and Recover.
What We Found
The PRC has opportunities to improve its information security program. Specifically, the PRC began to draft and implement policies, procedures, and processes to manage its information security program. However, KPMG determined that these initiatives were not completed. As a result, the Core Metrics and Supplemental Group 2 Metrics were rated an Ad-Hoc (Level 1) maturity level for the five framework functions. KPMG identified one finding (see Section III) pertaining to the functions and their respective nine metric domains.
Recommendations and Management’s Comments
KPMG made nine recommendations to address the issues identified in the report across the nine FISMA metric domains. The PRC agreed with all recommendations. KPMG considers management’s comments responsive to all recommendations, as corrective actions should resolve the issues identified in the report.