Postal Service’s IT not fully protected from insider threats, watchdog says
An inspector general’s report says the U.S. Postal Service has not fully implemented a federally mandated program designed to protect its computer systems from insider attacks.
The partially redacted report examines the agency’s efforts to secure information deemed important to national security from potential misuse by employees, contractors or others with access to its network.
Federal agencies possessing national security information are mandated by October 2011’s Executive Order 13587 and the National Insider Threat Policy to protect that data with formal programs that include “organization-wide participation, standard operating procedures, and insider threat training and awareness.”
The report does not detail the nature of the national security information on the USPS network, but it says that the agency is not the originator of the information and only “a limited number of employees” have access to national security systems with electronic and hard-copy information.
The executive order requires any agency with access to national security information to have a formal insider threat program, with a framework and minimum standards laid out in the National Insider Threat Policy. The agency’s U.S. Postal Inspection Service is charged with maintaining the insider threat program, while coordinating with the agency’s chief information security officer on cybersecurity and information access protections.
USPS officials had not dedicated full-time resources to implementing some minimum protection standards laid out in the National Insider Threat Policy, the report says, and there were physical and security access breakdowns at facilities with national security information.
Investigators found deficiencies in four areas centering on the minimum standards required for an insider threat program. While the deficient areas were redacted, the OIG noted that they originated from 26 minimum standards crafted in the National Insider Threat Policy. Those standards are grouped under the following categories:
- Designate a senior official to oversee the insider threat program
- Information Integration, Analysis and Response
- Insider Threat Program Personnel
- Access to information
- Monitoring access to information
- Employee training and awareness
Additionally, the OIG found that five contractors had access to secure spaces at one USPS facility despite not having proper security clearances.
Another facility’s closed-circuit TV cameras overlooking its secured spaces were not functioning. Investigators also found one facility lacked a video intercom system, even though it’s required by standard operating procedure, and a separate facility didn’t have a fire extinguisher in its secure area.
The report said that USPS officials took corrective action for the physical security deficiencies during the OIG audit.
The inspector general offered three recommendations:
- That the chief postal inspector fully implement an insider threat program for national security information in accordance with National Insider Threat Policy minimum standards
- That the CISO establish and implement a formal organization-wide insider threat program
- That the chief postal inspector and vice president of information technology direct staff to have a fire extinguisher in secure spaces not currently in compliance, as well as other redacted details.
USPS officials agreed with the recommendations, offering to have the National Insider Threat Task Force’s 26 minimum standards operating at full capacity by Oct. 1, 2019.
Agency officials also agreed to implement an insider threat program, request funding in a future cybersecurity-related decision analysis report and finalize an organization-wide general insider threat module by Sept. 30, 2018, as well as install fire extinguishers in secure areas by Oct. 1, 2018.