DHS OIG, OIG-21-27, CBP Faced Challenges in its Inspection Processes and Physical Security at the JFK International Mail Facility (Redacted) (2021)

DHS OIG

Section: CBP Faced Challenges in its Inspection Processes and Physical Security at the JFK International Mail Facility (Redacted)

Effective: 3/12/2021

Bluebook Citation: DHS OIG, OIG-21-27, CBP Faced Challenges in its Inspection Processes and Physical Security at the JFK International Mail Facility (Redacted) (2021)

(cid:41)(cid:50)(cid:53)(cid:3)(cid:50)(cid:41)(cid:41)(cid:44)(cid:38)(cid:44)(cid:36)(cid:47)(cid:3)(cid:56)(cid:54)(cid:40)(cid:3)(cid:50)(cid:49)(cid:47)(cid:60) CBP Faced Challenges in Its Inspection Processes and Physical Security at the JFK International Mail Facility (REDACTED) (cid:58)(cid:36)(cid:53)(cid:49)(cid:44)(cid:49)(cid:42)(cid:29)(cid:3)(cid:55)(cid:75)(cid:76)(cid:86)(cid:3)(cid:71)(cid:82)(cid:70)(cid:88)(cid:80)(cid:72)(cid:81)(cid:87)(cid:3)(cid:76)(cid:86)(cid:3)(cid:41)(cid:82)(cid:85)(cid:3)(cid:50)(cid:73)(cid:73)(cid:76)(cid:70)(cid:76)(cid:68)(cid:79)(cid:3)(cid:56)(cid:86)(cid:72)(cid:3)(cid:50)(cid:81)(cid:79)(cid:92)(cid:3) (cid:41)(cid:50)(cid:56)(cid:50)(cid:12)(cid:17)(cid:3)(cid:39)(cid:82)(cid:3)(cid:81)(cid:82)(cid:87)(cid:3)(cid:71)(cid:76)(cid:86)(cid:87)(cid:85)(cid:76)(cid:69)(cid:88)(cid:87)(cid:72)(cid:3)(cid:82)(cid:85)(cid:3)(cid:70)(cid:82)(cid:83)(cid:92)(cid:3) (cid:87)(cid:75)(cid:76)(cid:86)(cid:3)(cid:85)(cid:72)(cid:83)(cid:82)(cid:85)(cid:87)(cid:3)(cid:90)(cid:76)(cid:87)(cid:75)(cid:82)(cid:88)(cid:87)(cid:3)(cid:87)(cid:75)(cid:72)(cid:3)(cid:72)(cid:91)(cid:83)(cid:85)(cid:72)(cid:86)(cid:86)(cid:72)(cid:71)(cid:3)(cid:90)(cid:85)(cid:76)(cid:87)(cid:87)(cid:72)(cid:81)(cid:3)(cid:70)(cid:82)(cid:81)(cid:86)(cid:72)(cid:81)(cid:87)(cid:3)(cid:82)(cid:73)(cid:3)(cid:87)(cid:75)(cid:72)(cid:3)(cid:50)(cid:73)(cid:73)(cid:76)(cid:70)(cid:72)(cid:3)(cid:82)(cid:73)(cid:3)(cid:44)(cid:81)(cid:86)(cid:83)(cid:72)(cid:70)(cid:87)(cid:82)(cid:85)(cid:3)(cid:42)(cid:72)(cid:81)(cid:72)(cid:85)(cid:68)(cid:79)(cid:17)(cid:3) (cid:11) (cid:41)(cid:50)(cid:53)(cid:3)(cid:50)(cid:41)(cid:41)(cid:44)(cid:38)(cid:44)(cid:36)(cid:47) (cid:56)(cid:54)(cid:40)(cid:3)(cid:50)(cid:49)(cid:47)(cid:60) March 12, 2021 OIG-21-27 FOR OFFICIAL USE ONLY DHS OIG HIGHLIGHTS CBP Faced Challenges in Its Inspection Processes and Physical Security at the JFK International Mail Facility March 4, 2021 What We Found Why We Did This Audit One of CBP’s top priorities is safeguarding the public by preventing imports of opioids and other illegal items mailed from overseas through the USPS. As a follow-up to our September 2018 report, we conducted this audit to determine whether CBP’s airmail, physical security, and inspection processes at the JFK International Airport are adequate to effectively screen, track, and safeguard incoming international mail. What We Recommend We made eight recommendations to CBP that addressed resources, guidance, space, controls, and security needed to prevent imports of illegal drugs and contraband through the JFK IMF. For Further Information: Contact our Office of Public Affairs at (202) 981-6000, or email us at [email protected] U.S. Customs and Border Protection’s (CBP) mail inspection processes and physical security at the John F. Kennedy (JFK) International Mail Facility (IMF) have not improved since our prior audit.

CBP only inspected approximately percent of the 1.3 million pieces of mail it received during our June 2019 site visit. CBP also did not timely inspect and process mail from high-risk countries, creating unmanageable backlogs. These deficiencies were largely due to inadequate resources and guidance. Consequently, more than without physical inspection. pieces of mail were sent out for delivery Successful execution of CBP’s targeting and interdiction of prohibited items was hindered, as CBP could not fully account for the targeted mail provided by United States Postal Service (USPS).

CBP’s targeting of mail for potential violations also had a inconsistent and incomplete advanced data on mail content. Amid these challenges, CBP could not ensure that targeted mail was inspected before delivery. percent detection rate due to Further, physical security controls, such as locks and cameras, were not adequate to fully safeguard mail in CBP’s possession. Deficient physical security controls can lead to unauthorized access to restricted areas, misplacement of prohibited items, or exposure to dangerous substances. Lastly, controls over the information technology infrastructure and systems supporting mail processing were not fully effective.

