OIG: USPS not prepared for IT blackout

The U.S. Postal Service may be ill-prepared to fulfill essential operations in the event of an IT outage, according to a recent inspector general report.

The Post Office is required to have continuity of operations plans in place to prepare for a range of possible disruptions to normal postal operations, whether they're due to tech failures, cyber attacks or natural causes, such as rain, sleet, snow or gloom of night. 

But the IG found that USPS's IT management lacks complete continuity of operations plans, and USPS does not annually train personnel responsible for executing them.

To complement those emergency plans, IT management developed what it calls functional working group annex plans that address "essential information technology operations."

However, in a report dated March 29 and released publicly April 6, the IG found IT management's plans to be lacking.

Auditors found that USPS IT management did not annually review, update and test the plans. At least one of the plan sets had not been updated in years. The IG redacted the number of plans and when the most recent update took place from the report. (FCW has filed a FOIA request for an unredacted copy of the report.)

The watchdog also found that all of the plans reviewed had former employees listed as points of contact. 

The plans were also missing key requirements, such as identifying critical information system assets, alternative telecommunications services and procedures for using alternative processing centers that do not face the same threats as the initial site.

Additionally, auditors reported that USPS IT management did not provide annual training for personnel responsible for carrying out the plans. They warn that untrained staff "may not have the skills required to support essential functions" during a disruption of normal operations.

The IG noted that, during the audit, USPS took corrective action and began training its personnel to handle continuity of operations plans.

"These issues occurred because Postal Service Management did not have a policy that defined requirements for managing" the functional working group annex plans, the report stated.

Auditors also noted that the USPS information security handbook "references a non-existent management instruction policy … that was never finalized or published."   

The IG recommended USPS management to develop a policy for managing IT continuity of operations plans that includes annual reviews, updates and testing, based on federal directives and best practices, and to require annual training for all personnel responsible for carrying out the plan's responsibilities.

USPS management generally agreed with the two findings. Management also told the IG that it has begun to take corrective action and will complete each recommendation by Sept. 30.