Postal Service Health Benefits System Could Have Security Flaws, OPM IG Says

The Office of Personnel Management‘s internal watchdog has flagged cybersecurity measures taken for information technology systems underpinning the Postal Service Health Benefits system, a new health insurance marketplace for U.S. Postal Service workers.

OPM’s Office of the Inspector General conducted a flash audit focused on Carrier Connect, a system used to share data with health care providers, Federal News Network reported Friday.

The OIG reported that Carrier Connect lacks many required aspects of an authorization to operate package, potentially leaving it vulnerable to security incidents. OPM launched Carrier Connect with a provisional authority to operate because the assessment and authorization process was launched too late in the system’s security development lifecycle.

According to the OIG, the provisional ATO status could make it easier for attackers to infiltrate the agency’s IT environment and compromise enterprise-wide security.

Representatives from the OPM’s Office of the Chief Information Officer told the IG’s office that steps were taken to ensure that cybersecurity measures were completed. They also said Carrier Connect is viewed as lower risk since it is a minimally viable product and does not process personally identifiable information.