CBP did not correctly patch a server or ensure system controls of a database containing targeting information. CBP also had not conducted a Privacy Threshold Analysis on a local database at JFK, placing personal data stored in the system at risk. Management Response CBP concurred with recommendations 2, 4, 5, 6, 7, and 8, but did not concur with recommendations 1 and 3. www.oig.dhs.gov OIG-21-27 FOR OFFICIAL USE ONLY FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Table of Contents Background .................................................................................................... 1 Results of Audit ..............................................................................................

5 CBP Inspects a Selected Portion of International Airmail at JFK ............. 6 Improvements Needed to CBP’s Targeting and Interdiction of Prohibited Items in International Mail ................................................. 17 Physical Security Controls to Safeguard International Parcels in CBP’s Possession Needed Improvement ................................................ 22 CBP’s Controls over the IT Infrastructure and Systems Supporting Mail Processing Operations Were Ineffective ........................................

24 Recommendations…………………………………………………………………………..27 Management Comments and OIG Analysis……………………………………………28 Appendixes Appendix A: Objective, Scope, and Methodology ................................. 34 Appendix B: CBP Comment to the Draft Report ................................... 36 Appendix C: Office of Audits Major Contributors to This Report ........... 42 Appendix D: Report Distribution ..........................................................

43 Abbreviations ATS CBP CCTV C.F.R. COI GAO IMF IT JFK MOU TSA U.S.C. USPS Automated Targeting System U.S. Customs and Border Protection closed-circuit television Code of Federal Regulations Countries of Interest Government Accountability Office International Mail Facility information technology John F. Kennedy International Airport Memorandum of Understanding Transportation Security Administration United States Code United States Postal Service www.oig.dhs.gov OIG-21-27 FOR OFFICIAL USE ONLY FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Background U.S. Customs and Border Protection’s (CBP) mission includes preventing contraband, including illegal drugs and terrorist weapons from entering the United States, while also facilitating the flow of legitimate international travel and trade. CBP plays a critical role in interdicting illegal drugs and other contraband at mail facilities. Imports of opioids such as fentanyl, are a serious problem. In 2018, more people in the United States died from opioid-related causes than from traffic accidents.

According to a 2019 report1 by the Council of the Inspectors General on Integrity and Efficiency, opioids are often produced by drug traffickers overseas and illegally trafficked into the United States across its border or through mail or parcel delivery services. Airports are known to be major entry points for illegal drug imports. Given its frontline responsibility to secure the Nation from imports of illegal drugs and contraband, CBP has a major role to play in helping end the opioid crisis. To prevent illegal substances from entering the country, all inbound international airmail is subject to CBP inspection, except for mail known or believed to contain only official documents addressed to U.S. Government officials or ambassadors of foreign countries.2 In addition to collecting duties on imported merchandise, CBP is required to examine mail for contraband or other illegally imported articles, including restricted or prohibited merchandise.3 Additionally, CBP is responsible for inspecting agricultural products mailed from foreign countries to the United States.4 CBP is not the only participant in the international airmail inspection process.

For example, the Transportation Security Administration (TSA) initially requires that foreign airports and air carriers screen international cargo headed to the United States. TSA also inspects air carrier operations at international locations to ensure compliance with security program requirements. The United States Postal Service (USPS) is another key partner in the inspection of international mail. CBP and USPS have established a memorandum of understanding (MOU) on guidelines for working together nationwide to process 1 Combatting the Opioid Crisis: Role of the Inspector General Community, Council of the Inspectors General on Integrity and Efficiency, September 2019.

2 According to the Memorandum of Understanding between CBP and USPS Regarding Cooperation in the Inspection of Goods Imported or Exported through the Post, September 1, 2017 CBP has responsibility for inspection and clearance of all international mail arriving from foreign origins and overseas military post offices, intended for delivery into the Customs territory of the United States and U.S. Virgin Islands. Also, see 19 Code of Federal Regulations (C.F.R) § 145.2(b). 3 Ibid. 4 19 C.F.R., “Customs Duties,” and Public Law, 107-296, Homeland Security Act of 2002. www.oig.dhs.gov 1 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security international mail arriving in FY 2019 at all international mail facilities (IMF) across the Nation.

CBP officials use detection, identification, and targeting capabilities along with advanced data, information sharing, and partnerships as part of its multi- faceted approach to determine what portion of the mail to select for further inspection. More specifically, CBP has a three-tiered approach for scanning and inspecting international airmail at the JFK IMF, including: (1) intelligence gathering for advanced mail targeting, (2) x-ray machine inspection and canine inspection, and (3) CBP’s physical inspection and testing of mail contents. Each step is further described below. 1) Advanced electronic data gathering enables CBP to target individual pieces of mail prior to arrival at JFK airport.

CBP officials use a risk- based approach, as well as past experience, to identify certain mail and packages for inspection. For example, CBP uses its Automated Targeting System (ATS), a decision support tool that compares traveler, cargo, and conveyance information against law enforcement, intelligence, and other enforcement data using risk-based scenarios and assessments, to identify mail more likely to contain narcotics or other contraband. 2) CBP utilizes x-ray machines and canine teams to conduct secondary inspections to further determine whether a package should be seized or returned to USPS for processing. If, during CBP’s examination, a mail item is found to contain prohibited material, such as illegal drugs, the mail package is held for further examination by CBP staff.

