The inspector general attributed the delays in the agency’s data at rest encryption program to additional mandates and poor adherence to program management best practices.
The federal tax collection agency has spent years researching the best way to encrypt data stored on its networks but has yet to deploy a working solution, according to the Treasury Inspector General for Tax Administration.
The IRS launched the Data at Rest Encryption, or DARE, program in 2018 to evaluate means of locking down data at rest—that is, data not being transferred or used by an app or process—to protect it from threats, malicious or accidental. The program targeted several IRS systems, which together collected “close to $3.5 trillion in gross taxes and process[ed] more than 240 million tax returns and supplemental documents” in fiscal 2020, according to an audit released Monday.
But the program has failed to produce a single solution that can be deployed across the IRS enterprise, according to the IG.
While the agency has run tests on various encryption and key management solutions, “it has not deployed this technology,” largely due to issues with program management, auditors found.
“TIGTA identified specific program issues that have affected the IRS’s ability to meet its goals, delaying the encryption of sensitive data,” the report states, “including data contained on systems classified as High Value Assets,” for which agencies are supposed to ensure added layers of protection.
Finding a single solution capable of working across the IRS’s broad technology stack is a tall order, the auditors admit. The tax collection agency regularly deploys new software and apps, internally and for taxpayers, but also runs some of the oldest functioning systems in government.
But those systems—the total number of which was redacted from the IG report—hold incredibly sensitive data, including personally identifiable information on every taxpayer in the U.S.
Not only is enterprise encryption at rest necessary, it’s doable, according to the agency.
“A March 2018 internal IRS study determined that a data at rest encryption strategy is feasible and can be effective even for a large agency with critical data and a varied infrastructure like the IRS,” the report states. “It also noted that while there is no one-size-fits-all answer to protect data at rest from an enterprise point of view, a centralized approach to development and adoption of data at rest encryption capabilities is recommended.”
Initially, the agency planned to deploy the first implementation of the DARE program by June 2020, with the goal of expanding the program by September of that year and be at full operating capability across IRS by September 2021.
The report says IRS program officials were on track to begin deploying a solution—or in the planning stage of moving to deployment—in the summer of 2020 when an additional mandate to secure High Value Assets was added to the DARE program’s tasks.
Program officials told Treasury Department leadership the plan was to have those assets under the encryption scheme by 2026 and ultimately negotiated a timeline that falls somewhere in between, though the exact dates are redacted from the report.
But the program suffered from a lack of strong program management principles, according to TIGTA, specifically the enterprise lifecycle, or ELC, framework.
The initial program management team started on the ELC path, even picking a specific framework therein for commercial off-the-shelf deployments. But the team combined multiple phases of work and pushed milestone exits—incremental debriefs to assess how the project is progressing—to the end of the first four phases.
Along with causing delays, “This also defeats the purpose of the ELC approach of having the project divided into phases with natural breakpoints, for which the project’s progress can be reviewed periodically and necessary changes can be made,” auditors said.
The management team also failed to update program documents over time and started work before completing the integrated master schedule, or IMS, which is meant to act as a baseline for measuring success.
“Successful programs have common elements, including the need for executive support as well as the existence of clear business objectives, methodologies and project management expertise,” the report states. “Effective program governance is critical to the success of a program.”
The IG cited three specific programmatic issues:
- Not following enterprise lifecycle program management methodologies.
- Delays with developing an integrated master schedule.
- Not prioritizing work related to prior encryption audit recommendations.
“These issues have affected plans for HVA encryption as well as the progress with work related to deploying the DARE Full Operating Capability,” the IG wrote.
The report makes three recommendations to the IRS chief information officer to address these issues. The agency agreed with all three.
The report also cites another encryption issue with third-party collection agencies working with the IRS that had been “prematurely closed.”
A prior TIGTA found that private collection agencies were encrypting data as required. However, the recent audit showed “the IRS was not encrypting data intended for private collection agencies on its own production systems.”
The IG made a fourth recommendation regarding this issue, with which the IRS CIO concurred.