U.S. Postal Service:
Physical Security Measures Have Increased at Some Core Facilities, but Security Problems Continue
GAO-05-48: Published: Nov 16, 2004. Publicly Released: Nov 16, 2004.
Mail and postal facilities are tempting targets for theft and other criminal acts. Approximately 800,000 U.S. Postal Service (USPS) employees process about 700 million pieces of mail daily at almost 38,000 facilities nationwide. Criminals attack letter carriers to get mail containing valuables and burglarize postal facilities to get cash and money orders. These activities at USPS facilities can put at risk the integrity of the mail and the safety of employees, customers, and assets. We looked at physical security measures at large facilities that perform automated mail-sorting functions, which, on the basis of discussions with USPS, we defined as "core" facilities. Specifically, our objectives were to provide information on (1) what USPS has determined to be the physical security requirements at core facilities, (2) what security measures have been implemented and what security problems exist at USPS core facilities, and (3) what USPS's plans are to respond to identified security problems.
USPS has determined physical security requirements, such as access control and exterior lighting, for its facilities and specified them in a handbook and a manual. The security requirements are mandatory for new facilities and any renovations made to existing facilities. Further guidance outlines how physical security requirements are to be implemented at all facilities. Additionally, USPS uses policy memorandums to increase managers' awareness of specific security issues and reinforce physical security requirements, such as locking doors and wearing identification badges.
Available information showed that implementation of security measures had increased at some core facilities, although security problems still existed at some facilities. However, incomplete and inaccurate USPS data precluded us from making an assessment of changes in the implementation of security measures at all core facilities. Specifically, the USPS Facility Security Database, which records security conditions, has a number of problems, such as missing and incomplete data, duplicate responses, and miscoded facilities. Nevertheless, available information on one-third of the 373 core facilities showed some additional security measures have been implemented at each of these facilities since fiscal year 2001. However, our analysis of Inspection Service reports and our site visits to 13 core facilities revealed a number of security problems, such as facility and vehicle keys unaccounted for, doors and gates left unlocked or alarms deactivated, mail and stamp inventory left unsecured, and employees not wearing identification badges as required.
According to USPS officials, a number of plans and processes to improve physical security are being developed. For example, through a formal review and follow-up process, the Inspection Service is working with local and headquarters management officials to improve facility security. The Inspection Service has filled almost all of its 47 new Physical Security Specialist positions. USPS has also created an Emergency Preparedness group to ensure consistent application of and increased compliance with security standards and is in the process of updating and improving its Facility Security Database. This database has the potential for identifying and tracking facility security issues nationwide.
Recommendation for Executive Action
Status: Closed - Implemented
Comments: In January 2005, USPS developed a project plan to correct and update its security database. The plan detailed tasks and milestones, as well as actual start and completion dates. However, the plan did not include information on project costs or resources needed to complete the tasks. Nevertheless, USPS has completed the vast majority of the tasks identified in the plan and has initiated action on the remainder. The actions USPS has taken included correcting facility designations to address duplicative data issues, simplifying user logon capability to resolve missing data problems due to incomplete security surveys, and establishing a user certification that updated security data are accurate. These USPS actions were designed to address GAO's concerns, which led to its recommendation.
Recommendation: In order to support the Inspection Service's efforts to improve physical security at USPS core facilities, the Postmaster General should develop a plan, with objectives, time frames, and resources needed, for correcting and updating USPS' security database so that USPS can accurately assess the status of physical security at core facilities, identify needed improvements, and assess progress that facilities have made.
Agency Affected: United States Postal Service: Office of the Postmaster General