Our objective was to determine whether controls are in place to effectively manage the U.S. Postal Inspection Service’s national security clearance processes and safeguard personally identifiable information (PII).
The Postal Inspection Service processed 1,253 national security clearances between fiscal years (FY) 2016 and 2018. The Postal Inspection Service primarily grants Top Secret national security clearances; it only granted four Secret clearances during that time. The cost depends on the type of investigation (initial or reinvestigation) and ranges from a minimum of almost $2,000 to no more than $4,100 per clearance. Postal Service policy states that certain positions always require national security clearances, such as executive positions and certain manager positions. In addition, the Postal Inspection Service is responsible for conducting risk assessments to determine if other positions require national security clearances.
The Postal Inspection Service works with the Office of Personnel Management (OPM) to conduct a comprehensive search of an applicant’s past involvement in criminal investigations. The Postal Inspection Service uses database searches to determine prior clearance status and criminal record history. It also collects and retains PII, such as an applicant’s prior employment and financial history and family members’ social security numbers.
In addition, the Postal Inspection Service uses two contractors to compile background investigation reports. The Postal Inspection Service is responsible for overseeing its contractors’ performance. Specifically, contractors are required to complete initial investigation reports in 30 days and periodic reinvestigations in 60 days, per the contracts. These deadlines can be extended if a contractor submits an extension request to the Postal Inspection Service and it is approved. In addition, the Postal Inspection Service is responsible for coordinating with the Postal Service’s Corporate Information Security Office (CISO) to certify all contractors’ data security.
What the OIG Found
Overall, the Postal Inspection Service adequately reviewed, collected, and retained the documents required to grant national security clearances. However, improvements are needed for managing security clearance position designations, overseeing contractors’ performance, reviewing contractors’ data security, and physically safeguarding PII.
We found the Postal Inspection Service did not complete required Position Designation Surveys (PDS) to determine whether national security clearances are necessary for postal positions not specified by policy. Specifically, it did not have the required clearance assessments for 107 of 1,253 employees (9 percent) who had national security clearances processed between FYs 2016 and 2018. This occurred because management did not have a process in place for tracking the completion of PDS. Accordingly, management spent over $318,000 on clearances without the required PDS. Without clearance assessments, the Postal Inspection Service may have granted national security clearances that were unnecessary.
The Postal Inspection Service did not ensure its contractors completed background investigations per contract requirements. The two contractors provided late reports in 21 of 179, or 12 percent, of the randomly selected cases we reviewed. This occurred because management did not have a method for tracking contractor performance. Management also did not retain or document extension requests from the contractors. As a result, the Postal Inspection Service paid contractors over $87,000 annually for reports that did not meet timeliness requirements.
Postal Inspection Service management did not ensure the Postal Service’s CISO conducted adequate data security reviews of the contractors’ systems. The initial data security review should have occurred when the contracts began and the systems should have been subsequently assessed every two years. The review was not initiated for one contractor and was initiated, but not completed, for the other contractor. The contractors commenced work in 2007 and 2017, respectively. This occurred because the Postal Inspection Service manager was unaware of his responsibility to coordinate security reviews with the CISO and did not provide oversight to ensure reviews were completed. The contractors maintain PII records of all employees who have applied for a clearance, and the Postal Inspection Service does not currently have assurance that the information is adequately protected.
Additionally, Postal Inspection Service management did not always update or restrict access to areas where security clearances are processed. We found that management did not revoke building access for 15 of 23, or 65 percent, of former employees between 2014 and 2018. This occurred because management did not update access control lists as employees left, and management was unaware of the requirement for a semiannual access control review. There is an increased risk of unauthorized individuals, such as terminated employees, gaining access to secure areas containing PII. During the audit, management took corrective action to revoke access for the 15 former employees.
What the OIG Recommended
We recommended management:
- Develop a process to ensure PDS are completed and maintained before initiating a national security clearance investigation.
- Complete PDS for personnel possessing national security clearances without a Position Designation Survey on file to determine if the position warrants a clearance.
- Track contractors’ performance by consistently reviewing monthly reports and extension requests for investigations.
- Coordinate with the CISO to complete security reviews for contractors and ensure updated reviews are conducted every two years.
- Disable badges when employees separate, and review and update the badge access list semiannually.