Date: Sep 27, 2024
Report Number: 24-097-R24
Report Type: Audit Reports
Category: Security

Review of the Postal Regulatory Commission’s Compliance With the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024

Background

This report presents a review of the United States Postal Regulatory Commission’s (PRC) information security program and practices for fiscal year (FY) 2024. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, implement, and document agencywide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget.

What We Did

To meet the annual review requirement, we contracted with KPMG LLP (KPMG) to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of the PRC’s information security program and practices in five framework function areas: Identify, Protect, Detect, Respond, and Recover.

What We Found

The PRC has opportunities to improve its information security program. Specifically, the PRC began to draft and implement policies, procedures, and processes to manage its information security program. However, KPMG determined that these initiatives were not completed. As a result, the Core Metrics and Supplemental Group 2 Metrics were rated at the Ad Hoc (Level 1) maturity level for all five framework functions. KPMG identified one finding (see Section III) pertaining to the functions and their respective nine metric domains.

Recommendations and Management’s Comments

KPMG made nine recommendations to address the issues identified in the report across the nine FISMA metric domains. The PRC agreed with all recommendations. KPMG considers management’s comments responsive to all recommendations, as corrective actions should resolve the issues identified in the report.

Report Recommendations

| # | Recommendation | Status | Value | Initial Management Response | USPS Proposed Resolution | OIG Response | Final Resolution |
|---|---|---|---|---|---|---|---|
| 1 | Design and implement risk management and general support system policies, procedures, and processes that address National Institute of Standards and Technology Special Publication 800-53, Rev. 5.1, Rel. 5.1.1 control requirements. | Open | $0 | Agree | | | |
| 2 | Design and implement Supply Chain Risk Management policies, procedures, and processes that address National Institute of Standards and Technology Special Publication 800-53, Rev. 5.1, Rel. 5.1.1 control requirements. | Open | $0 | Agree | | | |
| 3 | Develop and implement agency-wide Configuration Management policies, procedures, and processes that address applicable National Institute of Standards and Technology Special Publication 800-53, Rev. 5.1, Rel. 5.1.1, control requirements. | Open | $0 | Agree | | | |
| 4 | Develop and implement agency-wide identity access management policies, procedures, and processes that address applicable National Institute of Standards and Technology Special Publication 800-53, Rev. 5, Rel. 5.1.1, control requirements. | Open | $0 | Agree | | | |
| 5 | Develop and implement agency-wide data protection and privacy policies, procedures, and processes that address applicable National Institute of Standards and Technology Special Publication 800-53, Rev. 5, Rel. 5.1.1 control requirements. | Open | $0 | Agree | | | |
| 6 | Develop and implement agency-wide Security Training policies, procedures, and processes that address applicable National Institute of Standards and Technology Special Publication 800-53, Rev. 5.1, Rel. 5.1.1, control requirements. | Open | $0 | Agree | | | |
| 7 | Finalize and implement its Information Security Continuous Monitoring plan and update the plan and any additional procedures and processes to address applicable National Institute of Standards and Technology Special Publication 800-53, Rev. 5, Rel. 5.1.1, control requirements. | Open | $0 | Agree | | | |
| 8 | Develop and implement agency-wide incident response policies, procedures, and processes that address applicable National Institute of Standards and Technology Special Publication 800-53, Rev. 5, Rel. 5.1.1, control requirements. | Open | $0 | Agree | | | |
| 9 | Develop and implement agency-wide contingency planning policies, procedures, and processes that address applicable National Institute of Standards and Technology Special Publication 800-53, Rev. 5, Rel. 5.1.1, control requirements. | Open | $0 | Agree | | | |

The USPS Proposed Resolution, OIG Response, and Final Resolution columns are blank for every recommendation in the table as published.