8-4.5 Security Considerations

Information security policies apply to all information, in any form, related to Postal Service business activities, employees, or customers that have been created, acquired, or disseminated using Postal Service resources, brand, or funding. Information security policies apply to all technologies associated with the creation, collection, processing, storage, transmission, analysis, and disposal of information. Information security policies also apply to all information systems, infrastructure, applications, products, services, telecommunications networks, computer-controlled mail processing equipment, and related resources, which are sponsored by, operated on behalf of, or developed for the benefit of the Postal Service.

Protecting Postal Service information and information resources (including customer and employee personally identifiable information (PII)) is an essential element of IT requirements. Therefore, purchase/SCM teams within all Supply Management Category Management Centers (CMCs) where information and information resources are being procured as an element of a purchase, must coordinate with the requiring organization to ensure that the requiring organization’s specifications or SOW for IT purchases and resulting associated RFPs and contracts address information security requirements (in addition to the security clearance requirements discussed in Section 7-13, Supply Chain Security, if applicable). When the protection of information and information resources is required, Handbook AS-805-I, USPS Information Security Requirements for Suppliers, is to be included within solicitations. The handbook is available at: https://about.usps.com/handbooks/as805i.pdf. Also see Sections 8-4.8, Solicitation Provisions, and 8-4.9, Clauses, for a prescription of their use.

Due to the fact that purchases of IT or other information processing and information gathering services can frequently involve the generation of or access to employee and customer PII, purchase/SCM teams must also ensure that the Postal Service’s privacy protection requirements are addressed as necessary (see Section 7-14, Privacy Considerations or consult the Privacy Office).

Further, to ensure that Postal Service information and information resources are protected, purchase/SCM teams must coordinate their activities with the Corporate Information Security Office (CISO). This coordination should take place during purchase planning and occur before issuance of the solicitation.

Procedures to consider when purchasing IT or other information processing and information gathering services are as follows:

8-4.5.1 Placement of Postal Service Data on Laptop or Other Devices

To further ensure that PII is protected on all forms of IT equipment, suppliers must obtain consent from the contracting officer before placing any Postal Service data onto laptops or other mobile media. The contracting officer must forward such requests to CISO for review and approval. This requirement is further outlined in Clause 4-22: Certification and Accreditation of Information Systems.

8-4.5.2 Cloud Computing Security Requirements

Cloud computing focuses on leveraging current technologies, information security safeguards, alignment of business objectives and responsibilities, infrastructure, risk mitigation, legal and contractual obligations, privacy requirements, integrated with the exchange and sharing of Postal Service data, and information resources. Prior to soliciting for Cloud technology, the contracting officer should assess whether the procedures described within MI AS-800-2014-4, Cloud Computing Policy were followed as applicable.

Clause 4-23: Cloud Computing Security Requirements should be included when performance of the contract calls for using cloud computing to provide information technology services and products.

8-4.5.3 Contract Close-Out

If the contract concerns the generation or collection of customer or employee PII, see Section 7-14, Privacy Considerations, for information regarding its disposal.