During the audit of Negotiated Service Agreement – Contract [redacted], we identified an issue related to the transmission of Negotiated Service Agreement (NSA) pricing rate tables. Specifically, the Postal Service electronically transmitted confidential contract pricing rates to PC Postage vendors in unencrypted emails.
NSAs are contractual agreements between the Postal Service and commercial mailers, whereby mailers receive customized pricing discounts in exchange for meeting volume and mail preparation requirements. NSAs specify customized pricing and may include a quarterly revaluation of shipping rates, based on volume tiers and commitments. If a mailer uses a PC Postage provider to print its postage, then initial pricing rate tables and any quarterly or annual price changes are sent to the mailer and the PC Postage provider via email.
Postal Service policy requires sensitive information, including customized pricing and other proprietary information, to be sent in an encrypted format. The Postal Service must [redacted] to send an encrypted email. This will trigger Postal Service systems to flag the email as sensitive and encrypt it. If the [redacted], Postal Service systems will not flag the email as sensitive and will not encrypt it. We reviewed unencrypted emails sent from usps.gov email address extensions to vendors with attachments containing contract pricing rate tables for the period June 1, 2020, through January 21, 2021. Because this issue presents security weaknesses across all contracts, the scope of our review included, but was not limited to, the vendor involved in NSA – Contract [redacted].
We identified this issue while conducting our performance audit in accordance with generally accepted government auditing standards.