As a Title 39 agency, the U.S. Postal Service is not subject to federal information security regulations set forth by the National Institute of Standards and Technology or the Federal Information Security Management Act.
That can be both good and bad for Postal Service Chief Information Security Officer Chuck McGann, who is tasked with keeping the personal information of nearly everyone in the country confidential.
“We’re in an environment where we aren’t subject to all federal mandates, but we do monitor them and try to see what parts work best for us and our budget,” McGann said in an interview with FedScoop.
For instance, when the federal government was instituting HSPD-12 and PIV cards, the Postal Service wasn’t required to give each employee one. Realizing that those types of identification cards were not needed for the service’s more than 500,000 employees, the Postal Service took a different approach, creating cards only for some employees or postal inspectors who went into other federal buildings.
Compromises like that allow the Postal Service to get the security it needs without breaking the bank.
“When, for example, DHS comes out with cybersecurity requirements, they obviously have done research that would cost us millions, so we appreciate their expertise,” McGann said, “but we’re also in a place where we don’t always have the money to implement their recommendations to the letter of the law, so we try to align ourselves the best we can within the budget we have.”
McGann said he is moving forward on a more focused risk management structure. Instead of worrying about every threat to the Postal Service, he is doing an assessment to see which ones can be truly harmful and which require less attention.
One area that will get attention, McGann said, is mobile security and the Postal Service’s applications. He’s also following the government trend of investigating “bring your own device,” something he said has potential and some perceived value for the Postal Service. “We have tremendous support from the technology groups as new opportunities are developed. Collaboration is the key.”
He is also working with information technology on a couple of pilot programs, namely information security for the Post Office’s same-day delivery.
“We’re looking at the security of that infrastructure to make sure there are no denial of services and that all the information can be authenticated,” McGann said.
As for trends in security, McGann said perhaps the biggest issue he and his security colleagues talk about is the lack of enough qualified security professionals. He said government agencies tend to hire employees from one another, but there aren’t enough new employees entering the government security workforce for them all to share.
McGann said the security community is working with DHS and the General Services Administration to create cybersecurity courses and centers of excellence to help recruit potential talent. They are also digging deeper into the nation’s education system.
“There are a lot of challenges, but at the Postal Service we think we do a great job,” McGann said. “The Postal Service is a premier agency. We’re not perfect – no one is, but our goal is to continually improve the job we do for our customers.”