This is the accessible text file for GAO report number GAO-05-48 
entitled 'U.S. Postal Service: Physical Security Measures Have 
Increased at Some Core Facilities, but Security Problems Continue' 
which was released on November 16, 2004.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to Congressional Requesters:

November 2004:

U.S. POSTAL SERVICE:

Physical Security Measures Have Increased at Some Core Facilities, but 
Security Problems Continue:

GAO-05-48:

GAO Highlights:

Highlights of GAO-05-48, a report to congressional requesters: 

Why GAO Did This Study:

Mail and postal facilities are tempting targets for theft and other 
criminal acts. Approximately 800,000 U.S. Postal Service (USPS) 
employees process about 700 million pieces of mail daily at almost 
38,000 facilities nationwide. Criminals attack letter carriers to get 
mail containing valuables and burglarize postal facilities to get cash 
and money orders. These activities at USPS facilities can put at risk 
the integrity of the mail and the safety of employees, customers, and 
assets. We looked at physical security measures at large facilities 
that perform automated mail-sorting functions, which, on the basis of 
discussions with USPS, we defined as “core” facilities. Specifically, 
our objectives were to provide information on (1) what USPS has 
determined to be the physical security requirements at core facilities, 
(2) what security measures have been implemented and what security 
problems exist at USPS core facilities, and (3) what are USPS’s plans 
to respond to identified security problems.

What GAO Found:

USPS has determined physical security requirements, such as access 
control and exterior lighting, for its facilities and specified them in 
a handbook and a manual. The security requirements are mandatory for 
new facilities and any renovations made to existing facilities. Further 
guidance outlines how physical security requirements are to be 
implemented at all facilities. Additionally, USPS uses policy 
memorandums to increase managers’ awareness of specific security issues 
and reinforce physical security requirements, such as locking doors and 
wearing identification badges.

Available information showed that implementation of security measures 
had increased at some core facilities, although security problems still 
existed at some facilities. However, incomplete and inaccurate USPS 
data precluded us from making an assessment of changes in the 
implementation of security measures at all core facilities. 
Specifically, the USPS Facility Security Database, which records 
security conditions, has a number of problems, such as missing and 
incomplete data, duplicate responses, and miscoded facilities. 
Nevertheless, available information on one-third of the 373 core 
facilities showed some additional security measures have been 
implemented at each of these facilities since fiscal year 2001. 
However, our analysis of Inspection Service reports and our site visits 
to 13 core facilities revealed a number of security problems, such as 
facility and vehicle keys unaccounted for, doors and gates left 
unlocked or alarms deactivated, mail and stamp inventory left 
unsecured, and employees not wearing identification badges as required. 

According to USPS officials, a number of plans and processes to improve 
physical security are being developed. For example, through a formal 
review and follow-up process, the Inspection Service is working with 
local and headquarters management officials to improve facility 
security. The Inspection Service has filled almost all of its 47 new 
Physical Security Specialist positions. USPS has also created an 
Emergency Preparedness group to ensure consistent application of and 
increased compliance with security standards and is in the process of 
updating and improving its Facility Security Database. This database 
has the potential for identifying and tracking facility security issues 
nationwide.

What GAO Recommends:

GAO recommends that the Postmaster General develop a plan, with 
objectives, time frames, and resources needed, for correcting and 
updating USPS’s security database so USPS can accurately assess the 
status of physical security at core facilities, identify needed 
improvements, and assess progress made. USPS agreed with our 
recommendation and committed to develop such a plan.

www.gao.gov/cgi-bin/getrpt?GAO-05-48.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Peter Guerrero at (202) 
512-2834.

[End of section]

Contents:

Letter:

Background

Summary

Conclusions

Recommendations

Agency Comments and Our Evaluation

Scope and Methodology

Appendixes:

Appendix I: Physical Security of USPS Core Facilities:

Appendix II: Comments from the U.S. Postal Service:

Abbreviations: 

ID: identification:

OMC: Observation of Mail Condition:

USPS: U.S. Postal Service:

Letter:

November 16, 2004:

The Honorable Tom Davis: 
Chairman, Committee on Government Reform: 
House of Representatives:

The Honorable Joseph I. Lieberman:
Ranking Minority Member:
Committee on Governmental Affairs: 
United States Senate:

The U.S. Postal Service (USPS) has a long-standing and continuing 
responsibility for the safety and security of USPS employees, 
facilities, assets, and the U.S. mail itself. Each year, USPS must deal 
with activities at its facilities that can put at risk the integrity of 
the mail and the safety of employees, customers, or assets. Criminals 
attack letter carriers--seeking mail containing valuables, such as 
jewelry or checks--and burglarize postal facilities, seeking cash and 
money orders. For example, in fiscal year 2001, USPS reported that it 
lost about $6.3 million in cash and checks to robberies, internal 
theft, and mishandling.[Footnote 1] As agreed with your offices, we 
built on our previous work regarding cash security by examining 
physical security measures for USPS's "core"[Footnote 2] mail-
processing facilities. Specifically, our objectives were to provide 
information on (1) what USPS has determined to be the physical security 
requirements at core facilities, (2) what security measures have been 
implemented and what security problems exist at USPS core facilities, 
and (3) what are USPS's plans to respond to identified security 
problems.

