(a) Agencies must have a written mail security policy that applies throughout your agency.
(b) Agencies must have a written mail security plan for each facility that processes mail, regardless of the facility's mail volume.
(c) Agencies must have a security policy for employees receiving incoming and sending outgoing mail at an alternative worksite, such as a telework center.
(d) The scope and level of detail of each facility mail security plan should be commensurate with the size and responsibilities of each facility. For small facilities, agencies may use a general plan for similar locations. For larger locations, agencies must develop a plan that is specifically tailored to the threats and risks at your location. Agencies should determine which facilities they consider small and large for the purposes of this section, so long as the basic requirements for a security plan are met at every facility.
(e) All mail managers are required to annually report the status of their mail security plans to agency headquarters. At a minimum, these reports should assure that all mail security plans comply with the requirements of this part, including annual review by a subject matter expert and regular rehearsal of responses to various emergency situations by facility personnel.
(f) A security professional who has expertise in mail center security should review the agency's mail security plan and policies annually to include identification of any deficiencies. Review of facility mail security plans can be accomplished by subject matter experts such as agency security personnel. If these experts are not available within your agency, seek assistance from the U.S. Postal Inspection Service (https://postalinspectors.uspis.gov/) or the Federal Protective Service (FPS) (http://www.dhs.gov/federal-protective-service).