U.S. Postal Service
Physical Security Measures Have Increased at Some Core Facilities, but Security Problems Continue Gao ID: GAO-05-48 November 16, 2004Mail and postal facilities are tempting targets for theft and other criminal acts. Approximately 800,000 U.S. Postal Service (USPS) employees process about 700 million pieces of mail daily at almost 38,000 facilities nationwide. Criminals attack letter carriers to get mail containing valuables and burglarize postal facilities to get cash and money orders. These activities at USPS facilities can put at risk the integrity of the mail and the safety of employees, customers, and assets. We looked at physical security measures at large facilities that perform automated mail-sorting functions, which on the basis of discussions with USPS, we defined as "core" facilities. Specifically, our objectives were to provide information on (1) what USPS has determined to be the physical security requirements at core facilities, (2) what security measures have been implemented and what security problems exist at USPS core facilities, and (3) what are USPS's plans to respond to identified security problems.
USPS has determined physical security requirements, such as access control and exterior lighting, for its facilities and specified them in a handbook and a manual. The security requirements are mandatory for new facilities and any renovations made to existing facilities. Further guidance outlines how physical security requirements are to be implemented at all facilities. Additionally, USPS uses policy memorandums to increase managers' awareness of specific security issues and reinforce physical security requirements, such as locking doors and wearing identification badges. Available information showed that implementation of security measures had increased at some core facilities, although security problems still existed at some facilities. However, incomplete and inaccurate USPS data precluded us from making an assessment of changes in the implementation of security measures at all core facilities. Specifically, the USPS Facility Security Database, which records security conditions, has a number of problems, such as missing and incomplete data, duplicate responses, and miscoded facilities. Nevertheless, available information on one-third of the 373 core facilities showed some additional security measures have been implemented at each of these facilities since fiscal year 2001. However, our analysis of Inspection Service reports and our site visits to 13 core facilities revealed a number of security problems, such as facility and vehicle keys unaccounted for, doors and gates left unlocked or alarms deactivated, mail and stamp inventory left unsecured, and employees not wearing identification badges as required. According to USPS officials, a number of plans and processes to improve physical security are being developed. For example, through a formal review and follow-up process, the Inspection Service is working with local and headquarters management officials to improve facility security. The Inspection Service has filled almost all of its 47 new Physical Security Specialist positions. USPS has also created an Emergency Preparedness group to ensure consistent application of and increased compliance with security standards and is in the process of updating and improving its Facility Security Database. This database has the potential for identifying and tracking facility security issues nationwide.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-05-48, U.S. Postal Service: Physical Security Measures Have Increased at Some Core Facilities, but Security Problems Continue
This is the accessible text file for GAO report number GAO-05-48
entitled 'U.S. Postal Service: Physical Security Measures Have
Increased at Some Core Facilities, but Security Problems Continue'
which was released on November 16, 2004.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
November 2004:
U.S. POSTAL SERVICE:
Physical Security Measures Have Increased at Some Core Facilities, but
Security Problems Continue:
GAO-05-48:
GAO Highlights:
Highlights of GAO-05-48, a report to congressional requesters:
Why GAO Did This Study:
Mail and postal facilities are tempting targets for theft and other
criminal acts. Approximately 800,000 U.S. Postal Service (USPS)
employees process about 700 million pieces of mail daily at almost
38,000 facilities nationwide. Criminals attack letter carriers to get
mail containing valuables and burglarize postal facilities to get cash
and money orders. These activities at USPS facilities can put at risk
the integrity of the mail and the safety of employees, customers, and
assets. We looked at physical security measures at large facilities
that perform automated mail-sorting functions, which on the basis of
discussions with USPS, we defined as ’core“ facilities. Specifically,
our objectives were to provide information on (1) what USPS has
determined to be the physical security requirements at core facilities,
(2) what security measures have been implemented and what security
problems exist at USPS core facilities, and (3) what are USPS‘s plans
to respond to identified security problems.
