The U.S. Postal Service has one of the world’s largest computer networks, which enables nationwide communication among more than 32,000 facilities. Over 500,000 employees work at these facilities, processing and delivering almost 155 billion mail pieces annually. In addition, the computer network stores, transmits, and processes financial, employee, contractor, and vendor information.
The Mass Data Compromise Response Plan (MDCRP) was developed in fiscal year 2010 to enable the Postal Service to respond to the threat of cyber intrusions. It defines the roles and responsibilities of response team members, specifies incident severity levels, outlines the process flow for incident management, and provides methodologies for conducting response activities. The Corporate Information Security Office (CISO) maintains and updates the MDCRP.
In October 2014, the CISO used four of the six sections of the MDCRP to respond to a cyber intrusion. These included the command structure, risk assessment, notification, and reporting sections. The remaining two sections, incident response and assessment, were not used during the 2014 cyber intrusion because the plan was not originally designed to respond to external cyber intrusions.
Since early November 2014, the chief information officer and supporting management have continued mitigating the cyber intrusion by upgrading computer systems, removing compromised servers and workstations, implementing additional security monitoring, limiting remote user access, and blocking access to personal email sites.
Our objective was to assess the sufficiency and implementation of the Postal Service’s MDCRP in response to the 2014 cyber intrusion.
What the OIG Found
Although the plan provided some guidance when the intrusion occurred, it needs to be updated to reflect best practices and to align with USPS policy. Specifically, the MDCRP did not have a security clearance requirement for groups such as the CISO or the Privacy and Records Office for responding to events that involve sensitive information. In addition, the MDCRP was missing five key elements: critical assets, comprehensive workflow processes, incident checklists, external communication protocols, and a Postal Service policy. Finally, the Postal Service tested the MDCRP only three times over the last 6 years.
According to the CISO technical service manager, this occurred because the MDCRP focused on internal employee threats rather than sophisticated external attacks. In addition, the CISO did not test the plan annually, as industry best practice recommends. The Postal Service is currently working to improve its response capabilities and intends to update the plan once some of those improvements are in place.
In addition, the CISO had challenges in effectively evaluating the extent of the cyber intrusion as required by the plan because it did not have the appropriate technology and services, such as forensic investigation services. Since the 2014 cyber intrusion, the Postal Service has started corrective action to identify and acquire the technologies and services required to better respond to and remediate future cyber intrusions.
The Postal Service approved two financial requests, one in February and one in July 2015, for technology and services required to address a cyber intrusion. The first financial request was for critical and immediate cyber intrusion activities. As part of this request, the Postal Service implemented technologies such as new hardware and software to increase control over critical applications, and deployed monitoring and intrusion detection software.
The second financial request provides for a more robust security posture for the organization such as expanding the CISO and improving cybersecurity awareness and training. The acting manager, CISO, said the plan will be updated after the CISO receives the results of the October 2015 testing and the findings and recommendations from this audit. An updated plan must include, at a minimum, critical information technology assets, comprehensive workflow processes, incident checklists, external communication protocols, Postal Service policy requirements, and annual testing. A comprehensive plan will ensure the Postal Service is better prepared to respond to future cyber intrusions.
What the OIG Recommended
We recommended the Postal Service update its MDCRP to incorporate external cyber intrusion threats and include a security clearance requirement for employees. We also recommended CISO add the five key elements that are missing from the plan and test it at least annually.