Review of the Postal Regulatory Commission’s Compliance With the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025

Read full article at https://www.uspsoig.gov

Background 

This report presents a review of the U.S. Postal Regulatory Commission’s (PRC) information security program and practices for fiscal year (FY) 2025. The Federal Information Security Modernization Act, amended in 2014 (FISMA), requires agencies to develop, implement, and document agencywide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget.

What We Did 

To meet the annual review requirement, we contracted with KPMG LLP (KPMG) to conduct this audit subject to our oversight. The audit objectives were (1) to determine the effectiveness of the PRC’s information security program and practices in six framework function areas: Govern, Identify, Protect, Detect, Respond, and Recover, and (2) to follow up on the status of corrective actions taken by the PRC to implement the prior year performance audit recommendations and determine whether corrective actions for open FISMA recommendations were effectively implemented.

What We Found 

The PRC has made incremental advancements in its information security program since the FY 2024 FISMA audit. However, it has opportunities to continue to improve its information security program. While the PRC has developed plans of action and milestones to address all of the recommendations from FY 2024’s FISMA audit finding, policies, procedures, and processes to manage its information security program are not finalized or implemented. As a result, the IG FISMA Metrics were rated a Defined (Level 2) maturity level for the six framework functions. KPMG reported one repeat finding (see Section III) pertaining to the functions and their respective 10 metric domains.

Recommendations and Management’s Comments 

KPMG made two new recommendations and referenced the six open prior recommendations to address the issues identified in the report across the 10 FISMA metric domains. The PRC agreed with all recommendations. KPMG considers management’s comments responsive to all recommendations, and corrective actions should resolve the issues identified in this report.