What GAO Found:
USPS has determined physical security requirements, such as access
control and exterior lighting, for its facilities and specified them in
a handbook and a manual. The security requirements are mandatory for
new facilities and any renovations made to existing facilities. Further
guidance outlines how physical security requirements are to be
implemented at all facilities. Additionally, USPS uses policy
memorandums to increase managers‘ awareness of specific security issues
and reinforce physical security requirements, such as locking doors and
wearing identification badges.
Available information showed that implementation of security measures
had increased at some core facilities, although security problems still
existed at some facilities. However, incomplete and inaccurate USPS
data precluded us from making an assessment of changes in the
implementation of security measures at all core facilities.
Specifically, the USPS Facility Security Database, which records
security conditions, has a number of problems, such as missing and
incomplete data, duplicate responses, and miscoded facilities.
Nevertheless, available information on one-third of the 373 core
facilities showed some additional security measures have been
implemented at each of these facilities since fiscal year 2001.
However, our analysis of Inspection Service reports and our site visits
to 13 core facilities revealed a number of security problems, such as
facility and vehicle keys unaccounted for, doors and gates left
unlocked or alarms deactivated, mail and stamp inventory left
unsecured, and employees not wearing identification badges as required.
According to USPS officials, a number of plans and processes to improve
physical security are being developed. For example, through a formal
review and follow-up process, the Inspection Service is working with
local and headquarters management officials to improve facility
security. The Inspection Service has filled almost all of its 47 new
Physical Security Specialist positions. USPS has also created an
Emergency Preparedness group to ensure consistent application of and
increased compliance with security standards and is in the process of
updating and improving its Facility Security Database. This database
has the potential for identifying and tracking facility security issues
nationwide.
What GAO Recommends:
GAO recommends that the Postmaster General develop a plan, with
objectives, time frames, and resources needed, for correcting and
updating USPS‘s security database so USPS can accurately assess the
status of physical security at core facilities, identify needed
improvements, and assess progress made. USPS agreed with our
recommendation and committed to develop such a plan.
www.gao.gov/cgi-bin/getrpt?GAO-05-48.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Peter Guerrero at (202)
512-2834.
[End of section]
Contents:
Letter:
Background
Summary
Conclusions
Recommendations
Agency Comments and Our Evaluation
Scope and Methodology
Appendixes:
Appendix I: Physical Security of USPS Core Facilities:
Appendix II: Comments from the U.S. Postal Service:
Abbreviations:
ID: identification:
OMC: Observation of Mail Condition:
USPS: U. S. Postal Service:
Letter November 16, 2004:
The Honorable Tom Davis:
Chairman, Committee on Government Reform:
House of Representatives:
The Honorable Joseph I. Lieberman:
Ranking Minority Member:
Committee on Governmental Affairs:
United States Senate:
The U.S. Postal Service (USPS) has a long-standing and continuing
responsibility for the safety and security of USPS employees,
facilities, assets, and the U.S. mail itself. Each year, USPS must deal
with activities at its facilities that can put at risk the integrity of
the mail and the safety of employees, customers, or assets. Criminals
attack letter carriers--seeking mail containing valuables, such as
jewelry or checks--and burglarize postal facilities, seeking cash and
money orders. For example, in fiscal year 2001, USPS reported that it
lost about $6.3 million in cash and checks to robberies, internal
theft, and mishandling.[Footnote 1] As agreed with your offices, we
built on our previous work regarding cash security by examining
physical security measures for USPS's "core"[Footnote 2] mail-
processing facilities. Specifically, our objectives were to provide
information on (1) what USPS has determined to be the physical security
requirements at core facilities, (2) what security measures have been
implemented and what security problems exist at USPS core facilities,
and (3) what are USPS's plans to respond to identified security
problems. To provide information on the physical security requirements
at core facilities, we examined USPS handbooks, manuals, policy
memorandums, and other documentation. To determine what security
measures have been implemented, we obtained and analyzed data about
core facilities from the USPS Facility Security Database, examined data
from USPS Inspection Service Observation of Mail Conditions, and
visited 13 core facilities. To obtain information on USPS plans to
respond to identified security problems, we interviewed USPS officials
and analyzed documentation they supplied. Additional details on our
scope and methodology are provided at the end of this report.
Information contained in this report on security measures implemented
at core facilities was obtained from a USPS Facility Security Database.