3) With limited exceptions, CBP can open mail packages by hand to inspect, or test, its contents. If no anomalies are found, the items are returned to USPS for delivery without further examination by CBP. Figure 2 depicts the end-to-end flow of international airmail processing upon arrival at JFK. www.oig.dhs.gov 3 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Further, physical security controls, such as locks and cameras, were not adequate to fully safeguard mail in CBP’s possession. Deficient physical security controls can lead to unauthorized access to restricted areas, misplacement of prohibited items, or exposure to dangerous substances.

Lastly, controls over the IT infrastructure and systems supporting mail processing were not fully effective. CBP did not correctly patch a server or ensure system controls of a database containing targeting information. CBP also had not conducted a Privacy Threshold Analysis on a local database at JFK, placing personal data stored in the system at risk. CBP Inspects a Selected Portion of International Airmail at JFK CBP physically inspects only a portion of the incoming international mail received at the JFK IMF daily.

Additionally, CBP does not timely inspect and process targeted mail or mail from high-risk countries, creating unmanageable backlogs. CBP’s physical mail inspection and processing challenges were attributed to inadequate resources and outdated guidance. More than pieces of international mail were sent out for delivery during our 4-day site visit without inspection, increasing the risk that prohibited and harmful items could be delivered to the public. CBP Physical Inspections of High-risk International Airmail According to CBP’s 2001 International Mail Operations and Enforcement Handbook,9 all mail intended for delivery to the United States and the U.S. Virgin Islands is subject to inspection.

The mail requested or targeted by CBP, based on its advanced data gathering, may be inspected by x-ray machines, canine teams, and/or CBP officers. According to the agreement currently in place,10 USPS will make every effort to present individual parcels targeted or requested to the designated Federal inspection area of JFK. The JFK IMF received approximately 1.3 million mail pieces during our 4-day visit from June 17 to June 20, 2019. USPS scans mail through a radiation portal monitor.

The mail inspection volume during this time is shown in Figure 3. 9 Prior to 2003, certain tasks performed by CBP were performed by U.S. Customs Service which authored this 2001 Handbook in use at the time of our audit. 10 Standard Operating Procedures Between U.S. Customs and Border Protection, John F. Kennedy International Airport And The United States Postal Service, New York International Service Center, Regarding Cooperation In The Inspection of Goods Imported Or Exported Through The Post, February 28, 2018. www.oig.dhs.gov 6 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security million per day. 17 Of this amount, CSP estimates that it inspected, on average, of mail each day.

During our visit, we observed backlogs of mail at two key checkpoints: mail inspection and mail processing. Inspection of Targeted Mail CSP could not confirm it inspected all targeted mail from high-risk countries (i.e., mail from countries on COI list.) We reviewed CSP's ATS database at the JFK IMF to determine the exact volume of mail that was targeted from October 1, 2018 to June 30, 2019, and the time it took CSP to complete inspections. The system targeted- percent or total incoming parcels. However, CSP was unable to verify the number of mail pieces it received from high-risk countries or if it had inspected all of the targeted mail.

We also noted during our visit that CSP had a backlog of targeted mail not yet inspected. According to the ATS database, it took CSP an average of 14 days after arrival to inspect the parcels. Figure 7 shows the mail inspection checkpoint, which had mail in postal containers that was more than 1 week old, but had not been inspected by CSP. The containers included mail from the COI list as well as targeted mail.

USPS had provided the mail to CSP for inspection 13 days earlier. Is Figure 7. Backlog of Mail for Inspection Source: OIG photo taken in June 2019 17 CBP estimates of the number of COI mail parcels arriving at the JFK IMF is based on data provided by USPS. The USPS data is based on the total weight of mail provided by air carriers.

18 The only agreement in place is the MOU between CBP and USPS, which does not specify the timeframe. www.oig.dhs.gov 10 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Figure 10. Unused Postal Chutes in the JFK IMF Figure 11. Unused Postal Chutes Source: OIG photos taken June 2019 In addition to the space constrictions, CSP paid rent on these unused sections of the facility that it could not access. Until the unused chutes are removed, CSP cannot implement its planned improvements at the JFK IMF.

Canine Teams are Not Dedicated to the JFK IMF At the time of our visit, a CSP official stated the JFK IMF had 10 narcotic canine teams trained to detect fentanyl, cannabis, hashish, cocaine, and methamphetamine in mail packages. According to the CSP official, the two agricultural canines are trained to detect meat, fruit, vegetables, seeds for planting, trophies, and live animals inside of packages. However, CSP reported that none of the 12 canine teams were assigned or dedicated solely to the JFK IMF at the time. CSP officials asserted that these canine teams are an essential part of the inspection process.

Canines sniff packages on a 15-foot conveyor belt, as pictured in Figure 12, which helps in detecting controlled substances and other contraband. During our visit, we witnessed the seizure of a prohibited substance, as pictured in Figure 13, resulting from canine detection. www.oig.dhs.gov 15 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Figure 12. Canine sniffing mail Figure 13. Methamphetamine drug Source: OIG photos taken June 2019 CBP Should Update Its Guidance to Capture Mail Volume and Complexity CBP personnel do not have adequate, up-to-date guidance to manage the rapidly increasing volume and threats associated with international mail.

As we reported in 2018, CBP had not updated its International Mail Operations and Enforcement Handbook26 since August 2001, nearly 20 years earlier. The outdated guidance also did not contain detailed information or procedures for processing newer, designer drugs day-to-day policies, procedures, and guidelines for inspecting emerging categories of mail, such as_, had not been instituted. We previously recommended CBP update its international mail inspection handbook. During a follow up request to CBP, we were informed that the handbook is currently being updated with an estimated completion date of December 31, 2024. such as opioids and fentanyl.

