Objective

Our objective was to assess whether Decision Analysis Reports (DAR) I and II cybersecurity investments’ stated performance metrics aligned with the Corporate Information Security Office (CISO) strategic and cost objectives.

To establish a sound cybersecurity foundation, the Postal Service has made significant investments in information security. In 2015, the Postal Service approved [redacted] million in investments: [redacted] million for Cybersecurity DAR I and [redacted] million for Cybersecurity Improvements DAR II.

In addition to these investments, these DARs included projected operating expenses of [redacted] million from fiscal years (FY) 2016 through 2022. Capital and deployment investments for DARs I and II were completed in November 2015 and September 2017, respectively. Ongoing operating expenses for each DAR continue to be incurred.

Each DAR’s total approved investment amount comprises a capital investment, deployment investment expenses, and first-year operating expenses. Thereafter, an annual budget must be submitted for each year’s operating expenses for each DAR.

What the OIG Found

Overall, the Postal Service’s investment strategies have been effective in strengthening its enterprise cybersecurity program and achieving strategic objectives. However, the Postal Service could enhance its financial commitments to the long-term capabilities of administering the cybersecurity program by establishing continued budgets to fund annual operating expenses.

We found the Postal Service uses the DAR process to approve, monitor, and fund operating expenses for cybersecurity investments. However, the day-to-day expenses that sustain ongoing cybersecurity operations are not considered investments under Postal Service investment policy. These operating expenses are necessary, administrative in nature, and not expected to end. Examples include rent, software licenses and services, and employee and contractor support.

This occurred because the Postal Service has not performed long-range planning for administering the cybersecurity program. Without an ongoing cybersecurity operating budget, the Postal Service may not be able to appropriately secure the enterprise to ensure uninterrupted service delivery, preserve customer and employee trust, and maintain competitive products in the digital marketplace. Additionally, the use of multiple finance numbers to manage the investments has made it difficult for management to exercise oversight of the DARs.

We also found the CISO did not track line item expenditures in sufficient detail throughout the DAR II investment. This occurred because CISO treated all approved operating expenses as a single budget not subject to annual budgetary limits. As a result, CISO could not readily determine whether the [redacted] million in DAR II overspending consisted of operational or deployment expenses. Additionally, without detailed tracking of project expenditures, the sponsor cannot evaluate achieved benefits, identify and implement corrective action, or document any required operational or capital investment modifications.

What the OIG Recommended

We recommended management create and execute a program/administrative budget to adequately plan and administer an ongoing cybersecurity program and manage and track DAR II spending against cash flow line items throughout the investment.


Comments (1)

  • anon

    Your report is well done. It is very concerning, though, to me as a citizen that I may not necessarily feel protected when I'm giving my information and credit card information at the post office. I noticed that the report ends with a recommendation broader than a mandate. Where is the follow-up and oversight to ensure this recommendation is initiated? This does leave a sense of uneasiness that the government is really not watching out and not doing the job they should be in protecting citizens and their personal information.

    Nov 26, 2018