The U.S. Postal Service lacks a working “insider threat” program to assess the potential for release of sensitive material by postal workers, the agency’s inspector general said in an audit released Tuesday.

The report adds another wrinkle to the ongoing debate on Capitol Hill over the debt-ridden Postal Service, which has encountered financial difficulties as consumers increasingly “go paperless.” 

Insider threats are generally understood as current or former employees or business partners of the federal government who accidentally or intentionally misuse information access that causes harm, which can include stealing information. 

The audit is unusual because of how heavily redacted it is to the point that it is difficult for the public to assess what the OIG is specifically concerned about. 

A 2011 executive order mandates that the USPS set up a formal insider threat program because it has access to national security information. But Deputy Assistant Inspector General for Technology Kimberly F. Benoit wrote in the audit that it had not yet done so and that federal inspectors had also discovered physical security flaws at the agency. 

The USPS agreed with the auditor’s recommendations and laid out a timeline to fix the problems.

“Without an established and implemented insider threat program, the Postal Service cannot effectively prevent, detect, and respond to employee and contractor insider threats,” the federal watchdog wrote in the report, before another sentence in the same paragraph that was partially redacted. The redacted sentence ends with the un-redacted clause “as well as negatively impact the Postal Service brand.”

A footnote explaining the brand damage notes an earlier OIG report that assessed the agency’s IT security risk, but the details of that report are also redacted in the footnote. In addition, the likelihood of an insider threat occurring and the potential cost were redacted.

The report also noted physical security deficiencies at an undisclosed agency location including the lack of a fire extinguisher and another necessary but undisclosed item in a secured space that contained national security information.

“According to this location’s” standing operating procedure, the auditors wrote, “an [redacted] and fire extinguisher are required for the secured space within the location.”

Tarnishing the ‘brand’

There were also problems with broken closed-circuit television and the lack of video intercoms in places where they were required. Some, but not all, Postal employees have access to sensitive national security information for reasons that were redacted in the report. Auditors warned that the deficiencies could lead to national security information being stolen, “which could be used to damage U.S. national security and negatively impact the Postal Service brand.”

Auditors blamed poor coordination and a lack of communication among facilities management, the Postal Service and IT regarding the physical security. They also noted a lack of preliminary focus on the insider threat program. But the auditors noted that management took corrective action during the audit.

In a demonstration of just how secret the audit of the Postal Service’s insider threat program is, the OIG redacted every entry in a chart that was supposed to illustrate the Postal Service’s progress in meeting the requirement.

Postal response

The Postal Service responded in a letter dated Sept. 8 that it disagreed with the OIG’s assessment that the agency’s security office first focused on addressing external threats prior to establishing and implementing an insider threat program, a preliminary focus that the OIG had redacted. But the Postal Service quoted OIG’s allegation in its letter.

The Postal Service touted an “all threats view” of cybersecurity and noted several training programs for employees. The USPS also noted it was archiving and reviewing 120 terabytes monthly and approximately 1.3 petabytes annually “of system log information for anomaly detection.”

One petabyte is 1024 terabytes, or a million gigabytes. The OIG is explaining the large volume of how much data the Postal Service scans and stores. The USPS agreed with all three of the OIG’s recommendations — though the target implementation dates for those recommendations were also redacted. The Postal Service clearly pushed back against the idea that the agency was vulnerable to threats. 

“Regardless of all the efforts we have already undertaken to address insider threats, we nevertheless appreciate the call for action to develop an even more robust insider threat program,” USPS officials wrote in the response letter.

The House Oversight and Government Affairs Committee approved the measure by voice vote on March 16. However, generating broader support for the bill has been difficult, in part because of the differing views of so many stakeholders that would be affected by broad policy changes, including increases in postal rates and elimination of mail delivery direct to business customers.

The Congressional Budget Office has estimated the net effect of the Chaffetz-Cummings bill would reduce USPS costs by $6 billion over a decade.