Additionally, 27 Inadequate Inspection and Processing of International Airmail Increased the Risk of Mishandling or Delivering Dangerous Mail CBP's mail inspection at the JFK IMF was inadequate to prevent illegal drugs and contraband from entering the United States. As previously stated, during our June 2019 site visit, CBP returned million international mail pieces to USPS for delivery across the nation without inspection. Without adequate inspection, prohibited and harmful items could be processed, without being tested, and delivered to the public via the mail system. Finally, without the ability to adequately inspect excessive mail of 1.3 26 Prior to 2003, certain CBP functions were performed by U.S. Customs Service which authored this 2001 Handbook in use at the time of our audit.

27 Designer drugs are illicitly produced as substances that differ slightly from controlled substances in their chemical structure while retaining their pharmacological effects. www.oig.dhs.gov 16 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Additionally, we determined that CBP did not specifically target mail that required duties and fees. CBP has a statutory responsibility to collect revenue owed to the U.S. Government from the importation of goods into the United States. Revenue collection is one of CBP’s primary and recurring functions and was recently reclassified a Priority Trade Issue.32 For example, an importer of record must pay CBP a merchandise processing fee for commercial goods valued at $2,500 or more.33 However, CBP officers did not request high-risk mail that could require duties or fees upon entry in the United States Inconsistent and Incomplete Data Hampered CBP’s Target Detection CBP officers we interviewed during our visit asserted that CBP’s target detection rate is constrained by a reliance on subjective expertise and incomplete advanced data. These officers stated the advanced data in ATS further improves their ability to determine high risk parcels to target incoming mail from other countries.

For example, advanced data officers in CBP’s ATS Unit conduct targeting by relying on targeting thresholds or risk scores from ATS. However, CBP officers added that mail targeting can be hampered by incomplete advanced data because not all countries are required to provide the advanced data or do not provide complete contents of parcels to USPS. Consequences of Mail Targeting Challenges The limitations with targeted mail did not provide us with assurance that CBP physically inspects all targeted mail prior to delivery. Without tracking the targeted mail it receives, CBP is unaware of whether all mail in its possession is accounted for, and inspected, before being returned to USPS for delivery.

As result, CBP will be unable to timely alert parties, such as the Food and Drug Administration, waiting to inspect the targeted mail. Moreover, CBP may be unaware of whether mail may be missing or stolen while in CBP’s possession. In the meantime, CBP and USPS expend excessive time and resources searching and locating targeted mail for inspection. This mail is subsequently released to USPS when no import violation is found.

Without targeting mail subject to duties and fees, this could result in lost revenue to the United States. CBP is the second largest revenue source in the Federal Government, with the dual role of assisting trade and protecting revenue. Trade operations are focused on creating a level playing field for American businesses, protecting consumers, and reducing trade costs. Such 32 Trade Facilitation and Trade Enforcement Act of 2015, 19 United States Code (U.S.C.) § 4322(a)(5) (2016).

33 19 C.F.R 24.23(b)(1). www.oig.dhs.gov 21 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security operations are placed at risk if shipments are imported into the United States without proper collection of duties and fees.34 Physical Security Controls to Safeguard International Parcels in CBP’s Possession Needed Improvement Physical security controls at the JFK IMF were inadequate to safeguard mail in CBP’s possession. Specifically, CBP did not secure interior and exterior entrances and exits in the JFK IMF because existing staff procedures, according to CBP, negated the need for locked doors. CBP also did not have enough cameras to observe all exterior doors or areas where individual CBP staff processed mail. Deficient physical security controls could lead to unauthorized access to restricted areas, theft or misplacement of prohibited items, or staff’s exposure to prohibited substances.

Lack of Physical Security for Entrances and Exits at JFK IMF According to DHS Sensitive Systems Policy Directive 4300A,35 access to DHS buildings, rooms, work areas, and spaces should be limited to authorized personnel. Moreover, controls for detecting and restricting access to sensitive areas should be in place to safeguard against possible loss, theft, and damage. DHS Instruction Manual on Physical Security36 requires that tenants of multiple Federal organizations in a facility have a Facility Security Committee to establish physical access protocols (identification and screening) for employees, contractors, and visitors. CBP did not adequately secure all interior and exterior doors in several JFK IMF mail processing areas.

During our site visit, we observed that doors in all five mail holding areas remained unlocked, or potentially propped open, as pictured in Figures 16, 17, and 18. The unsecured areas contained tubs and pallets of mail waiting to be inspected; some of the mail contained illegal or harmful contents. Although we were unable to determine whether the doors were alarmed, JFK IMF staff confirmed that they were not.37 We watched CBP and USPS staff enter and exit the holding areas freely through the unsecured doors. Additionally, one exit door in the CBP area of the JFK IMF was propped open and not alarmed.

34 CBP Trade and Travel Report, January 2020. 35 DHS Sensitive Systems Policy Directive 4300A, Version 13.1, July 27, 2017. 36 DHS Instruction Manual 121-01-010-01, Revision #01 Physical Security, 7-21-14. 37 Although alarms are not explicitly required in DHS Sensitive Systems Policy Directive 4300A, it prescribes that components have controls in place for detecting, restricting, and regulating access to sensitive areas. www.oig.dhs.gov 22 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Figure 16.

Unsecured Registered Mail Cage Figure 17. Enforcement Cage Door Propped Open Source: OIG photos taken June 2019 Figure 18. Exit Door with a Cinder Block Stopper CBP staff said they did not adequately secure all interior and exterior doors because they did not see the need for locked doors. According to CBP staff, the CBP area in the JKF IMF requires staff to use a key card to enter and exit through exterior doors.

