Expands the main menu

Breadcrumb

Audit Reports

  • Image
    Legacy Systems Cover
Jun
03
2024
Report Number:
24-010-R24
Report Type:
Audit Reports
Category: Security, Technology

Legacy Systems at the U.S. Postal Service

Background

The U.S. Postal Service performs a variety of operations, dependent on its vast information technology infrastructure. This infrastructure encompasses 761 systems that the Postal Service strives to maintain and secure from network attacks. In support of the Delivering for America plan, the Postal Service plans to invest in modernizing and enhancing cybersecurity technologies, but it is still managing outdated computing system hardware and software (legacy systems). Secure systems are imperative to uninterrupted operations and protecting Postal Service data.

What We Did

Our objective was to assess legacy systems at the Postal Service and address Postal Service’s mitigation of risks for these systems. For this audit, we reviewed Postal Service’s 1) legacy system inventory and processes for managing legacy systems; 2) guidance for risk mitigation and compliance with vulnerability remediation; and 3) inventory of systems using unsupported operating systems.

What We Found

We found the Postal Service did not effectively manage its legacy systems and associated risks. Specifically, the Postal Service had documented risks related to legacy systems. Additionally, prior audits identified issues with the Postal Service’s risk management process and highlighted risks associated with some legacy systems. During this audit, the Corporate Information Security Office documented a plan to mitigate the risks in the Postal Service environment; however, the plan did not include completion dates. The ineffective management of legacy systems occurred because the Postal Service did not: sufficiently define legacy systems; identify all systems using legacy operating systems; and have provisions for managing the life cycle of operating systems. Unmanaged legacy systems leave the Postal Service’s systems and data vulnerable to known security exploits, which could allow attackers access to sensitive data or other systems.

Recommendations and Management Comments

We made two recommendations to address managing and mitigating risks associated with legacy systems. Postal Service’s management disagreed with the recommendations. Management’s comments and our evaluation are at the end of the finding and recommendations. The Office of Inspector General considers management’s comments nonresponsive and will work with management through the formal audit resolution process.

Report Recommendations

# Recommendation Status Value Initial Management Response USPS Proposed Resolution OIG Response Final Resolution
1

Create a comprehensive plan to manage legacy systems to include defining legacy systems according to best practices, identifying all legacy systems, and developing a plan of action and milestones to enforce timely mitigation of identified risks related to legacy systems.

Closed $0 Disagree
Agree
2

Mitigate identified risks for all legacy systems, develop a plan of action and milestones to enforce timely mitigation of identified risks related to legacy systems and report the status of mitigations as defined in the Corporate Information Security Office's plan of action and milestones to the Corporate Information Security Office.

Open $0 Disagree
Agree