Our objective was to determine if the U.S. Postal Service has a cybersecurity incident response capability to effectively detect, analyze, and respond to cyber threats.
The Postal Service faces ongoing cyber threats and challenges that directly impact customers, partners, and employees. These threats could cause harm to information resources in the form of destruction, disclosure, adverse modification of data, or denial of services. For example, the Postal Service suffered a significant data breach in 2014 that exposed the personal data of about 800,000 current and former career and non-career employees. The breach cost the Postal Service [redacted] million in known costs. Currently, there are over [redacted] active user accounts with access to the network; therefore, it is critical to have a robust cybersecurity incident detection and response capability to address continuous threats.
As a result of the 2014 breach, the Corporate Information Security Office (CISO) was established to safeguard the Postal Service’s network. The CISO then established the Cybersecurity Operations Center (CSOC) to detect and respond to cyber events and incidents.
To support a sound cybersecurity foundation, the Postal Service approved [redacted] million in 2017 through the Cybersecurity Decision Analysis Report (DAR) III, Enhancement and Maturity. According to the DAR, this investment would support the continued ability to recruit, develop, and retain a cybersecurity workforce capable of supporting continuous threat monitoring, threat remediation and response, vulnerability management, and incident response activities that are critical to the Postal Service’s success.
We conducted a test during February and March 2020 to determine whether the Postal Service could identify and respond to known cyber threats. We also reviewed the CISO’s Cybersecurity Incident Response Plan, CSOC tickets initiated between March 1 and September 30, 2019, and Cybersecurity DAR III to determine compliance with policy, procedures, or industry best practices. We did not review post-incident activities as the CSOC did not declare any cybersecurity incidents during our scope period.
We planned our fieldwork before the President of the United States issued the national emergency declaration concerning the novel coronavirus outbreak (COVID-19) on March 13, 2020. The results of this audit do not reflect operational changes and/or service impacts that may have occurred as a result of the pandemic.
The Postal Service does [redacted]. The CSOC detected very little of the [redacted] we introduced to the Postal Service network as a test procedure from February 18 through March 6, 2020. While the CSOC detected [redacted] activity, it was unable to detect any of the [redacted] other activities executed multiple times. For example, it did not detect the activities associated with [redacted] of [redacted] across the network and a [redacted] launched on the network. Without appropriate [redacted], active threats could go undetected, possibly leading to theft and modification of data or impact on the availability of critical systems.
We also found the CISO had not developed metrics to measure the effectiveness of their incident response capability. Best practices adopted from Carnegie Mellon recommend common metrics such as Mean Time to Detect, Mean Time to Respond, and Percentage of Events Declared as Incidents. Without effective metrics, management cannot make informed decisions to improve the incident response plan or enhance their incident response capability.
In addition, the CISO did not track or monitor investments by project as specified in DAR III. In our prior audit issued in November 2018, we identified a similar issue with tracking investments related to Cybersecurity DAR II, Improvements. Without tracking detailed project expenditures, management is unable to ensure that funds are allocated appropriately, budgets are not overspent, and enhancement projects are executed on time.
Also, during our review of the Cybersecurity Incident Response tickets in [redacted], we found [redacted] active CSOC module users have the ability to [redacted]. Without proper [redacted], users can introduce [redacted] to the Postal Service network, potentially [redacted]. Lastly, we reviewed a sample of [redacted] cybersecurity tickets initiated between March 1 and September 30, 2019, to determine compliance with the incident response plan and standard operating procedures. CSOC analysts appropriately closed [redacted] of the [redacted] internal tickets, and the [redacted] remaining tickets were reassigned to a group outside of the CSOC for further investigation. These tickets remained open for over a year with no status update. Without a process to update the status of open tickets and resolve issues presented in tickets, the possibility exists for compromised information resources and disrupted operations due to unresolved cyber threats.
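As an added illustration (not part of the audit report or any Postal Service tooling) of the metrics named above and of the stale-ticket condition just described, the following script computes Mean Time to Detect, Mean Time to Respond, and Percentage of Events Declared as Incidents over a constructed set of ticket records, and flags open tickets transferred outside the CSOC that have had no status update for longer than a chosen threshold. The ticket fields, owners, and dates are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample tickets (hypothetical data, not Postal Service records).
# "responded" is None while a ticket is still open; "owner" is the group now holding it.
TICKETS = [
    {"id": "T-1", "event": "2019-03-01T08:00", "detected": "2019-03-01T10:00",
     "responded": "2019-03-01T16:00", "incident": False, "owner": "CSOC", "updated": "2019-03-01T16:00"},
    {"id": "T-2", "event": "2019-04-10T09:00", "detected": "2019-04-10T21:00",
     "responded": "2019-04-12T09:00", "incident": True, "owner": "CSOC", "updated": "2019-04-12T09:00"},
    {"id": "T-3", "event": "2019-05-05T12:00", "detected": "2019-05-05T18:00",
     "responded": None, "incident": False, "owner": "Field IT", "updated": "2019-05-06T08:00"},
    {"id": "T-4", "event": "2019-09-20T07:00", "detected": "2019-09-20T07:30",
     "responded": None, "incident": False, "owner": "Field IT", "updated": "2019-09-25T07:30"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def mean_time_to_detect_hours(tickets):
    """Average hours from the event occurring to the CSOC opening a ticket."""
    gaps = [(_ts(t["detected"]) - _ts(t["event"])).total_seconds() / 3600 for t in tickets]
    return sum(gaps) / len(gaps)

def mean_time_to_respond_hours(tickets):
    """Average hours from detection to recorded response. Open tickets are excluded
    rather than counted as zero, which would make the metric look better than it is."""
    closed = [t for t in tickets if t["responded"] is not None]
    gaps = [(_ts(t["responded"]) - _ts(t["detected"])).total_seconds() / 3600 for t in closed]
    return sum(gaps) / len(gaps) if gaps else None

def pct_declared_incidents(tickets):
    """Share of events the CSOC formally declared as incidents."""
    return 100.0 * sum(1 for t in tickets if t["incident"]) / len(tickets)

def stale_transferred_tickets(tickets, as_of, max_idle_days=30):
    """IDs of open tickets reassigned outside the CSOC with no status update
    for more than max_idle_days as of the review date."""
    limit = timedelta(days=max_idle_days)
    return sorted(t["id"] for t in tickets
                  if t["responded"] is None and t["owner"] != "CSOC"
                  and _ts(as_of) - _ts(t["updated"]) > limit)

if __name__ == "__main__":
    print(f"MTTD {mean_time_to_detect_hours(TICKETS):.1f} h, "
          f"MTTR {mean_time_to_respond_hours(TICKETS):.1f} h, "
          f"{pct_declared_incidents(TICKETS):.0f}% of events declared incidents")
    print("stale transferred tickets:", stale_transferred_tickets(TICKETS, "2020-06-01T00:00"))
```

Running the stale-ticket check on a schedule, with the review date as `as_of`, gives the kind of recurring follow-up on transferred tickets that the finding above says was missing.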
We recommend management:
- Complete the [redacted] project implementation as identified in Cybersecurity DAR III and implement the necessary [redacted] to detect internal malicious activity.
- Determine which incident detection and response metrics are meaningful to the organization and establish a process to measure the effectiveness of the incident detection and response capability.
- Track one-to-one alignment of actual investments with Cybersecurity DAR III requests for each project.
- Develop procedures for the safe handling of [redacted] or develop a risk acceptance letter.
- Create a notification within the Cybersecurity Operations Center module in [redacted] notifying users of potential [redacted].
- Develop a process to regularly review unresolved tickets transferred to another office for resolution, verify status, and ensure timely closure.