We asked USPS to provide us with complete data for 373 core facilities.
We determined that the data USPS provided had many problems, including
missing and incomplete information, miscoded facilities, and duplicate
responses. Data that would have allowed us to compare changes in
security measures over time were complete for only about one-third of
the 373 core facilities. We used these data to ascertain what new
security measures have been implemented since fiscal year 2001. We
conducted our work from March 2003 through October 2004, in accordance
with generally accepted government auditing standards. This report
summarizes the information we provided to your staff during our
September 29, 2004, briefing. The briefing slides, which provide more
details about our analysis, are included as appendix I.
Background:
USPS is required to provide mail delivery and postal services to every
community, business, and residence in the United States; its
territories; and its servicemen and women stationed overseas. In 2003,
USPS collected, processed, and delivered over 202 billion pieces of
mail. Over 800,000 full-time and part-time employees work in
approximately 38,000 facilities, owned or leased by USPS and located
throughout the United States, to provide mail services. Most of the
facilities are the familiar post office type of facilities that provide
retail postal services and products to businesses and the public.
Others are large-core mail processing facilities that perform automated
mail-sorting functions; these facilities can exceed 1 million square
feet in size and employ thousands of workers.
The Postal Inspection Service, one of the nation's oldest law
enforcement agencies, is USPS's law enforcement and security arm. The
Inspection Service is responsible for ensuring the safety and security
of postal employees, facilities, and assets. Its 1,900 postal
inspectors perform periodic facility security reviews, which are
referred to as the Observation of Mail Condition (OMC) Program. OMC
reviews are conducted during the fall and early winter.[Footnote 3] Of
the 38,000 postal facilities nationwide, the Inspection Service
reviewed security at approximately 1,500 in fiscal year 2004.
Inspection Service officials told us that most core facilities are
reviewed each year.
To address physical security concerns, each postal facility has a
Security Control Officer, and each postal region has an Area Security
Coordinator. The Security Control Officer is usually the installation
head or designated manager or supervisor. This official serves as the
focal point to help implement security policies and coordinate with the
Inspection Service as needed on security matters. Annually, the
Security Control Officer is required to complete the Facility Security
Survey. The Facility Security Survey is a checklist of 273 yes/no
questions regarding the facility's compliance with physical security
requirements, such as whether the lighting system is in working order.
USPS management uses data from the Facility Security Survey to collect
information on facilities' implementation of security measures, and the
survey results are maintained in the Facility Security Database.
Summary:
In summary, we found the following:
* USPS has determined physical security requirements for its core
facilities, such as access control and exterior lighting, and specifies
these requirements in a handbook, a manual, and policy memorandums.
Physical security requirements are contained in USPS Handbook RE-5
(Building and Site Security Requirements, March 2001).[Footnote 4]
These security requirements are mandatory for new facilities and any
renovations made to existing facilities. For example, RE-5 specifies
that perimeter fencing and gates must be 8 feet high. In addition, USPS
Administrative Support Manual 13 outlines how physical security
requirements are to be implemented at facilities. For example, this
manual requires that all facilities ensure that personnel wear
identification (ID) badges in full view during official duty hours. In
addition to the handbook and manuals, USPS officials use policy
memorandums to increase facility managers' awareness of specific
security issues and reinforce the requirements, such as locking doors,
wearing ID badges, and challenging those without IDs.
* Available information showed that implementation of security measures
had increased since 2001 at some core facilities, although security
problems still existed at some facilities. However, incomplete and
inaccurate USPS data precluded us from making an overall assessment of
the implementation of security measures at all 373 core facilities.
USPS security data for core facilities had a number of problems,
including miscoded facilities, duplicate responses, and incomplete
information. Complete and accurate comparison data were available for
only 119 of 373 core facilities. These data showed that some additional
security measures were implemented at each of the 119 core facilities
between fiscal years 2001, and the most recent year security survey
data were available--either fiscal year 2003 or 2004. For example, 15
core facilities had installed electronic access control systems since
2001. In addition, our analysis of Inspection Service reports and our
visits to 13 core facilities identified security problems. During its
2004 reviews, the Inspection Service found a variety of problems at
core facilities, including required annual security surveys not being
completed, facility and vehicle keys unaccounted for, doors and gates
being left unlocked or alarms deactivated, unattended vehicles left
unlocked, registered mail and stamp inventory left unsecured, and
employees not wearing ID badges as required. During our visits to 13
core facilities we observed some similar security problems. At two
locations, entry gates were left opened and unguarded, and we were able
to enter restricted areas unescorted at three other facilities.
