The U.S. Postal Service is in the midst of a large-scale investment program to bolster its cybersecurity, but a new report from its inspector general calls for more insights into how recurring expenses could affect the service’s goals.
The report comes as the Postal Service recently had to address security weaknesses on its public-facing websites that allowed the information of 60 million users to be exposed. The service is in the midst of a six-year program to modernize its cybersecurity infrastructure that runs through fiscal 2022.
The OIG found that although USPS’s overall strategy has helped strengthen the service’s cybersecurity posture, it hasn’t accounted for operating expenses like software licenses or employee and contractor support in its long-term planning.
“Without an ongoing cybersecurity operating budget, the Postal Service may not be able to appropriately secure the enterprise to ensure uninterrupted service delivery, preserve customer and employee trust, and maintain competitive products in the digital marketplace,” the report said.
The report centers on the USPS’s accounting of two cybersecurity Decision Analysis Reports (DARs), which the service approved in 2015. DARs essentially are the approved lists of goals and expenditures of any project with a total cost of more than $5 million. The reports include details like capital investment, deployment investment expenses and first-year operating expenses. The total amount of funding under the first two DARs was redacted in the OIG report.
The inspector general noted that though the DARs include annual operating expenses, they do not address day-to-day operations in their investment calculations. That decision dates back to a 2005 USPS policy on information system investment. It had a ripple effect on the cybersecurity DARs, the OIG report said.
The USPS discovered a funding shortfall for operational expenses on DAR I in fiscal 2017, the report said. To cover the costs, which were redacted in the report, the service’s Corporate Information Security Office (CISO) was compelled to use funding promised to DAR II to sustain the operations.
The report also noted that the CISO had not provided enough detail of the line-item expenses associated with DAR II. As a result, expenses exceeded the cybersecurity budget plan without a clear indication of whether the overages occurred because of operational or deployment costs.
“This occurred because the CISO considered all DARs’ approved operating expenses, including future years’ projections, as a single budget and these expenses were not subject to annual budgetary limits if spending was less than the DARs’ total approved amount,” the report said. “Additionally, by not tracking detailed project expenditures, the sponsor would not be able to evaluate achieved benefits, identify and implement corrective action, and document any required operational or capital investment modifications.”
The OIG offered two recommendations:
- That the vice president of finance and planning, in coordination with the chief information security officer, create and execute a program budget to adequately plan and administer an ongoing cybersecurity program.
- That the chief information security officer manage and track DAR II spending against cash flow line items throughout the investment.
USPS officials agreed with both recommendations and agreed to have additional budget planning in place by the end of January 2019. The service, however, disagreed with the report’s assessment that USPS officials didn’t perform long-range planning in developing the cybersecurity program.
The OIG responded by saying the DAR process didn’t include estimates of ongoing operating expenses and that a program budget, rather than a capital investment budget, should be used to ensure uninterrupted services.