In response to a 2014 cyber intrusion, the U.S. Postal Service purchased [redacted] software through an existing contract with [redacted]. Personnel working on remediation efforts used [redacted] for secure communications after discovering the intrusion compromised Postal Service email servers.
Our objectives were to determine whether the Postal Service’s contract for [redacted] software complied with applicable standards and evaluate management’s adherence to the contract.
What The OIG Found
The [redacted] software contract did not comply with all applicable standards and management did not ensure the supplier adhered to all contract clauses. Specifically, the Postal Service did not include provisions in the software contract for system integrity, computing environment, and application information security. In addition, the Postal Service did not ensure the supplier complied with all information security requirements, such as storing Postal Service information in a private cloud and becoming Federal Risk and Authorization Management Program-certified. Finally, the Postal Service did not perform a Certification and Accreditation of the software.
The Postal Service also lacks a retention policy specifying how long to maintain emails, sufficient access controls, and a method to ensure that personnel with access to the software have appropriate security clearances. These issues occurred because the original contracting officer was unaware of some provisions that should be in the contract and because management focused on cyber intrusion remediation plans rather than the software and its associated cloud storage security requirements.
Without proper security, contractual, retention, and access controls, the Postal Service is at an increased risk of unauthorized access and disclosure of sensitive information. We questioned about $22 million in contractual costs because the Postal Service failed to complete the Certification and Accreditation process and incorporate required contract provisions.
What The OIG Recommended
We recommended management include all appropriate provisions in their contract and require the supplier to comply with specific security standards and become Federal Risk and Authorization Management Program-certified. We also recommended management complete the Certification and Accreditation process for [redacted] software, develop an email retention policy, and assign personnel to manage access to the software and obtain required security clearances.