However, we saw non-CBP personnel move in and out of the sensitive areas without key cards. CBP also asserted that the interior doors to each mail holding area needed to remain unlocked to facilitate bringing in USPS containers and access by CBP personnel working in designated areas. Insufficient Camera Coverage for Mail Inspection Areas at the JFK IMF CBP's system of closed-circuit televisions (CCTV) did not provide sufficient visibility in the mail processing areas. During our June 2019 visit, we saw eight cameras within CBP's area of the JFK IMF.

Several areas where CBP staff processed mail did not have adequate camera coverage, as shown in Figure 17. Specifically, there were no cameras in an enclosed, windowless room where a single CBP officer was inspecting letter mail. The cameras nearest the two unalarmed exit doors were not directed at the doors. JFK IMF staff were aware of the inadequate CCTV coverage and submitted a budget request to purchase additional CCTVs. www.oig.dhs.gov 23 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Figure 19.

CCTV Screens Source: OIG photo taken June 2019 We questioned whether CBP would be aware if mail in its possession were to be removed from the facility without authorization. The absence of proper physical security controls could lead to unauthorized access to restricted areas; theft or misplacement of prohibited items; prohibited items improperly mailed to recipients; or staff exposure to prohibited substances. Inadequate physical security controls also increased the risk of insider theft. Specifically, since the doors were not alarmed, JFK IMF staff could access restricted sections of the mail processing area to steal mail containing prohibited items such as fentanyl.

Individuals with malicious intent could also exit unalarmed doors with prohibited mail and management would be unaware of the breach. CBP Controls over the IT Infrastructure and Systems Supporting Mail Processing Operations Were Ineffective We identified several areas for improvement in CBP IT infrastructure supporting mail-processing operations at JFK IMF. CBP did not adequately patch an ATS server located in Springfield, VA. Also, a CBP database containing targeting information did not have adequate internal controls that could help ensure reliability.

Lastly, CBP had not conducted the required privacy assessment on a database, known as the Unclaimed/ Abandonment database, used to stored names and addresses of recipients for incoming international mail. www.oig.dhs.gov 24 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Server Supporting International Mail Processing Was Incorrectly Patched According to the DHS Sensitive Systems Policy Directive 4300A,38 components should ensure all recommended and approved security patches are properly installed. We conducted a technical scan of seven ATS servers at the JFK IMF in June 2019. We determined that CBP had not fully applied required system patches to one of the servers. Our technical scan identified four high-risk vulnerabilities because the patches had not been applied to the ATS server, even though CBP’s own internal vulnerability scans had reported the error for several months.

The deficiency occurred because CBP did not correctly update an associated registry key to apply the patch appropriately.39 According to a CBP official, CBP staff had not been instructed to review error logs to determine whether patches had been correctly applied. CBP should have investigated the patch implementation when the vulnerability previously appeared on monthly reports. Without properly applying all recommended and approved security patches, CBP systems are vulnerable to malicious attacks. Systems with missing patches could lead to intruders attacking and gaining unauthorized access to systems, and obtaining and disclosing potentially sensitive information.

CBP’s JFK Targeting Database Contained Inadequate Controls and Incomplete Data40 Federal guidance requires that applications be designed to process transactions accurately to ensure valid and complete data.41 Controls should be established at an application’s interfaces to verify inputs and outputs, such as edit checks. Based on an internal initiative, CBP staff at the JFK IMF developed a temporary local MS Access Targeting Database application to help monitor international mail packages. According to a CBP official, the catalyst for developing the MS Access Targeting Database was the increasing number of mail violations and 38 Version 13.1, July 27, 2017. 39 The registry is a database of information, settings, options, and other values for software and hardware installed on Microsoft Windows operating systems.

The registry key is updated through the Group Policy Objects, a policy setting in the file system and in the Active Directory. 40 We analyzed the MS Access Targeting Database and identified inadequate controls such as missing fields for exam time, exam data, violation type, and arrive date. There were no system checks to ensure data fields were required or complete. However, the database did have all the data fields we needed for quantifying targeted mail.

41 Office of Management and Budget Circular OMB-123. www.oig.dhs.gov 25 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security limited staff to detect them. Previously, staff at the JFK IMF used targeting ledger books to record parcels that had been targeted. Furthermore, CBP officials stated that as each Targeter updates ATS with targets, they export the ATS information into the MS Access Targeting Database application. The CBP officials stated the Targeter also uses a handheld scanner to read the barcode of the targeted mail and update the MS Access Targeting database application to document that CBP received the targeted piece of mail.

CBP’s MS Access Targeting Database did not contain controls to ensure valid and complete data is transferred over from ATS. Specifically, the database had missing or invalid key fields, such as “exam date,” “violation type,” “arrival date,” and “exam time.” To illustrate, we identified 1,551 records did not have valid arrival dates. In some cases, the database was also missing the source of referral, declared description, seizure number, and actual description. The database also contained errors.

For example, we noted instances in which the exam date occurred before the mail arrival date. We identified 12,789 records that had no exam dates and 72 records exam date was before the arrival date. Without reliable data, CBP may be unable to determine the effectiveness of its advanced targeting efforts or of USPS support. Furthermore, CBP staff may infer incorrect conclusions from the collection of incomplete data.

CBP management of the international mail process cannot benefit from inaccurate statistics concerning the number of parcels targeted, the number provided by USPS, and the number found to contain prohibited items. CBP Needed to Complete a Privacy Threshold Analysis on the Unclaimed/ Abandonment Database According to DHS requirements,42 information systems that collect, use, maintain, or disseminate personally identifiable information are subject to privacy compliance documentation. This includes a Privacy Threshold Analysis for submission to the DHS Privacy Office for review and approval for an information system to be designated as operational. The Privacy Threshold Analysis is also necessary for the Privacy Office to determine whether a Privacy Impact Analysis is needed.

