The U.S. Postal Service has the mail processing resources, information technology (IT) network, and transportation infrastructure to deliver mail to every residential and business address in the country. These resources include facilities, equipment, and systems used to process, transfer, and store data, which are vital for business operations. The Postal Service implements physical and environmental security controls over systems to reduce the risk of system and equipment failure, damage from environmental hazards, and unauthorized access to its facilities and assets.
The Margaret L. Sellers (MLS) Processing and Distribution Center (P&DC) is 760,000 square feet and processes up to 12 million mailpieces daily. The facility houses a vehicle maintenance facility, retail store, district and area administrative offices, and the U.S. Postal Inspection Service.
Our objective was to determine whether the Postal Service has adequate and effective physical and environmental security controls at the MLS P&DC.
What the OIG Found
Although we did not identify any significant environmental security issues, the Postal Service does not have adequate and effective physical security controls over systems at the MLS P&DC. Specifically, we found that managers did not review, update, and limit access to the facility or ensure perimeter controls restricted access to it. We also found that retail store employees allowed unauthorized access to restricted areas, and that employees, contractors, and unauthorized individuals were able to enter facility parking lots without verification.
These issues occurred because:
There was no oversight of access to secure areas.
The Human Resources manager did not follow separated employee clearance procedures.
Employees allowed unfamiliar individuals into the retail area and altered dock doors to give contract drivers access to the P&DC.
The gate sensor at the employee entrance did not function properly.
Managers instructed employees to open the truck entrance gate upon driver arrival without verifying identification.
Improperly implemented physical security controls increase the risk of theft or disruption of critical operations, and of unauthorized access to the facility, IT assets, and mail processing equipment.
What the OIG Recommended
We recommended management assign personnel to approve access to secure areas, and review and update badge and key access requirements for all offices semiannually as required by policy. In addition, management should communicate and enforce policies and procedures to remove access for separated employees and to prevent unauthorized access to restricted areas.
Management should also repair the gate sensor at the employee entrance; instruct employees to verify access before allowing trucks into the facility; issue badges to contractors; and ensure dock doors lock and function properly.