
Dec 24, 2015
Report Number: IT-AR-16-003
Report Type: Audit Reports
Category: Technology

Unsupported Operating Systems

Background

Operating systems (OS) consist of software that manages the memory, processes, and hardware of a computer system. Through their lifecycle, OS require vendor support in the form of upgrades, fixes, and new versions. An OS lifecycle begins upon its release and ends when the vendor support ends. When the OS lifecycle ends, it becomes an unsupported OS. Vendors publish end-of-support dates on their websites to inform the public when their OS support will end.

Vendors may charge fees to extend support or provide additional capabilities beyond the original end date. Users can still run the OS without purchasing this additional support; however, it increases risk to the system. U.S. Postal Service Handbook AS-805, Information Security, allows the use of unsupported software with Information Technology management’s approval.

Our objective was to determine how the Postal Service manages unsupported OS, identify associated risks, and review management’s actions to mitigate or accept those risks.

What The OIG Found

Handbook AS-805 does not provide detailed guidance for managing OS, such as tracking vendor end-of-support dates, identifying the risks of running outdated OS, and developing strategies for migrating to another OS when vendor support ends. As a result, management does not have an inventory of OS and is not tracking or maintaining documentation of the risk of running unsupported OS.

We determined the Postal Service is currently using at least [redacted] unsupported OS versions on almost [redacted] devices, such as servers and desktop computers. In addition, it is using at least [redacted] unsupported OS versions on about [redacted] mail-processing computer systems.

This occurred because Handbook AS-805 is not aligned with best practices, which recommend organizations assign a single group to manage all software on their network, including monitoring vendor end-of-support dates and developing strategies for replacing unsupported software. Without adequate management of unsupported OS, the Postal Service network is at an increased risk of unauthorized access, disclosure, and modification of sensitive customer data.

What The OIG Recommended

We recommended management revise Handbook AS-805 to provide detailed guidance for managing OS such as assigning a single group the responsibility for managing unsupported OS, tracking vendor end-of-support dates, identifying risks associated with running unsupported OS, and developing strategies for moving to another OS when vendor support ends. We also recommended management develop a current inventory of unsupported OS and either document the acceptance of the risk of continued usage or migrate to a supported OS.
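The inventory and tracking process the recommendations describe, as an added example (not code from the OIG report or the Postal Service): each device's OS is checked against a vendor end-of-support table as of a given date, and the unsupported versions are summarised by device count and by how many devices have no documented risk acceptance. The OS names, end-of-support dates and host names are constructed sample values, not real vendor data.

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support table (constructed sample values, not real vendor dates).
# Key: (OS name, version); value: date vendor support ended or ends.
END_OF_SUPPORT = {
    ("ExampleOS", "4.0"): date(2014, 4, 8),
    ("ExampleOS", "5.1"): date(2020, 1, 14),
    ("ExampleOS", "6.0"): date(2025, 10, 14),
}


@dataclass
class Device:
    host: str
    os_name: str
    os_version: str
    risk_accepted: bool = False  # is a documented risk acceptance on file?


def support_status(device, as_of):
    """'supported', 'unsupported', or 'unknown' when the version is not tracked.
    An untracked version is itself a finding: it cannot be monitored."""
    eol = END_OF_SUPPORT.get((device.os_name, device.os_version))
    if eol is None:
        return "unknown"
    return "unsupported" if as_of >= eol else "supported"


def audit(devices, as_of):
    """Per (os_name, os_version, status) for every non-supported OS:
    number of devices, and how many lack a documented risk acceptance."""
    summary = {}
    for d in devices:
        status = support_status(d, as_of)
        if status == "supported":
            continue
        entry = summary.setdefault((d.os_name, d.os_version, status),
                                   {"devices": 0, "undocumented": 0})
        entry["devices"] += 1
        if not d.risk_accepted:
            entry["undocumented"] += 1
    return summary


# Constructed sample inventory: hosts and versions are made up.
SAMPLE_INVENTORY = [
    Device("srv-01", "ExampleOS", "4.0"),
    Device("srv-02", "ExampleOS", "4.0", risk_accepted=True),
    Device("ws-17", "ExampleOS", "5.1"),
    Device("ws-18", "ExampleOS", "6.0"),
    Device("mp-03", "ExampleOS", "3.2"),  # version missing from the table
]

if __name__ == "__main__":
    for (name, ver, status), counts in audit(SAMPLE_INVENTORY, date(2015, 12, 24)).items():
        print(f"{name} {ver}: {status}, {counts['devices']} device(s), "
              f"{counts['undocumented']} without risk acceptance")
```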


Report Recommendations

Recommendation 1 (R-1): Revise Handbook AS-805, Information Security, to provide detailed guidance for managing operating systems, such as assigning a single group responsibility for managing unsupported operating systems, tracking vendor end-of-support dates, identifying risks associated with running unsupported operating systems, and developing strategies for moving to another operating system when vendor support ends.
Status: Closed
Value: $0
Initial Management Response: Agree
USPS Proposed Resolution: (none recorded)
OIG Response: (none recorded)
Final Resolution: (none recorded)

Recommendation 2 (R-2): Develop a current inventory of unsupported operating systems and either document acceptance of the risk of continued usage or migrate to a supported operating system.
Status: Closed
Value: $0
Initial Management Response: Agree
USPS Proposed Resolution: (none recorded)
OIG Response: (none recorded)
Final Resolution: (none recorded)