However, CBP has not conducted the required Privacy Threshold Analysis of its Unclaimed/Abandonment database, used to store names and addresses of recipients of incoming international mail. The Unclaimed/Abandonment database also contains information about personal use items such as medicines.43 The data stored in the 42 DHS 4300A, Sensitive Systems Handbook (Version 12.0, November 15, 2015) and DHS Sensitive Systems Policy Directive 4300A (Version 13.1 July 27, 2017). 43 Personal use items are described as quantities too small to seize but still prohibited to deliver to the addressee. www.oig.dhs.gov 26 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Unclaimed/Abandonment database could be compromised absent the necessary security controls. CBP did not conduct the required Privacy Threshold Analysis of the Unclaimed/Abandonment database because the database resided on the local area network at the JFK IMF.

According to a CBP official at the JFK IMF, a Privacy Threshold Analysis was not required because the Unclaimed/Abandonment database is a stand-alone and local system. However, the DHS Privacy Office requires44 systems to have a Privacy Threshold Analysis as a prelude to determining whether a Privacy Impact Analysis is also needed. Furthermore, a memorandum45 issued by the Department on June 26, 2020, states that “even though systems are developed in the field to meet operational needs, it is important to implement security and privacy controls.” The memorandum states “if a system lacks security and privacy documentation, it must be taken offline and brought into compliance with Federal policies.” Until CBP completes a Privacy Threshold Analysis of the Unclaimed/ Abandonment database, it may be placing personally identifiable information stored on the database at risk. Moreover, by not having adequate privacy documentation, CBP may be in violation of required privacy regulations.

Recommendations We recommend the Acting Assistant Commissioner for the Office of Information Technology, and the Executive Assistant Commissioner for the Office of Field Operations, and Acting Executive Assistant Commissioner for Operations Support: Recommendation 1: Provide the support staff and equipment necessary at the JFK IMF to adequately inspect mail in a timely manner. We recommend the Executive Assistant Commissioner for the Office of Field Operations and Acting Executive Assistant Commissioner for Operations Support: Recommendation 2: Ensure that information on seizure of prohibited substances or items at JFK IMF is recorded in SEACATS within 24 hours, as required. 44 Privacy Threshold Analysis is required whenever a new information system is being developed or an existing system is significantly modified. PA9.m Adobe Section 3.1.4.2 45 CBP Information System Security and Privacy Requirement, June 26, 2019. www.oig.dhs.gov 27 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Recommendation 3: Conduct an analysis and revise the targeting methodologies as appropriate for JFK IMF to increase the effective rate of the mail targeting process.

Recommendation 4: Establish a process for JFK IMF to identify and reconcile targeted mail that is not provided by USPS. Recommendation 5: Implement the necessary controls to secure mail in CBP’s possession at the JFK IMF. We recommend the Acting Assistant Commissioner for the Office of Information and Technology: Recommendation 6: Create policy and procedures to ensure that all required system patches and registry keys are correctly applied. We recommend the Executive Assistant Commissioner for the Office of Field Operations: Recommendation 7: Develop a plan to improve the controls and reliability of the local database used to monitor targeted international mail.

We recommend the Acting Assistant Commissioner for the Office of Information and Technology, Executive Assistant Commissioner for the Office of Field Operations, and Acting Executive Assistant Commissioner for Operations Support: Recommendation 8: Work with the DHS Privacy Office to ensure the Unclaimed/Abandonment database complies with DHS privacy policies. Management Comments and OIG Analysis We obtained written comments on a draft of this report from the Senior Component Accountable Official at CBP. In the comments, the Official stated CBP appreciates the recognition of its ability to screen large volumes of incoming international mail. However, CBP did not concur with all of our findings.

The Official provided specific comments regarding each of CBP’s concerns. We reviewed CBP’s comments, as well as the technical comments previously submitted under separate cover, and made changes to the report as appropriate. Following is our evaluation of CBP’s general comments, as well as www.oig.dhs.gov 28 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security a response to each recommendation in the draft report provided for agency review and comment. OIG Response to General Comments The Senior Component Accountable Official at CBP stated the OIG’s draft report contained inaccurate and misleading statements, misrepresentations of facts and metrics, as well as misunderstandings and misrepresentations of CBP’s staffing needs, effectiveness of SEACATS and other national systems, and global targeting methodology and processes.

We disagree with this assertion. We ensured CBP was fully aware of the extent of the OIG’s audit fieldwork and contacts with component personnel at the JFK IMF. Specifically, our project included meetings with CBP staff at the JFK IMF, including the Program Manager, Chief of Staff, Assistant Port Director, IMF Chief, agricultural staff, and canine staff, as well as CBP officials at the National Targeting Center. We assessed a compilation of CBP policies and procedures for processing, selecting, targeting, examining, and interdicting inbound international mail at JFK.

We also observed CBP staff operations, mail inspection equipment, and JFK facilities. We believe the range of audit information compiled was a sound and ample basis from which to form our audit conclusions and recommendations. Further, the Senior Component Accountable Official at CBP stated the OIG lacked understanding of CBP’s targeting, screening, and processing strategies and methodologies. The Official explained that CBP employs a layered approach using numerous methods to identify packages for inspection, including analysis of advanced electronic data through an automated targeting system, narcotics detection canines, and non-intrusive inspection technologies.

