The IRS Doesn’t Know Who’s Accessing Its Most Sensitive Data

The tax agency also isn’t patching vulnerabilities on those systems in a timely manner, an audit found.

The Internal Revenue Service hasn’t accurately cataloged all the components of its highest value hardware and software systems and doesn’t have a clear count of who has privileged access to those systems, according to an audit released Monday.

The IRS also likely isn’t patching software vulnerabilities on its highest value assets within the 30-day timeframe required for federal agencies, according to the audit from the Treasury Inspector General for Tax Administration.  

Because the agency doesn’t maintain historical data about patching, however, it’s difficult to say for certain how long vulnerabilities are going unpatched, the audit states.

The term “high-value assets,” as used by federal cybersecurity professionals, essentially refers to software and hardware systems that contain the most sensitive information, including personally identifiable information about taxpayers or employees.

Those systems are most likely to be targeted by adversary nation-states and criminal hackers and so require the highest level of protection, according to guidance created following the 2015 Office of Personnel Management breach, which compromised sensitive security clearance information about more than 20 million current and former federal employees.

In the case of the IRS, it took officials three months to provide auditors with a partial list of people with privileged access to its high-value assets, and that list covered only about 30 percent of servers associated with those systems, the auditors said.

The process of determining whether a particular person was authorized to access a particular server containing high-value assets was also far too onerous, auditors said, with much of it requiring manual processes.

“Given that the IRS has not been able to provide this basic but critical information, we question whether the IRS has sufficiently inventoried, validated, and minimized the number of privileged users and accounts as required,” the audit states.