* According to USPS officials, a number of plans and processes to
improve physical security are being developed. The Inspection Service
is responsible for leading several of these efforts. For example,
through a formal review and follow-up process, the Inspection Service
is working with local and headquarters management officials to improve
facility security. In an effort to address security concerns, the
Inspection Service has filled almost all of 47 new Physical Security
Specialist positions. In addition, at the end of fiscal year 2004, the
Inspection Service completed training for 500 to 600 Security Control
Officers, including those at the 373 core facilities. USPS officials
also told us that an Emergency Preparedness group has been created to
develop and implement measures to protect critical infrastructure, in
collaboration with the Inspection Service. Although some management
positions have been filled for this group, the unit is not yet fully
operational. According to USPS officials, efforts are also under way to
update and improve the Facility Security Database. For example,
officials are in the process of refining a facility risk assessment,
correcting data problems with the Facility Security Database, and
integrating the two into a single physical security evaluation and
tracking tool. We are recommending that the Postmaster General develop
a plan, with objectives, time frames, and needed resources, for
correcting problems with the Facility Security Database. USPS concurred
with this recommendation.
Conclusions:
Although the Inspection Service is responsible for improving USPS
physical security, it may lack information critical to these efforts.
USPS officials acknowledge that there is no integrated system for
tracking the status of physical security efforts. On the basis of our
examination of the limited data available, we believe that the Facility
Security Database has the potential to be an effective management tool
for identifying, tracking, and correcting security issues. However, its
current problems, such as incomplete and duplicative data, prevent USPS
management from using the database to assess the implementation of
required security requirements and determining progress in correcting
deficiencies. USPS is taking steps to address deficiencies in the
Facility Security Database. However, USPS currently lacks an overall
plan--with objectives, time frames, and resources needed--that would
help ensure that these deficiencies will be addressed.
Recommendations:
In order to support the Inspection Service's efforts to improve
physical security at USPS core facilities, we recommend that the
Postmaster General develop a plan, with objectives, time frames, and
resources needed, for correcting and updating USPS' security database
so that USPS can accurately assess the status of physical security at
core facilities, identify needed improvements, and assess progress that
facilities have made.
Agency Comments and Our Evaluation:
We provided a draft of this report to USPS for its review and comment.
In a letter from the Chief Operating Officer dated October 29, 2004,
USPS agreed with our report's information and recommendation and
committed to developing a plan that will identify the resources and
time frames needed to complete work on the project to upgrade and
expand its facility security information system. See appendix II for
the full text of USPS's comments.
Scope and Methodology:
To provide information on the physical security requirements at core
facilities, we reviewed USPS handbooks, manuals, policy memorandums,
and other documents. We reviewed this documentation to gain an
understanding of how the requirements are specifically implemented at
core postal facilities. We also interviewed USPS Operations and
Inspection Service officials regarding these requirements and the
extent of their application at core facilities. We used the written
documentation and interviews to define the specific roles of various
officials in identifying security concerns, assessing priorities, and
implementing improvements to facilities.
To determine what changes in security measures have been implemented at
373 core facilities since 2001, we obtained and analyzed data extracted
from USPS's Facility Security Database, including answers to 28
specific questions, out of 273, that reflected USPS's emphasis on
prevention of unauthorized entry and exit. We compared the data
extracted from the Facility Security Database with the defined list of
373 core facilities and determined that due to incomplete data,
duplicate entries, and miscodes, we were unable to accurately determine
the implementation status for 254 of the 373 core facilities. However,
for 119 core facilities, we had complete data that, although not
projectible to the universe of 373 core facilities, were sufficiently
reliable for determining the changes in security measures at these
facilities from one reporting period (2001) to another (2003/2004).
