IRS slow to implement computer security configurations

More than a year after the deadline, the agency still has not complied with a federal directive to secure desktops and laptops.

The Internal Revenue Service has yet to fully comply with a federal mandate to securely configure computer desktops and laptops, according to a report from the IRS inspector general, who cited poor project management as a factor.

The IG report said the IRS waited until one week before a critical deadline to establish a project team to assess the scope of work needed to implement security standards required by the Federal Desktop Core Configuration mandate. The Office of Management and Budget issued the mandate in March 2007 to improve information security for computers running the Microsoft Windows XP or Vista operating systems. Agencies were directed to comply with 229 standard configuration settings required for computers and laptops by Feb. 1, 2008. OMB also recommended, but did not require, an additional 329 settings to further improve security and reduce risks and costs associated with software vulnerabilities.

As of December 2008, the IRS had implemented 205 -- or 81 percent -- of the total 254 standard configuration settings it deemed necessary for adequate computer security at the agency. The IG reported that the IRS already had 103 -- or 41 percent -- of the 254 settings in place before beginning the FDCC project.

"The delay in establishing a project team was the primary reason the IRS was untimely in complying with the FDCC requirement, possibly resulting in inadequate security over taxpayer data and computer operations," said Deputy IG Michael Phillips.

Furthermore, once the project team was established, the master list of requirements was incomplete and did not account for many applications that needed to be tested. The IRS supports more than 98,000 desktop and laptop computers at 670 facilities nationwide. The computers operate more than 1,900 software applications, each of which the IRS must test with the FDCC settings.

"Overall efforts toward implementing FDCC settings on IRS computers have been slow," Phillips said in the report.

In October 2007, the associate chief information officer for cybersecurity sent an e-mail to agency executives advising them to consider the implications of the OMB requirement, but "actions ... were not taken because some IRS officials assumed the existing common operating environment was compliant with the FDCC requirements," Phillips said.

The IG also reported that the IRS failed to implement an automated monitoring tool to detect and monitor changes to the FDCC settings after they were installed, as required by the mandate, or to modify its contracts to ensure software acquired from vendors operated properly with the settings. The IG identified 27 of 30 contracts for new software products that did not include the required FDCC contract language.

IRS Chief Technology Officer Terence Milholland, who was appointed to the position in November 2008, agreed with the IG's recommendations to provide sufficient management training to the FDCC project managers and to instruct project leaders to maintain an accurate master list of all applications that require testing. The watchdog also recommended that the CTO compare the prices of available automated monitoring tools for purchase, and direct the cybersecurity office to coordinate with the procurement division on including the required FDCC contract language in IT acquisitions.