IRS spent $1.2 million on unused data security software, auditors say

In 2010, IRS began implementing a large data loss prevention solution to protect taxpayer data. Nearly a decade later, only one-third of the system is operational.

Shutterstock photo ID: photo ID: 245503636 By Mark Van Scyoc Sign outside the Internal Revenue Service building in downtown Washington, DC on December 26, 2014.

The IRS has spent at least $1.2 million in software for components of a nearly decade-old data loss prevention (DLP) solution that still aren't operational, according to a new oversight audit.

The agency first began implementing a system to safeguard the personally identifiable information (PII) and account data of taxpayers in 2010. The system was originally designed to protect sensitive data at the agency in three states: while in motion (passing through internet routers and gateways), at rest (while stored in an internal database) and while being accessed by software systems or individual users.

IRS initially planned to fully implement the entire solution by 2014, but because of repeated delays, it didn't finish the first component covering data in motion until 2015, according to the Treasury Inspector General for Tax Administration (TIGTA).

Tests by auditors found that the data in motion portion was working as intended, but the other capabilities are still incomplete more than nine years after the project first started.

Auditors found "very little evidence" of progress on the remaining two portions between 2015 and 2017, and the latest update provided by the IRS indicated that it would not meet a revised June 2020 deadline for fully operationalizing the system.

"Continued delays have prevented the risks of PII being inadvertently or intentionally released during the course of normal duties from being fully addressed and the full benefits of the DLP solution from being realized," auditors wrote.

IRS has continued to pay a third-party contractor licensing fees for the data at rest and data in use capabilities even though it hasn't been able to use either. The inspector general report estimated the total cost of licensing for the unused capabilities to be $1.5 million over four years, $1.2 million of which was paid out by IRS.

Auditors are also concerned about whether the solution is being implemented with sufficient controls in place to guard against data theft by insiders. IRS and Treasury have experienced a number of high-profile incidents over the past year where employees have been caught accessing and leaking taxpayer or financial enforcement data, drawing the attention of lawmakers who want to know what the agency is doing to stop employees from abusing their access.

The agency has also toyed with the idea of deploying AI tools to help sniff out insider threats.

TIGTA made three recommendations, all of which IRS concurred with: deploy the missing components, ensure better project documentation to help managers and ensure that any negotiations with the National Treasury Employees Union related to the project are identified and promptly negotiated to avoid further delays.

In a written response to the report, acting CIO Nancy Sieger said the DLP system was "just one of numerous ongoing efforts to secure our systems and protect sensitive information," citing other cybersecurity programs like Continuous Diagnostics and Mitigation. She also disputed TIGTA's estimated costs for unused software, claiming the overall discounts the agency received from purchasing licenses for all three components were "extraordinary" and "extremely advantageous to the government."

"The total savings exceeded nearly $10 million, which far surpasses the $1.2 million for the four-year period noted in your report," Sieger wrote.