To provide information on the physical security requirements 
at core facilities, we examined USPS handbooks, manuals, policy 
memorandums, and other documentation. To determine what security 
measures have been implemented, we obtained and analyzed data about 
core facilities from the USPS Facility Security Database, examined data 
from USPS Inspection Service Observation of Mail Conditions, and 
visited 13 core facilities. To obtain information on USPS plans to 
respond to identified security problems, we interviewed USPS officials 
and analyzed documentation they supplied. Additional details on our 
scope and methodology are provided at the end of this report. 

Information contained in this report on security measures implemented 
at core facilities was obtained from a USPS Facility Security Database. 
We asked USPS to provide us with complete data for 373 core facilities. 
We determined that the data USPS provided had many problems, including 
missing and incomplete information, miscoded facilities, and duplicate 
responses. Data that would have allowed us to compare changes in 
security measures over time were complete for only about one-third of 
the 373 core facilities. We used these data to ascertain what new 
security measures have been implemented since fiscal year 2001.

We conducted our work from March 2003 through October 2004, in accordance 
with generally accepted government auditing standards. This report 
summarizes the information we provided to your staff during our 
September 29, 2004, briefing. The briefing slides, which provide more 
details about our analysis, are included as appendix I.

Background:

USPS is required to provide mail delivery and postal services to every 
community, business, and residence in the United States; its 
territories; and its servicemen and women stationed overseas. In 2003, 
USPS collected, processed, and delivered over 202 billion pieces of 
mail. Over 800,000 full-time and part-time employees work in 
approximately 38,000 facilities, owned or leased by USPS and located 
throughout the United States, to provide mail services. Most of the 
facilities are the familiar post office type of facilities that provide 
retail postal services and products to businesses and the public. 
Others are large core mail-processing facilities that perform automated 
mail-sorting functions; these facilities can exceed 1 million square 
feet in size and employ thousands of workers.

The Postal Inspection Service, one of the nation's oldest law 
enforcement agencies, is USPS's law enforcement and security arm. The 
Inspection Service is responsible for ensuring the safety and security 
of postal employees, facilities, and assets. Its 1,900 postal 
inspectors perform periodic facility security reviews, which are 
referred to as the Observation of Mail Condition (OMC) Program. OMC 
reviews are conducted during the fall and early winter.[Footnote 3] Of 
the 38,000 postal facilities nationwide, the Inspection Service 
reviewed security at approximately 1,500 in fiscal year 2004. 
Inspection Service officials told us that most core facilities are 
reviewed each year.

To address physical security concerns, each postal facility has a 
Security Control Officer, and each postal region has an Area Security 
Coordinator. The Security Control Officer is usually the installation 
head or designated manager or supervisor. This official serves as the 
focal point to help implement security policies and coordinate with the 
Inspection Service as needed on security matters. Annually, the 
Security Control Officer is required to complete the Facility Security 
Survey. The Facility Security Survey is a checklist of 273 yes/no 
questions regarding the facility's compliance with physical security 
requirements, such as whether the lighting system is in working order.

USPS management uses data from the Facility Security Survey to collect 
information on facilities' implementation of security measures, and the 
survey results are maintained in the Facility Security Database.

Summary:

In summary, we found the following:

* USPS has determined physical security requirements for its core 
facilities, such as access control and exterior lighting, and specifies 
these requirements in a handbook, a manual, and policy memorandums. 
Physical security requirements are contained in USPS Handbook RE-5 
(Building and Site Security Requirements, March 2001).[Footnote 4] 
These security requirements are mandatory for new facilities and any 
renovations made to existing facilities. For example, RE-5 specifies 
that perimeter fencing and gates must be 8 feet high. In addition, USPS 
Administrative Support Manual 13 outlines how physical security 
requirements are to be implemented at facilities. For example, this 
manual requires that all facilities ensure that personnel wear 
identification (ID) badges in full view during official duty hours. In 
addition to the handbook and manuals, USPS officials use policy 
memorandums to increase facility managers' awareness of specific 
security issues and reinforce the requirements, such as locking doors, 
wearing ID badges, and challenging those without IDs.

