Our objective was to determine whether the U.S. Postal Service effectively addressed security deficiencies at Network Distribution Centers (NDC) to enhance the safety and security of the work environment.
NDCs are highly mechanized Postal Service mail processing plants that distribute standard mail and provide package services. There are currently 21 NDCs nationwide, and Inspection Service and Postal Service personnel are responsible for security at those locations. The Vulnerability Risk Assessment Tool (VRAT) is the application employees use to identify security risks and vulnerabilities at these facilities.
What the OIG Found
The Postal Service and Postal Inspection Service did not always effectively address and monitor security deficiencies at the 11 NDCs we assessed. Specifically:
- Security officials did not always address security deficiencies identified during VRAT assessments in a timely manner.
- Installation heads did not always monitor the status of identified deficiencies, to include tracking the progress of corrective actions taken and closing out deficiencies when resolved.
- Installation heads did not always provide deficiency status updates to security officials.
There were 139 security deficiencies identified on the VRAT assessments at the 11 NDCs we reviewed. Deficiencies included obstructed, damaged, or inoperable gates, fences, doors, locks, and closed-circuit television systems.
In addition, security officials did not always conduct VRAT assessments at the prescribed frequencies. Further, the security assessment policy has not been updated to reflect the use of the VRAT assessment tool, which replaced the annual security survey in fiscal year 2012.
These conditions occurred because internal controls were not sufficient to ensure responsible security and area officials effectively addressed, monitored, and communicated security deficiencies or conducted VRAT assessments, as required.
When security deficiencies are not addressed in a timely manner or VRAT assessments are not conducted as required, there is an increased risk to the safety and security of Postal Service employees, customers, the mail, and other assets.
What the OIG Recommended
We recommended management establish standard operating procedures, to include timeframes, to address, monitor, and communicate identified security deficiencies. We also recommended management establish an oversight mechanism to promote accountability and ensure compliance with VRAT requirements and update policy to reference the VRAT assessment.