CERT Resilience Management Model Extended to Tackle Postal Security Challenges
“In 2010, two packages from Yemen containing explosives were discovered on U.S.-bound cargo planes operated by major shipping companies,” said the SEI’s Nader Mehravari, a senior member of the SEI technical staff and member of the CERT Cyber Risk Management Team. “As a result, the United Nations’ Universal Postal Union (UPU) developed two standards to improve security in the transport of international mail and to improve the security of critical postal facilities.” The UPU is the governing body that regulates the transportation of international mail. The USPIS engaged the SEI to help them develop a method to identify gaps in the security of international mail processing centers and similar shipping and transportation processing facilities. This effort is described in an SEI technical note titled A Proven Method for Identifying Security Gaps in International Postal and Transportation Critical Infrastructure.
The USPIS initiated another collaborative engagement, begun in 2011, which resulted in the development of a custom set of extensions to the SEI’s CERT Resilience Management Model (CERT-RMM). These extensions, which address international mail transportation, mail induction (acceptance and verification), and mail revenue assurance, are detailed in three technical notes recently published by the SEI.
The SEI team, which has included Julia Allen, Pamela Curtis, Nader Mehravari, and David White, translated USPS and UPU standards, guidelines, and design criteria into new CERT-RMM extensions and field assessment instruments that the USPIS has used to improve the operational resilience of domestic and international mail operations. This includes ensuring authorized access to mail and the availability, sanctity, custody, and visibility of mail from acceptance to delivery. The three extensions are:
CERT Resilience Management Model—Mail-Specific Process Areas: International Mail Transportation (Version 1.0). This extension is designed to ensure that all international mail is transported in accordance with the standards established by the UPU.
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Induction (Version 1.0). This extension is designed to ensure that mail is collected and accepted in accordance with USPS standards and requirements for the resilience of mail during the induction process.
CERT Resilience Management Model—Mail-Specific Process Areas: Mail Revenue Assurance (Version 1.0). This extension is designed to ensure that the USPS is compensated for all mail that is accepted, transported, and delivered.