We find this assertion inconsistent with our report, which clearly states, “CBP has a multi-layered approach for scanning and inspecting international airmail at the JFK IMF. This 3-tier approach includes: (1) intelligence gathering for advanced mail targeting, (2) x-ray machine inspection and canine inspection, and (3) CBP’s physical inspection and testing of mail contents.” (See page 3 of our report). Response to Report Recommendations In the formal written comments, the Senior Component Accountable Official at CBP concurred with recommendations 2, 4, 5, 6, 7, and 8, but did not concur with recommendations 1 and 3. A copy of CBP’s responses in its entirety is included in Appendix B. A summary of CBP’s response to each recommendation and OIG’s analysis follows. www.oig.dhs.gov 29 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security CBP Comments to Recommendation 1: Non-concur.

Regarding staffing, the Senior Component Accountable Official said CBP’s limited resources mitigate threats in all environments. The CBP Office of Field Operations Workload Staffing Model estimates a staffing shortage of 2,000+ CBP officers across the Nation, throughout all environments, including mail facilities. CBP continuously evaluates and adjusts its limited staff resources to effectively meet all its mission needs, including timely inspection of mail at the JFK IMF, as appropriate. Regarding equipment at the JFK IMF, CBP has initiated several equipment and facility-related projects to modernize the JFK IMF.

CBP commissioned a feasibility study to be conducted for the JFK IMF during FY 2020, including assessment of structure, equipment and potential future needs. In addition, CBP has received funding to update the current infrastructure and technology at the JFK IMF. Enhancements include the installation of mail sorting equipment to increase operational efficiency and allow CBP to screen a larger portion of international mail than is currently being processed. The estimated completion date is November 30, 2021.

OIG Analysis of CBP Comments: We agree with CBP’s plan to conduct the feasibility study of the structure, equipment and potential future needs at the JFK IMF. We also encourage CBP to conduct a similar study or analysis of the staffing levels at the JFK IMF. We made similar recommendations, to which CBP concurred, in our prior audit report, CBP’s International Mail Inspection Processes Need Improvement at JFK International Airport, (OIG-18-83) in which we requested that CBP conduct an analysis of staffing levels at the JFK IMF. Given CBP’s non-concurrence, we consider this recommendation open and unresolved.

CBP Comments to Recommendation 2: Concur. CBP’s Seized Asset Management and Enforcement Procedures Handbook (HB 4400-01B) already has multiple sections outlining the requirements for capturing and recording information pertaining to seizures of prohibited substances within 24 hours. In addition, SEACATS, CBP’s law enforcement system of record, has a system of internal checks in place to notify case initiators and supervisors of actions pending completion associated with these seizures. CBP will provide supporting documentation under separate cover.

CBP requested that OIG consider this recommendation resolved and closed as implemented. OIG Analysis of CBP Comments: We do not consider the actions outlined to be responsive to the recommendation. We recommended CBP ensure the information about seizure of prohibited substances or items at JFK IMF be recorded in SEACATS within 24 hours, as required. We are aware that CBP’s www.oig.dhs.gov 30 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security OIG Analysis of CBP Comments: CBP’s actions are responsive to the intent of this recommendation.

This recommendation will remain open and resolved until CBP provides documentation showing that all planned corrective actions are completed. CBP Comments to Recommendation 5: Concur. CBP Office of Field Operations will implement security measures necessary to secure mail in CBP’s possession at the JFK IMF. These measures include a review of security policies and practices, training materials, quarterly reviews of policies and procedures effectiveness, and tracking of the security of mail in CBP’s possession.

The estimated completion date is June 30, 2021. OIG Analysis of CBP Comments: CBP’s actions are responsive to the intent of this recommendation. This recommendation will remain open and resolved until CBP provides documentation showing that all planned corrective actions are completed. CBP Comments to Recommendation 6: Concur.

The CBP Office of Information Technology demonstrated the patch to the server in question had already been applied and existing policies and procedures for patch deployment were followed. However, the office acknowledged the same server was missing a registry entry at the time because the automated group policy orchestrator encountered a communication problem with the host. The Office of Information Technology will make it a priority to institute verification of the successful application of group policy orchestrator policies on a more frequent and ongoing basis so that anomalies like this are detected and addressed earlier. Specifically, the office will more proactively communicate with Windows Admins to identify failures in registry key updates and group policy orchestrator failures and will continue its semi-monthly Nessus scan result reviews on the Windows servers with peer verification.

The estimated completion date is March 31, 2021. OIG Analysis of CBP Comments: CBP’s actions are responsive to the intent of this recommendation. This recommendation will remain open and resolved until CBP provides documentation showing that all planned corrective actions are completed. CBP Comments to Recommendation 7: Concur.

The Office of Field Operations’ New York Field Office will develop an action plan to address reliability of the database used to monitor targeted international mail. This effort will include evaluating the tracking database to determine which, if any, data elements should continue to be gathered, or whether the database should be discontinued. The estimated completion date is April 30, 2021. www.oig.dhs.gov 32 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security OIG Analysis of CBP Comments: CBP’s actions are responsive to the intent of this recommendation. This recommendation will remain open and resolved until CBP provides documentation showing that all planned corrective actions are completed.

CBP Comments to Recommendation 8: Concur. CBP’s Office of Field Operations Cargo and Conveyance Security, New York Field Office, Office of Information and Technology, Chief Counsel, and the Privacy and Diversity Office will evaluate the Unclaimed/Abandonment database to bring it into compliance with DHS’ privacy policy or identify an existing system of record capable of capturing the necessary data. The estimated completion date is April 30, 2021. OIG Analysis of CBP Comments: CBP’s actions are responsive to the intent of this recommendation.

