Expands the main menu

Breadcrumb

Audit Reports

  • Image
Mar
29
2017
Report Number:
IT-AR-17-002
Report Type:
Audit Reports
Category: Technology

Information Technology Continuity of Operations Plans

Background

The U.S. Postal Service is the center of a $1.4 trillion mailing industry. To meet its mail delivery mandate, the Postal Service has developed an overarching Continuity of Operations (COOP) plan to continue essential business functions when there is a disruption of normal operations.

To support the Postal Service’s overarching COOP plan, Information Technology (IT) management developed their own COOP plans, referred to as Functional Workgroup Annex (FWGA) plans. These FWGA plans address essential information technology functions.

Federal directives require the Postal Service to develop and maintain COOP plans. Most recently, Presidential Policy Directive 40, issued in July 2016, reiterates COOP plan requirements and the need to include information technology systems, processes, and resources in plan development. In addition, Postal Service policy requires FWGA plans for all computer solution and service centers.

Our objective was to determine whether the Postal Service’s IT division has viable FWGA capabilities to support essential business functions.

What the OIG Found

We found that the Postal Service is unable to meet its essential business functions because its FWGA plans are not current at [redacted] Postal Service IT locations we selected: [redacted], the [redacted] and the [redacted] centers.

We found that Postal Service management did not annually review, update, and test FWGA plans. For example, they had not updated [redacted] of the [redacted] plans in over [redacted] years. The plans were also incomplete and missing key requirements such as identifying critical information system assets, alternative telecommunications services, and procedures for using alternative processing sites that are not susceptible to the same threats as the primary location. Additionally, Postal Service management did not train personnel who execute the existing FWGA plans.

These issues occurred because Postal Service management did not have a policy that defined requirements for managing FWGA plans.

Without current, complete, and tested FWGA plans, the Postal Service will not be able to effectively support essential information system resources and services during an event that disrupts normal operations. In addition, a lack of training would result in Postal Service personnel not having the skills required to support essential functions during a continuity event.

What the OIG Recommended

We recommended Postal Service management create a policy for managing FWGA plans based on federal directives and industry best practices; review, update, and test FWGA plans annually; and require annual training for all personnel with FWGA plan responsibilities.