USPS OIG Report: Postal Inspection Service’s Oversight of Facility Security and Access Control

Background

The U.S. Postal Inspection Service is responsible for Postal Service policies, procedures, standards, and requirements for facility security and access controls. It has also established a risk management process — the Vulnerability Risk Assessment Tool (VRAT) — to ensure compliance with facility security policies and procedures and identify facility security deficiencies. Additionally, the Postal Inspection Service is an associate member of the Interagency Security Committee (ISC) formed by Executive Order 12977 to enhance the quality and effectiveness of security in protecting federal facilities.

What We Did

Our objective was to assess whether the Postal Inspection Service’s facility security and access control policies align with federal standards and best practices and how identified security deficiencies are addressed. Specifically, we evaluated policies and procedures related to facility security and access control, assessed risk management policies and procedures for facilities, reviewed the ISC’s standards and best practices for facility security, and analyzed VRAT data.

What We Found

“Specifically, we found that the Postal Inspection Service groups facilities into three security tiers based on the criticality of the facility to the U.S. Postal Service’s mission. Because the Postal Inspection Service relies on only one of the six required security factors for determining the security level, 99 percent of facilities are placed in the lowest risk group. Further, the Postal Inspection Service does not assign a baseline level of protection based on the security level or regularly reassess the required security measures. As a result, required security measures may not be commensurate with the risks faced by a particular facility, causing facilities to potentially face unmitigated risks or resources to be expended on unnecessary security measures. We also found that the guidance surrounding the VRAT is insufficient for security control officers to identify the appropriate status of facility security deficiencies identified in VRAT.”

Source: USPS OIG
