3 Compliance

3-1 United States Postal Service Enforcement and Monitoring

The Postal Service requires the contractual right to monitor and audit the performance of suppliers and subcontractors who collect, process, store, or transmit Postal Service information for compliance with Postal Service policies and requirements.

The Postal Service monitors supplier compliance with information security policies through processes that include, but are not limited to, the following:

  1. Supplier Security Assessments - The Postal Service reserves the right to perform security assessments on suppliers. These assessments will occur no more than once annually unless a security incident has occurred or the scope of the engagement between the Postal Service and the supplier has changed.
  2. Regular Testing of Security Systems and Processes - Suppliers must test their systems, processes, and custom software regularly. Test results must be made available to the Postal Service upon request.
  3. Vulnerability Scans - Suppliers must conduct vulnerability scans on their applications, infrastructure components, and facilities at least monthly to ensure all system components meet security guidelines. Results must be made available to the Postal Service upon request.
  4. Inspections, Reviews, and Evaluations - Suppliers must conduct inspections, reviews, and evaluations of information resources and facilities at least annually to ensure compliance with Postal Service information security policies. Results must be made available to the Postal Service upon request.