7-2 Process

The process of assessing off site hosted solutions involves the same steps as required for in house IT information resources described above in Chapters 1 through 6 in addition to a Site Security Review. The final accreditation determination however will be in the form of an Letter of Assessment (LOA) indicating whether the solution appears to conform to Postal Service IT resource protection standards or not. The LOA is issued rather than and accreditation determination to ensure that after completing the process the Postal Service brand will not be used as an endorsement for the vendor facility.

  1. Prior to initiating any contract for offsite computing type services as defined above it is important to coordinate with the CISO. Proper planning helps to ensure that an organization derives full benefit from information technology spending. It also helps to ensure that the computing environment is as secure as possible and in compliance with all relevant USPS policies and that data privacy is maintained.
  2. After an EIR entry has been established and an ISSO has been assigned, the ISSO will coordinate a meeting with members of the C&A core team.
  3. CISO will determine if a site security review is necessary and coordinate with the Inspection Service and the vendor to complete the review. This review will assess not only the information technology infrastructure and controls but physical and personnel security issues as well.
  4. A BIA will be completed to establish the sensitivity and criticality of the application.
  5. After completion of the Technical Solution Questionnaire any non-compliance issues will be identified and a risk mitigation plan established.
    1. Any residual high or medium risks identified will result in a letter of assessment indicating the offsite hosted solution appears to not conform to postal standards.
    2. If there are only low or no risks identified, the letter of assessment will indicate the offsite hosted solution appears to conform to postal standards.