Our objective was to determine whether the Postal Service is effectively managing End-of-Life (EOL) network devices. The scope of our review was information technology (IT) network devices [redacted] that are connected to the Postal Service’s IT network and identified as EOL.
The Postal Service’s IT infrastructure includes thousands of routers, switches, virtual private network gateways, firewalls, voice over internet protocol equipment, and other devices that support the delivery of business systems and IT-enabled processes. These network devices must be monitored, maintained, and replaced appropriately to provide a high-level of network performance and prevent unwanted outages.
EOL is a term used for devices that reach the end of their life cycle, indicating the end of the devices’ useful life from the vendor’s point of view. The vendor’s EOL notification process typically consists of a series of activities, such as end-of-sales, end of software maintenance, end of service contract renewal, and end of support that, once completed, makes a device obsolete from the vendor’s perspective. Once obsolete, a device is not sold, repaired, maintained, or supported. There are many reasons why suppliers make a device obsolete, including market demands, technology innovation, or the device simply matures over time and is replaced by functionally-richer technology.
Replacement of network devices does not need to follow a vendor-based schedule. Replacements should follow a consistent policy set by the organization with device-specific, risk-based replacement plans.
What the OIG Found
We found that the Postal Service is not always effectively managing its EOL network devices. Specifically, the management and replacement process is sometimes reactive and at times does not follow a risk-based approach. Postal Service records indicate that currently [redacted] percent) devices on the Postal Service’s IT network are at or past their EOL. Further, by the end of 2021, [redacted] percent) of the Postal Service’s current network devices will be at their EOL and may need to be replaced.
The Postal Service’s reactive network device replacement process is in place because it did not have a policy, strategy, or a risk-based replacement plan for EOL devices. In March 2019, prior to our fieldwork, Telecom Services began developing a strategic framework for managing EOL network devices, which requires each Telecom team to develop device-specific replacement plans in their area.
Additionally, Telecom Services is enhancing its current Telecommunications Integrated Postal Network vendor contract, which should include requirements for addressing EOL device management. Postal Service management has set a [redacted].
Without a risk-based EOL network device strategy and replacement plan, the Postal Service may not replace the most critical EOL devices in a timely and cost-effective manner. This could result in loss of support or functionality, reduced productivity, unplanned outages, and security risks to the Postal Service’s IT network.
What the OIG Recommended
We recommended the Postal Service:
- Develop and implement a policy to effectively manage network EOL devices.
- Complete the EOL 2019 Telecom Strategy and device specific risk-based replacement plans.
- Ensure the Telecommunications Integrated Postal Network [redacted] that reflect the new approved policies and strategies.