* Available information showed that implementation of security measures 
had increased since 2001 at some core facilities, although security 
problems still existed at some facilities. However, incomplete and 
inaccurate USPS data precluded us from making an overall assessment of 
the implementation of security measures at all 373 core facilities. 
USPS security data for core facilities had a number of problems, 
including miscoded facilities, duplicate responses, and incomplete 
information. Complete and accurate comparison data were available for 
only 119 of 373 core facilities. These data showed that some additional 
security measures were implemented at each of the 119 core facilities 
between fiscal year 2001 and the most recent year for which security survey 
data were available--either fiscal year 2003 or 2004. For example, 15 
core facilities had installed electronic access control systems since 
2001. In addition, our analysis of Inspection Service reports and our 
visits to 13 core facilities identified security problems. During its 
2004 reviews, the Inspection Service found a variety of problems at 
core facilities, including required annual security surveys not being 
completed, facility and vehicle keys unaccounted for, doors and gates 
being left unlocked or alarms deactivated, unattended vehicles left 
unlocked, registered mail and stamp inventory left unsecured, and 
employees not wearing ID badges as required. During our visits to 13 
core facilities we observed some similar security problems. At two 
locations, entry gates were left open and unguarded, and we were able 
to enter restricted areas unescorted at three other facilities.

* According to USPS officials, a number of plans and processes to 
improve physical security are being developed. The Inspection Service 
is responsible for leading several of these efforts. For example, 
through a formal review and follow-up process, the Inspection Service 
is working with local and headquarters management officials to improve 
facility security. In an effort to address security concerns, the 
Inspection Service has filled almost all of 47 new Physical Security 
Specialist positions. In addition, at the end of fiscal year 2004, the 
Inspection Service completed training for 500 to 600 Security Control 
Officers, including those at the 373 core facilities. USPS officials 
also told us that an Emergency Preparedness group has been created to 
develop and implement measures to protect critical infrastructure, in 
collaboration with the Inspection Service. Although some management 
positions have been filled for this group, the unit is not yet fully 
operational. According to USPS officials, efforts are also under way to 
update and improve the Facility Security Database. For example, 
officials are in the process of refining a facility risk assessment, 
correcting data problems with the Facility Security Database, and 
integrating the two into a single physical security evaluation and 
tracking tool. We are recommending that the Postmaster General develop 
a plan, with objectives, time frames, and needed resources, for 
correcting problems with the Facility Security Database. USPS concurred 
with this recommendation.

Conclusions:

Although the Inspection Service is responsible for improving USPS 
physical security, it may lack information critical to these efforts. 
USPS officials acknowledge that there is no integrated system for 
tracking the status of physical security efforts. On the basis of our 
examination of the limited data available, we believe that the Facility 
Security Database has the potential to be an effective management tool 
for identifying, tracking, and correcting security issues. However, its 
current problems, such as incomplete and duplicative data, prevent USPS 
management from using the database to assess the implementation of 
security requirements and determining progress in correcting 
deficiencies. USPS is taking steps to address deficiencies in the 
Facility Security Database. However, USPS currently lacks an overall 
plan--with objectives, time frames, and resources needed--that would 
help ensure that these deficiencies will be addressed.

Recommendations:

In order to support the Inspection Service's efforts to improve 
physical security at USPS core facilities, we recommend that the 
Postmaster General develop a plan, with objectives, time frames, and 
resources needed, for correcting and updating USPS's security database 
so that USPS can accurately assess the status of physical security at 
core facilities, identify needed improvements, and assess progress that 
facilities have made.

Agency Comments and Our Evaluation:

We provided a draft of this report to USPS for its review and comment. 
In a letter from the Chief Operating Officer dated October 29, 2004, 
USPS agreed with our report's information and recommendation and 
committed to developing a plan that will identify the resources and 
time frames needed to complete work on the project to upgrade and 
expand its facility security information system. See appendix II for 
the full text of USPS's comments.

Scope and Methodology:

To provide information on the physical security requirements at core 
facilities, we reviewed USPS handbooks, manuals, policy memorandums, 
and other documents. We reviewed this documentation to gain an 
understanding of how the requirements are specifically implemented at 
core postal facilities. We also interviewed USPS Operations and 
Inspection Service officials regarding these requirements and the 
extent of their application at core facilities. We used the written 
documentation and interviews to define the specific roles of various 
officials in identifying security concerns, assessing priorities, and 
implementing improvements to facilities.

