IRS rolls out tax processing systems despite known security risks

Inspector general identifies several weaknesses that could expose taxpayer information.

The Internal Revenue Service deployed two major computer applications despite known security vulnerabilities that put taxpayer information and other sensitive data at risk, according to a report from the IRS inspector general released on Thursday.

Comment on this article in The Forum.The IG concluded in a September annual audit that security weaknesses in the agency's updated tax processing systems could enable malicious intruders to gain unauthorized access to taxpayer information and prevent the IRS from recovering applications during an emergency. The Customer Account Data Engine is a tax processing tool being deployed in phases to replace the existing repositories of taxpayer information, while the Account Management Services systems aim to provide employees with faster and better access to taxpayer account data.

Despite progress in rolling out the technology, "the IRS' processes for ensuring that security controls are implemented before systems are deployed failed because key organizations did not consider the known security vulnerabilities to be significant," the report stated. Furthermore, the Customer Service Executive Steering Committee, which determines whether program milestones have been met, failed to ensure that security controls were implemented, and signed off on CADE milestones despite the existence of known weaknesses. The agency's cybersecurity organization recommended accreditation of the systems, despite also knowing about the existing weaknesses.

The IRS identified the security vulnerabilities in the programs during various rounds of testing in 2007.

"Until security control vulnerabilities are corrected, the IRS is jeopardizing the confidentiality, integrity, and availability of the massive volume of taxpayer data processed and stored by the CADE and the AMS," the audit warned.

Missing security controls in CADE and AMS relate primarily to the protection of sensitive data, system access, audit logging, and disaster recovery, according to the IG. Specific security weaknesses detected in the CADE system included contractors' ability to change configuration settings without notice or approval, the transfer of taxpayers' personal identifiable information without encryption and a failure to properly remove taxpayer data from system memory devices before they're reused.

The AMS system demonstrated similar vulnerabilities.

"Of the security vulnerabilities discussed previously, we are most concerned about the lack of audit logs and disaster recovery capabilities in modernized systems," the IG reported. "It might be understandable that older legacy systems cannot log transactions or comply with other current security and privacy requirements … due to older computer equipment. However, the IRS should ensure that these requirements are included in modernized systems."

Currently in its third deployment, the CADE system processed 28.1 million tax returns and issued 26.8 million refunds from January to April 2008. The first release of AMS, which is being designed to interface with CADE, focused on address change requests. As of January 2008, AMS completed 1,000 of 120,000 requests in real time.

After the audit, IRS officials reported that 11 of the 22 security vulnerabilities detected by the IG had been corrected or determined not to be weaknesses after deployment. Also, in a written response to the audit, the IRS Chief Information Officer Arthur Gonzalez objected to the public release of the report.

"We strongly object to public dissemination of information about IRS security vulnerabilities, as we believe it poses unnecessary and unacceptable risk to our national tax system and economic infrastructure," he said.

This report is the latest in a series of audits on security weaknesses in IRS systems from the agency's IG. Earlier this month, the IG reported on security vulnerabilities in computer systems at the IRS Office of Research, Analysis and Statistics. In September, the IG reported on unauthorized Web servers connected to the agency's networks.