We analyzed Postal Inspection Service OMC reports for fiscal year 2004
to identify security problems at core facilities. To observe security
measures, we visited 13 core mail-processing facilities, selected on
the basis of a mix of age, size, and geographic diversity.
We are sending copies of this report to the Postmaster General, the
Chairman of the Senate Committee on Governmental Affairs, and the
Ranking Minority Member of the House Committee on Government Reform,
and other interested parties. We will provide copies to others on
request. In addition, the report will be available at no charge on the
GAO Web site at [Hyperlink, http://www.gao.gov].
If you have any questions about this report, please contact me on (202)
512-2834 or Carol Anderson-Guthrie, Assistant Director, on (214) 777-
5739. Other key contributors to this assignment were Dwayne Curry, Eric
Fielding, Reid Jones, Donna Leiss, and Walter Vance.
Signed by:
Peter F. Guerrero:
Director, Physical Infrastructure Issues:
[End of section]
Appendixes:
Appendix I: Physical Security of USPS Core Facilities:
[See PDF for images]
[End of slide presentation]
[End of section]
Appendix II: Comments from the U.S. Postal Service:
UNITED STATES POSTAL SERVICE:
PATRICK R. DONAHOE:
CHIEF OPERATING OFFICER AND EXECUTIVE VICE PRESIDENT:
October 29, 2004:
Mr. Peter F. Guerrero:
Director, Physical Infrastructure Issues:
United States Government Accountability Office:
Washington, DC 20548-0001:
Dear Mr. Guerrero:
Thank you for providing the Postal Service with the opportunity to
review and comment on the draft report, U.S. Postal Service: Physical
Security Measures Have Increased at Some Core Facilities, but Security
Problems Continue.
We are pleased that the GAO recognizes that we take physical security
at our core facilities very seriously and that we are working on a
number of initiatives that, when implemented, will lead to improved
security at all of our facilities. As the report also notes, we still
have room for improve-ment at many facilities. Basic security
deficiencies such as unlocked doors and unguarded gates are continuing
problems and ones that we routinely discuss with field managers at all
levels.
When we build or lease new facilities, we install the appropriate level
of security technology, such as electronic access controls and closed
circuit camera systems, based on the mandatory requirements specified
in our physical security regulations. For existing facilities, we work
with local management to prioritize their security needs and develop
cost-effective solutions to increase compliance with security
requirements. For example, some older facilities may need to have
access control systems installed or fencing upgraded. At others,
occasional reminders to employees of the requirement to wear their ID
badges will improve security compliance.
One of the most important duties of the Postal Inspection Service is to
monitor and report on how well our nearly 38,000 facilities are
complying with physical security requirements. To facilitate better
collection and evaluation of Inspection Service-and local management-
generated security reports, we have been working with the Inspection
Service to upgrade and expand our facility security information system.
As the report recommends, we will develop a plan that will identify the
resources and time frames needed to complete work on the project. Once
we have up-to-date and accurate data on the status of security measures
at our facilities, we can more reliably identify those facilities in
need of security improvements and make sure they are being implemented
in a timely and efficient manner.
If you or your staff would like to discuss any of these comments
further, I am available at your convenience.
Sincerely,
Signed by:
Patrick R. Donahoe:
[End of section]
(543038):
FOOTNOTES
[1] See U.S. Postal Service: More Consistent Implementation of Policies
and Procedures for Cash Security Needed, GAO-03-267 (Washington, D.C.:
Nov. 15, 2002).
[2] For the purposes of this review, "core" is defined as 373 USPS mail
processing facilities, which are designated as Processing &
Distribution Centers (P&DC), Processing & Distribution Facilities
(P&DF), Air Mail Centers (AMC), Air Mail Facilities (AMF), Bulk Mail
Centers (BMC), and other facilities, such as Priority Mail Processing
Centers. These facilities were defined as "core," based on discussions
with USPS officials.
[3] According to USPS officials, OMC reviews occur between September
and the first week in January because of the high volume of mail
processed during this period.
[4] Postal officials told us that RE-5 is under revision.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