To determine what changes in security measures have been implemented at 
373 core facilities since 2001, we obtained and analyzed data extracted 
from USPS's Facility Security Database, including answers to 28 
specific questions, out of 273, that reflected USPS's emphasis on 
prevention of unauthorized entry and exit. We compared the data 
extracted from the Facility Security Database with the defined list of 
373 core facilities and determined that due to incomplete data, 
duplicate entries, and miscodes, we were unable to accurately determine 
the implementation status for 254 of the 373 core facilities. However, 
for 119 core facilities, we had complete data that, although not 
projectible to the universe of 373 core facilities, were sufficiently 
reliable for determining the changes in security measures at these 
facilities from one reporting period (2001) to another (2003/2004).

We analyzed Postal Inspection Service OMC reports for fiscal year 2004 
to identify security problems at core facilities. To observe security 
measures, we visited 13 core mail-processing facilities, selected on 
the basis of a mix of age, size, and geographic diversity.

We are sending copies of this report to the Postmaster General, the 
Chairman of the Senate Committee on Governmental Affairs, the 
Ranking Minority Member of the House Committee on Government Reform, 
and other interested parties. We will provide copies to others on 
request. In addition, the report will be available at no charge on the 
GAO Web site at http://www.gao.gov.

If you have any questions about this report, please contact me at (202) 
512-2834 or Carol Anderson-Guthrie, Assistant Director, at (214) 777-5739. 
Other key contributors to this assignment were Dwayne Curry, Eric 
Fielding, Reid Jones, Donna Leiss, and Walter Vance.

Signed by:

Peter F. Guerrero: 
Director, Physical Infrastructure Issues:

[End of section]

Appendixes:

Appendix I: Physical Security of USPS Core Facilities:

[See PDF for images] 

[End of slide presentation] 

[End of section]

Appendix II: Comments from the U.S. Postal Service:

UNITED STATES POSTAL SERVICE:

PATRICK R. DONAHOE: 
CHIEF OPERATING OFFICER AND EXECUTIVE VICE PRESIDENT:

October 29, 2004:

Mr. Peter F. Guerrero:
Director, Physical Infrastructure Issues:
United States Government Accountability Office: 
Washington, DC 20548-0001:

Dear Mr. Guerrero:

Thank you for providing the Postal Service with the opportunity to 
review and comment on the draft report, U.S. Postal Service: Physical 
Security Measures Have Increased at Some Core Facilities, but Security 
Problems Continue.

We are pleased that the GAO recognizes that we take physical security 
at our core facilities very seriously and that we are working on a 
number of initiatives that, when implemented, will lead to improved 
security at all of our facilities. As the report also notes, we still 
have room for improvement at many facilities. Basic security 
deficiencies such as unlocked doors and unguarded gates are continuing 
problems and ones that we routinely discuss with field managers at all 
levels.

When we build or lease new facilities, we install the appropriate level 
of security technology, such as electronic access controls and closed 
circuit camera systems, based on the mandatory requirements specified 
in our physical security regulations. For existing facilities, we work 
with local management to prioritize their security needs and develop 
cost-effective solutions to increase compliance with security 
requirements. For example, some older facilities may need to have 
access control systems installed or fencing upgraded. At others, 
occasional reminders to employees of the requirement to wear their ID 
badges will improve security compliance.

One of the most important duties of the Postal Inspection Service is to 
monitor and report on how well our nearly 38,000 facilities are 
complying with physical security requirements. To facilitate better 
collection and evaluation of Inspection Service- and local management-generated 
security reports, we have been working with the Inspection 
Service to upgrade and expand our facility security information system. 
As the report recommends, we will develop a plan that will identify the 
resources and time frames needed to complete work on the project. Once 
we have up-to-date and accurate data on the status of security measures 
at our facilities, we can more reliably identify those facilities in 
need of security improvements and make sure they are being implemented 
in a timely and efficient manner.

If you or your staff would like to discuss any of these comments 
further, I am available at your convenience.

Sincerely,

Signed by: 

Patrick R. Donahoe: 

[End of section] 

FOOTNOTES

[1] See U.S. Postal Service: More Consistent Implementation of Policies 
and Procedures for Cash Security Needed, GAO-03-267 (Washington, D.C.: 
Nov. 15, 2002).

[2] For the purposes of this review, "core" is defined as 373 USPS mail 
processing facilities, which are designated as Processing & 
Distribution Centers (P&DC), Processing & Distribution Facilities 
(P&DF), Air Mail Centers (AMC), Air Mail Facilities (AMF), Bulk Mail 
Centers (BMC), and other facilities, such as Priority Mail Processing 
Centers. These facilities were defined as "core," based on discussions 
with USPS officials.

[3] According to USPS officials, OMC reviews occur between September 
and the first week in January because of the high volume of mail 
processed during this period. 

[4] Postal officials told us that RE-5 is under revision.
