Oversight of the Vulnerability Risk Assessment Tool Process

May 06, 2026
Report Number: 25-147-R26
Report Type: Audit Reports
Category: Internal Services, Security

Background

The mission of the U.S. Postal Inspection Service is to support and protect the U.S. Postal Service and its employees, infrastructure, and customers. One of the ways it accomplishes its mission is by providing technological support and risk management tools as well as strategy services designed to mitigate risk and prevent criminal attacks.

What We Did

Our objective was to assess the efficiency and effectiveness of the Postal Service’s and the Postal Inspection Service's oversight of the Vulnerability Risk Assessment Tool (VRAT) process and resolution of identified deficiencies. The VRAT is a risk-based model to identify security deficiencies at postal facilities. For this audit, we judgmentally selected samples of three Postal Inspection Service divisions and 12 Postal Service facilities nationwide for review based on VRAT survey and deficiency data. Additionally, we reviewed VRAT processes, procedures, training, and applicable guidance.

What We Found

The Postal Inspection Service did not effectively oversee the VRAT process. Many surveys were not started or were incomplete, deficiencies remained unresolved, and the status of resolved deficiencies was not reported in the system. Additionally, while facility security training included a VRAT component, the Postal Inspection Service and Postal Service did not ensure that all facility management received this training prior to performing VRAT surveys. Lastly, there were instances where personnel from both the Postal Inspection Service and Postal Service duplicated efforts by completing separate VRAT surveys in the same fiscal year at Tier 1 (most critical) and Tier 2 (critical) facilities.

Recommendations and Management Comments

We made six recommendations to strengthen VRAT oversight by improving monitoring and follow-up processes, policies and procedures, and reporting and resolution practices; bolstering facility security training and guidance; and reducing the redundancy of VRAT surveys. Postal Service management agreed with all six recommendations. Management’s comments and our evaluation are at the end of each finding and recommendation.

Report Recommendations

| # | Recommendation | Status | Value | Initial Management Response | USPS Proposed Resolution | OIG Response | Final Resolution |
|---|---|---|---|---|---|---|---|
| 1 | Update policy to include the Vulnerability Risk Assessment Tool survey completion requirements for Tier 1 and Tier 2 postal facilities. | Open | $0 | Agree | | | |
| 2 | Develop a process to identify postal facilities that did not complete a Vulnerability Risk Assessment Tool survey and ensure that those facilities meet survey completion requirements. | Open | $0 | Agree | | | |
| 3 | Establish a process to monitor unresolved Vulnerability Risk Assessment Tool survey deficiencies across all tier levels to ensure timely resolution and verify accurate status and prioritization. | Open | $0 | Agree | | | |
| 4 | Revise policies and procedures related to the Vulnerability Risk Assessment Tool process to require facility management to update deficiency statuses, upon resolution, and communicate these changes to the field, once finalized. | Open | $0 | Agree | | | |
| 5 | 1) Verify and track that all personnel involved in Vulnerability Risk Assessment Tool surveys have completed the most updated, required training, and 2) update applicable Vulnerability Risk Assessment Tool guidance and provide it to all postal personnel responsible for completing the surveys. | Open | $0 | Agree | | | |
| 6 | Update guidance for Tier 1 and Tier 2 facilities to require Postal Service personnel to perform Tier 3 Vulnerability Risk Assessment Tool surveys only in the off years that the Postal Inspection Service performs the Tier 1 and Tier 2 Vulnerability Risk Assessment Tool surveys. | Open | $0 | Agree | | | |