CERT Resilience Management Model Extended to Tackle Postal Security Challenges
December 16, 2014 • Article
December 16, 2014—The United States Postal Inspection Service (USPIS) is well acquainted with today’s dynamic and expanding risk environment. The USPIS is the law enforcement, crime prevention, and security arm of the United States Postal Service (USPS) and the longest standing federal law enforcement agency in the U.S. The mission of the USPIS is to support and protect the U.S. Postal Service and its employees, infrastructure, and customers; enforce the laws that defend the nation’s mail system from illegal or dangerous use; and ensure public trust in the mail. Members of the USPIS Revenue, Product, and Global Security team had learned about work in resilience management being done at the SEI and recognized that they could apply it to many of the safety and security challenges that USPS and USPIS are facing, including the increasing risk in international mail operations.
“In 2010, two packages from Yemen containing explosives were discovered on U.S.-bound cargo planes operated by major shipping companies,” said the SEI’s Nader Mehravari, a senior member of the SEI technical staff and member of the CERT Cyber Risk Management Team. “As a result, the United Nations’ Universal Postal Union (UPU) developed two standards to improve security in the transport of international mail and to improve the security of critical postal facilities.” The UPU is the governing body that regulates the transportation of international mail. The USPIS engaged the SEI to help them develop a method to identify gaps in the security of international mail processing centers and similar shipping and transportation processing facilities. This effort is described in an SEI technical note titled A Proven Method for Identifying Security Gaps in International Postal and Transportation Critical Infrastructure.
The USPIS initiated another collaborative engagement, begun in 2011, which resulted in the development of a custom set of extensions to the SEI’s CERT Resilience Management Model (CERT-RMM). These extensions, which address international mail transportation, mail induction (acceptance and verification), and mail revenue assurance, are detailed in three technical notes recently published by the SEI.
The SEI team, which has included Julia Allen, Pamela Curtis, Nader Mehravari, and David White, translated USPS and UPU standards, guidelines, and design criteria into new CERT-RMM extensions and field assessment instruments that the USPIS has used to improve the operational resilience of domestic and international mail operations. This includes ensuring authorized access to mail and the availability, sanctity, custody, and visibility of mail from acceptance to delivery. The three extensions are
CERT Resilience Management Model—Mail-Specific Process Areas: International Mail Transportation (Version 1.0). This extension is designed to ensure that all international mail is transported in accordance with the standards established by the UPU.
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Induction (Version 1.0). This extension is designed to ensure that mail is collected and accepted in accordance with USPS standards and requirements for the resilience of mail during the induction process.
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Revenue Assurance (Version 1.0). This extension is designed to ensure that the USPS is compensated for all mail that is accepted, transported, and delivered.
The starting point for all of the SEI’s work with the USPIS was CERT-RMM. Speaking at a recent SEI webinar, Michael Ray, assistant inspector in charge, Revenue, Product and Global Security for USPIS said, “RMM—the approach itself and the methodology—is very comprehensive…. It enabled us to pick and choose which elements or processes would apply for the evaluation of risk for the organization for a new product or an enhanced product before it went to market. It also enabled us to better identify those key stakeholders we need to engage and bring to the table where we don’t have those skills in the investigative arena to talk about the risks outside of our purview.”
Ray further explained that the ability to customize CERT-RMM to the specific environment and needs of the USPIS and USPS proved essential to the project’s success. “We needed a capability within the RMM to assess how we look at our supply chain,” Ray said, “from mail induction to mail delivery and everything in between…. We created a field instrument for specific products to deploy to our 17 field divisions to assess the effectiveness of our technique in the mail induction and mail revenue assurance areas…. That’s going to help us identify specific gaps and potential solutions going forward.”
Speaking in a CERT podcast, Greg Crabb, inspector in charge of Revenue, Product, and Global Security for the USPIS, noted, “RMM has allowed us to take a very complex, and what some consider overwhelming, task and provide for an appropriate separation of functions managed to a common criteria. It’s been really refreshing to the folks that work for me. They understand what they need to do and the goals that they’re achieving with each of the work products that they’re generating. So, it’s good for everyone involved.”
The USPIS also successfully used CERT-RMM in a project to develop a new and innovative process for export screening that helps ensure that international mail originating in the U.S. complies with U.S. export control laws.
The SEI’s Mehravari is encouraged by the success of the engagement with USPIS and their own creative applications of CERT-RMM. “Our work with USPIS demonstrated that CERT-RMM can be applied to a wide range of business objectives,” he said. “The ability to add new asset types and process areas allows customization to suit many specific environments and needs.”
To learn more about CERT-RMM, please visit http://www.cert.org/resilience/products-services/cert-rmm/.