Background
The U.S. Postal Service performs a variety of operations, dependent on its vast information technology infrastructure. This infrastructure encompasses 761 systems that the Postal Service strives to maintain and secure from network attacks. In support of the Delivering for America plan, the Postal Service plans to invest in modernizing and enhancing cybersecurity technologies, but it is still managing outdated computing system hardware and software (legacy systems). At least 62 of the Postal Service’s 761 systems were considered legacy as of December 2023. Secure systems are imperative to uninterrupted operations and protecting Postal Service data.
What We Did
Our objective was to assess legacy systems at the Postal Service and address Postal Service’s mitigation of risks for these systems. For this audit, we reviewed Postal Service’s 1) legacy system inventory and processes for managing legacy systems; 2) guidance for risk mitigation and compliance with vulnerability remediation; and 3) inventory of systems using unsupported operating systems.
What We Found
We found the Postal Service did not effectively manage its legacy systems and associated risks. Specifically, the Postal Service had documented risks related to legacy systems for over seven years. Additionally, prior audits identified issues with the Postal Service’s risk management process and highlighted risks associated with some legacy systems. During this audit, the Corporate Information Security Office documented a plan to mitigate the risks in the Postal Service environment; however, the plan did not include completion dates. The ineffective management of legacy systems occurred because the Postal Service did not: sufficiently define legacy systems; identify all systems using legacy operating systems; and have provisions for managing the life cycle of operating systems. Unmanaged legacy systems leave the Postal Service’s systems and data vulnerable to known security exploits, which could allow attackers access to sensitive data or other systems.
Recommendations and Management Comments
We made two recommendations to address managing and mitigating risks associated with legacy systems. Postal Service’s management disagreed with the recommendations. Management’s comments and our evaluation are at the end of the finding and recommendations. The Office of Inspector General considers management’s comments nonresponsive and will work with management through the formal audit resolution process.