Our objective was to assess whether Decision Analysis Reports (DAR) I and II cybersecurity investments’ stated performance metrics aligned with the Corporate Information Security Office (CISO) strategic and cost objectives.
To establish a sound cybersecurity foundation, the Postal Service has made significant investments in information security. In 2015, the Postal Service approved [redacted] million in investments: [redacted] million for Cybersecurity DAR I and [redacted] million for Cybersecurity Improvements DAR II.
In addition to these investments, these DARs included projected operating expenses of [redacted] million from fiscal years (FY) 2016 through 2022. Capital and deployment investments for DARs I and II were completed in November 2015 and September 2017, respectively. Ongoing operating expenses for each DAR continue to be incurred.
Each DAR’s total approved investment amount comprises a capital investment, deployment investment expenses, and first-year operating expenses. Thereafter, an annual budget must be submitted for each DAR to cover each subsequent year’s operating expenses.
What the OIG Found
Overall, the Postal Service’s investment strategies have been effective in strengthening its enterprise cybersecurity program and achieving strategic objectives. However, the Postal Service could enhance its financial commitments to the long-term capabilities of administering the cybersecurity program by establishing continued budgets to fund annual operating expenses.
We found the Postal Service uses the DAR process to approve, monitor, and fund operating expenses for cybersecurity investments. However, under Postal Service investment policy, expenses associated with the day-to-day operations that sustain the cybersecurity program are not considered investments. These operating expenses are administrative in nature, necessary to sustain ongoing cybersecurity operations, and not expected to end. Examples of such operating expenses are rent, software licenses and services, and employee and contractor support.
This occurred because the Postal Service has not performed long-range planning for administering the cybersecurity program. Without an ongoing cybersecurity operating budget, the Postal Service may not be able to appropriately secure the enterprise to ensure uninterrupted service delivery, preserve customer and employee trust, and maintain competitive products in the digital marketplace. Additionally, the use of multiple finance numbers to manage the investments has made it difficult for management to exercise oversight of the DARs.
We also found the CISO did not track line item expenditures with sufficient detail throughout the DAR II investment. This occurred because CISO considered all approved operating expenses as a single budget and not subject to annual budgetary limits. As a result, CISO could not readily determine whether the [redacted] million overspending in DAR II was operational or deployment expenses. Additionally, by not tracking detailed project expenditures, the sponsor would not be able to evaluate achieved benefits, identify and implement corrective action, and document any required operational or capital investment modifications.
What the OIG Recommended
We recommended management create and execute a program/administrative budget to adequately plan and administer an ongoing cybersecurity program, and manage and track DAR II spending against cash flow line items throughout the investment.