After 3 Years, Key IRS Systems Still Aren’t Properly Encrypted

matejmo/istockphoto.com

The inspector general attributed the delays in the agency’s data at rest encryption program to additional mandates and poor adherence to program management best practices.

The federal tax collection agency has spent years researching the best way to encrypt data stored on its networks but has yet to deploy a working solution, according to the Treasury Inspector General for Tax Administration.

The IRS launched the Data at Rest Encryption, or DARE, program in 2018 to evaluate means of locking down data at rest—that is, data not being transferred or used by an app or process—to protect it from threats, malicious or accidental. The program targeted several IRS systems, which together collected “close to $3.5 trillion in gross taxes and process[ed] more than 240 million tax returns and supplemental documents” in fiscal 2020, according to an audit released Monday.

But the program has failed to produce a single solution that can be deployed across the IRS enterprise, according to the IG.

While the agency has run tests on various encryption and key management solutions, “it has not deployed this technology,” largely due to issues with program management, auditors found.

“TIGTA identified specific program issues that have affected the IRS’s ability to meet its goals, delaying the encryption of sensitive data,” the report states, “including data contained on systems classified as High Value Assets,” for which agencies are supposed to ensure added layers of protection.

Finding a single solution capable of working across the IRS’s broad technology stack is a tall order, the auditors admit. The tax collection agency regularly deploys new software and apps, internally and for taxpayers, but also runs some of the oldest functioning systems in government.

But those systems—the total number of which was redacted from the IG report—hold incredibly sensitive data, including personally identifiable information on every taxpayer in the U.S.

Not only is enterprise encryption at rest necessary, it’s doable, according to the agency.

“A March 2018 internal IRS study determined that a data at rest encryption strategy is feasible and can be effective even for a large agency with critical data and a varied infrastructure like the IRS,” the report states. “It also noted that while there is no one-size-fits-all answer to protect data at rest from an enterprise point of view, a centralized approach to development and adoption of data at rest encryption capabilities is recommended.”

Initially, the agency planned to deploy the first implementation of the DARE program by June 2020, with the goal of expanding the program by September of that year and be at full operating capability across IRS by September 2021.

The report says IRS program officials were on track to begin deploying a solution—or in the planning stage of moving to deployment—in the summer of 2020 when an additional mandate to secure High Value Assets was added to the DARE program’s tasks.

Program officials told Treasury Department leadership the plan was to have those assets under the encryption scheme by 2026 and ultimately negotiated a timeline that falls somewhere in between, though the exact dates are redacted from the report.

But the program suffered from a lack of strong program management principles, according to TIGTA, specifically the enterprise lifecycle, or ELC, framework.

The initial program management team started on the ELC path, even picking a specific framework therein for commercial off-the-shelf deployments. But the team combined multiple phases of work and pushed milestone exits—incremental debriefs to assess how the project is progressing—to the end of the first four phases.

Along with causing delays, “This also defeats the purpose of the ELC approach of having the project divided into phases with natural breakpoints, for which the project’s progress can be reviewed periodically and necessary changes can be made,” auditors said.

The management team also failed to update program documents over time and started work before completing the integrated master schedule, or IMS, which is meant to act as a baseline for measuring success.

“Successful programs have common elements, including the need for executive support as well as the existence of clear business objectives, methodologies and project management expertise,” the report states. “Effective program governance is critical to the success of a program.”

The IG cited three specific programmatic issues:

  • Not following enterprise lifecycle program management methodologies.
  • Delays with developing an integrated master schedule.
  • Not prioritizing work related to prior encryption audit recommendations.

“These issues have affected plans for HVA encryption as well as the progress with work related to deploying the DARE Full Operating Capability,” the IG wrote.

The report makes three recommendations to the IRS chief information officer to address these issues. The agency agreed with all three.

The report also cites another encryption issue with third-party collection agencies working with the IRS that had been “prematurely closed.”

A prior TIGTA found that private collection agencies were encrypting data as required. However, the recent audit showed “the IRS was not encrypting data intended for private collection agencies on its own production systems.”

The IG made a fourth recommendation regarding this issue, with which the IRS CIO concurred.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.