102-192.70—What security policies and plans must we have?
(a)
You must have a written mail security policy that applies throughout the agency.
(b)
You also must have a written mail security plan for each facility that processes mail, regardless of the facility's mail volume.
(c)
If a contract that is in place on August 25, 2008 does not fully meet the requirements of this section, the contract must be modified to meet the requirement for a security plan within one year of August 25, 2008, unless the contract will expire prior to that date.
(d)
The scope and level of detail of each facility mail security plan should be commensurate with the size and responsibilities of each facility. For small facilities, you may provide a general, standardized plan that is used in many similar locations. For larger locations, you must develop a plan that is specifically tailored to the threats and risks at your location. Agencies are free to determine for themselves which facilities are “smaller” and which are “larger” for the purposes of this section, so long as the basic requirement for a security plan is met at every facility.
(e)
All mail facility managers should report annually the status of their facility mail security plans to agency headquarters. At a minimum, this report should assure that the facility mail security plan complies with the requirements of this part, including annual review by a subject matter expert and regular rehearsal of responses to various emergency situations by facility personnel.
(f)
An outside security professional who has expertise in mail center security should review the agency's mail security plan annually. Review of facility mail security plans can be accomplished by outside subject matter experts such as agency security personnel. If these experts are not available within your agency, seek assistance from the Postal Inspection Service or other Federal authorities.