This recommendation will remain open and resolved until CBP provides documentation showing that all planned corrective actions are completed. www.oig.dhs.gov 33 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Appendix A Objective, Scope, and Methodology Department of Homeland Security Office of Inspector General was established by the Homeland Security Act of 2002 (Public Law 107−296) by amendment to the Inspector General Act of 1978. We conducted this audit to determine whether CBP’s airmail, physical security, and inspection processes at JFK International Airport IMF are adequate to effectively screen, track, and safeguard incoming international mail. To accomplish our audit objective, we reviewed CBP policies and procedures for processing, selecting, targeting, examining, and interdicting inbound international mail at JFK. Specifically, we reviewed the MOU and standard operating procedures to determine roles, responsibilities, and agreements between CBP and USPS.

We also reviewed floor plans to assess space allocation between CBP and USPS and determine where international mail is stored before and after inspection. We reviewed internal controls and protocols for ATS security to verify the completeness and accuracy of the data it produces. We assessed the adequacy of physical controls necessary for CBP to safeguard international mail suspected of containing contraband at JFK IMF. We coordinated with staff from USPS OIG to assist us in this effort.

We obtained from USPS an inventory of mail arriving at the JFK IMF during June 2019. USPS personnel extracted the data from its GBS. We obtained from USPS the specific mail pieces CBP requested for inspection based on the COI list and the individual mail pieces that were targeted. While we did not directly test the reliability of this data, we obtained a statement from the USPS to attest that the GBS data was reliable.

Furthermore, we reviewed the USPS’ Advance Electronic Data Holds and Reliability46 report to gain understanding of how USPS test the reliability of its data generated from USPS’ systems. We also interviewed USPS OIG officials who were knowledgeable about the data. Lastly, our Data Analytics team reviewed the data for completeness and obvious inconsistency errors, and identified insignificant errors in the raw data. We determined that the data was sufficient for the audit.

To gain an understanding of the international mail inspection process, roles, and responsibilities, we met with selected CBP officials, such as CBP cargo staff at the National Targeting Center in Sterling, VA. Additionally, we conversed with the information system security manager and the technology specialist with management oversight of ATS in Northern Virginia. We visited 46 Office of Inspector General USPS, Advance Electronic Data Holds and Reliability, Report Number MS-AR-19-002, July 12, 2019 www.oig.dhs.gov 34 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security the JFK IMF to evaluate inspection equipment, processes, and physical security. We interviewed CBP staff, including the program manager, chief of staff, assistant port director, IMF chief, agricultural staff, and canine staff at the JFK IMF.

We observed CBP officials performing technical scans on ATS servers at the component’s Springfield, Virginia data center. Further, we followed up on the status of CBP’s corrective actions to address deficiencies identified from our previous audit. We used the work of specialists from the DHS OIG Information Assurance and Testing Branch to determine whether servers supporting JFK mail inspection meet IT security control requirements and DHS standards. The specialists completed the following: • Performed a Defense Information Systems Agency Security Technical Implementation Guide configuration management assessment on all servers within the CBP ATS system authorization boundary. • Performed a patching vulnerability assessment on all servers within the CBP ATS system authorization boundary. • Performed a scan to identify unsupported operating systems on all CBP ATS servers assessed.

The results of their work are incorporated as appropriate in our findings. We also used the work of specialists from the DHS OIG-Wide Analytics and Support, who assisted the audit team with reviewing and analyzing data records from USPS, and CBP’s ATS data, and presenting the information graphically. The results of their work are incorporated as appropriate in our findings. We conducted this performance audit between May 2019 and February 2020 pursuant to the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards.

Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based upon our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based upon our audit objectives. We appreciate the efforts of CBP management and staff to provide the information and access necessary to accomplish this audit. Major OIG contributors to the audit are identified in Appendix C. www.oig.dhs.gov 35 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Appendix C Office of Audits Major Contributors to This Report Kevin Burke, Director, Information Systems and Controls Charles Twitty, Supervisory IT Auditor Sonya Davis, Senior IT Auditor Raheem Wilson, Program Analyst Robert Williams, Senior Program Analyst Donna Zavesky, IT Auditor Stephen Wheeler, Program Analyst, OIG-Wide Analytics and Support Ruksana Lodi, Program Analyst, OIG-Wide Analytics and Support Mai Huynh, Program Analyst, OIG-Wide Analytics and Support Thomas Rohrback, Branch Chief, Information Assurance and Testing Jason Dominguez, IT Specialist, Information Assurance and Testing Taurean McKenzie, IT Specialist, Information Assurance and Testing Rashedul Romel, IT Specialist, Information Assurance and Testing Richard Joyce, Independent Referencer Gary Alvino, Independent Referencer Deborah Mouton-Miller, Communications Analyst www.oig.dhs.gov 42 FOR OFFICIAL USE ONLY OIG-21-27 FOR OFFICIAL USE ONLY OFFICE OF INSPECTOR GENERAL Department of Homeland Security Appendix D Report Distribution Department of Homeland Security Secretary Deputy Secretary Chief of Staff Deputy Chiefs of Staff General Counsel Executive Secretary Director, GAO/OIG Liaison Office Under Secretary, Office of Strategy, Policy, and Plans Assistant Secretary for Office of Public Affairs Assistant Secretary for Office of Legislative Affairs Commissioner of CBP CBP Liaison Office of Management and Budget Chief, Homeland Security Branch DHS OIG Budget Examiner Congress Congressional Oversight and Appropriations Committees www.oig.dhs.gov 43 FOR OFFICIAL USE ONLY OIG-21-27

Chat with this agency guidance using AI

Ask CiteLaw's AI Navigator anything about this agency guidance, verify citations, and research related authorities. Sign up for CiteLaw free today to get started.