While the Postal Service “has taken positive steps to improve its overall state of cybersecurity” since a 2014 data breach, its approach is still reactive rather than proactive, “potentially exposing the organization to cybersecurity threats that it is unequipped to manage,” an IG report has said.
While many specifics of the report were redacted for public release, the remaining portion includes the general conclusion that the USPS “state of cybersecurity lacks maturity, which limits its ability to fully understand its risk exposure and protect the agency from cyberattack.” It also said that the chief information security office lacked “necessary tools,” approved exceptions from requirements to scan devices for vulnerabilities that were not “in accordance with policy,” and “did not develop practices to ensure application owners took action to address cybersecurity risks.”
That is of concern, the report said, because despite being known for handling physical objects, the USPS has a substantial online presence—with nearly 200,000 desktop and laptop computers, 36,000 mobile devices, 41,000 server computers and 12.3 million daily visitors to usps.com.
The IG said that issues it identified in redacted portions “expose the agency to potential exploitation by threat actors, which could result in negative impacts such as data breaches, major disruption of operations, and reputation damage.”
The recommendations and management’s response also were largely redacted.