IRS fails to identify contractors with access to taxpayer data

Many annual security reviews also were not conducted and weaknesses in computer systems were not checked for fixes.

The Internal Revenue Service risked disclosing taxpayer information when it failed to identify contractors that had access to financial records and to fix known security weaknesses at facilities where files are stored.

According to an audit released on Tuesday by the Treasury Inspector General for Tax Administration, the IRS did not identify all the vendors that store and process taxpayer data, making it impossible to complete annual security reviews. In addition, at facilities where the IRS did conduct reviews, it failed to check if weaknesses it had identified were corrected.

The IRS provides many contractors with taxpayer data to help it manage the federal tax system. Technology companies also operate information systems that allow users access to the agency's network. Although contractors must comply with the security control requirements the National Institute of Standards and Technology issues for protecting sensitive data, the IRS is responsible for ensuring contractors comply by conducting annual reviews. Currently, all IRS components compile and submit a list of contractors that have access to tax records.

"This process was not effective at identifying all contractors who have been provided IRS taxpayer data," said the inspector general, who noted two cases in which contractors with access to tax records were not among those that were identified as requiring a security review.

Also, in fiscal 2009, the IRS made 1,396 procurement requests that required access to tax data, but due to a heavy workload it failed to review the requests to determine if contractors were provided taxpayer data, which would have required the agency to conduct an annual security review.

The inspector general recommended the IRS rely on procurement requests as the most reliable source for identifying contractors that require a review. Agency officials agreed and noted plans to modify an existing procurement system to identify contractors.

In the meantime, "without an effective process for identifying these contractors, the IRS cannot ensure that all contractors who have been provided IRS taxpayer data are being reviewed for computer security control weaknesses," the inspector general said. "As a result, the IRS cannot ensure that taxpayer data are protected at all contractor facilities."

At facilities where security reviews were conducted, the IRS failed to check if weaknesses it found were corrected, as required under the 2002 Federal Information Security Management Act (FISMA). For a sample of eight contractors, all of which the IRS had determined had security weaknesses in their information systems, the agency could not provide a plan to address the vulnerabilities, the inspector general said. According to agency officials, the information systems were not required to comply with FISMA regulations.

"We believe the approach for tracking and monitoring security weaknesses should apply regardless of whether or not FISMA applies to the contractor since the weaknesses pertain to the protection of IRS taxpayer data," the inspector general said. "When security weaknesses are not tracked and monitored, the IRS has no assurance that an official within the IRS is taking responsibility."
