41 C.F.R. Appendix B to Part 102–192—Mail Center Security Plan
Title 41 - Public Contracts and Property Management
Introduction I. The mail center is a major gateway into any business or government agency. Each day, the typical mail center handles hundreds or thousands of items from routine letters to confidential documents, high value parcels, and even money. Security is critical for this critical nerve center. An effective mail center security program should address: A. Risk Analysis B. Employee Safety C. Physical Security D. Inbound Mail Procedures E. Postage Security F. Contractors G. Continuity of Operations Planning H. Communications I. Training J. Plan Review II. Some agencies have satellite locations with no official mail centers. Responsibilities for processing mail are divided among administrative and support staff. Although the security plan for mail operations may be limited for these smaller sites, each of the sections A. through J. of the appendix should be adopted when appropriate. III. A strong plan supplemented with regular training and reviews will help instill a culture that emphasizes the importance of good security. Maximize the success of the security plan by involving all members of your team—managers, employees, security managers and union representatives—during development. A. Risk Analysis The first step in effective security is to conduct a risk analysis for your mail operation. While there are minimum standards that every agency should follow, your particular posture should reflect the mission of your agency. B. Employee Safety The anthrax attacks reminded us all how important employee safety is. We do not know whether there will be another attack, so we should take the proper steps to ensure the safety of our employees. 1. Personal protection equipment should be made available for all employees. These include gloves and masks. When using any form of respiratory equipment, the manager must make sure that proper OSHA standards are met. See appendix D of OSHA's Respiratory Protection standard for information about the use of respirators when such use is voluntary (29 CFR 1910.134, appendix D). 2. Also, instruct employees to wash hands regularly with soap and water. At a minimum, hands should be washed when gloves are removed, before eating, and at the end of a shift. C. Physical Security Managers need to address the physical security of the mail center. 1. Place the mail center in an enclosed room, with defined points of entry. Limit access to those employees who work in the mail center, or who have immediate need for access, such as known couriers. 2. Where appropriate, install controlled access equipment; key control, card readers or buzz entry are a few options. Additionally, each access point should be alarmed and monitored for after hours activity. Secure areas, such as safes or locked cabinets, should be established inside the mail center for meters, express shipments and valuables. 3. Managers should draft detailed procedures for opening and closing the mail center. Logs with checklists should be posted and signed daily. D. Inbound Mail Procedures 1. The inbound mail operation should be separate from the rest of the mail center. All incoming mail should be isolated in an area where it can be inspected. Delivery personnel should have limited access to the facility and should be serviced at a counter. 2. Establish a closed-loop manifest system for all accountable letters and packages (e.g., certified mail, UPS, FedEx). Verify the delivery manifest sheet to ensure that you have received all packages listed. All accountable mail should be signed for whenever possession changes. Always require a signature at the final point of delivery. File copies of the manifest by date. 3. If possible, acquire an x-ray machine to scan mail. All mail, regardless of carrier, should be x-rayed. If volume does not permit this, x-ray all packages. 4. Mail center employees should be trained to recognize and report suspicious packages. Characteristics of a suspicious package or letter can vary depending upon the type of mail your operation regularly processes (see http://www.fbi.gov/pressrel/pressrel01/mail3.pdf for more information). E. Postage Security Postage theft is a Federal offense and managers should be proactive in this area. 1. Managers should integrate accounting procedures for all forms of postage—meters, stamps and permits. Meter logs must be accurately kept, and meters should be locked when not in use. Where feasible, the meter should be removed from the equipment and stored in a locked cabinet during off-hours. 2. Establish additional controls to ensure proper access and accountability for permit envelopes and labels. Controls should be established for stamps and other carriers as well. F. Contractors Some agencies use contractors to process their mail. This could be either an outsource provider that runs your mail center or a lettershop that handles your presort. It's important to remember that security of the mail is still the responsibility of the agency. Include the key points from your security plan in every contract, and conduct periodic reviews separate from the contract process. G. Continuity of Operations Planning 1. Managers should have a written continuity of operations plan (COOP) to deal with emergency situations. The plan should include: a. Name(s) of Mail Security Coordinator/Response Team b. Procedures on how to respond to a threat or incident c. Who to contact in the event of an emergency d. Location and contents of “fly-away kit” e. Location/phone numbers of backup facility f. A list of critical documents and mail required for the agency to complete its mission 2. Copies of this plan should be stored in easily accessible areas, including off-site. 3. Also, you need to test the plan on a quarterly basis. Verify that all the information is up-to-date, that contacts, facilities access, and the call trees are correct. H. Communications A good communications program is part of any successful mail operation and is critical for security issues. Make sure that the information being shared is factual, not opinion, and verify that it is up-to-date. 1. Schedule regular meetings with a representative from the senior management of your agency (Executive Secretariat, Administrator, etc.). Review the steps you've taken to secure the mail, and address any outstanding issues. 2. Develop a communications plan to be executed when responding to a threat. This plan should cover how to both acquire and distribute information. Prepare a list of trusted resources to acquire timely and accurate information (e.g., GSA, USPS, CDC, etc.). Organize a protocol for the approval and distribution of information on the status of the mail operation. I. Training Education and awareness are the essential ingredients to preparedness. Employees must remain aware of their surroundings and the packages they handle. You must carefully design and vigorously monitor your security program to reduce the risk for all. 1. Through training you can develop a culture of security awareness in your operation. Essential to ensuring employee confidence in their safety is the inclusion of union representatives or other employee representatives in developing and giving training. Managers should consider security training a critical element of their job. 2. A complete training program will include: a. Basic security procedures; b. Recognizing and reporting suspicious packages; c. Proper use of personal protection equipment; d. Responding to a biological threat; and e. Responding to a bomb threat. 3. Maintain a log of all employees and training attended, including the date completed. Follow up with refresher training on a regular basis. 4. In addition to educating the employees who work for you, you must educate all employees who work in the facility on best mail practices including security measures. Employee awareness of the measures you have taken leads to confidence in the safety of the packages that are delivered to their desktops. J. Plan Review The General Services Administration strongly recommends external review of your security plan. This may include a review by a consultant, your agency security department, or a peer review.
Title 41: Public Contracts and Property Management
PART 102–192—MAIL MANAGEMENT
Subpart I—GSA's Responsibilities and Services
Appendix B to Part 102–192—Mail Center Security Plan
