GAO, TIGTA call out IT shortcomings at IRS

The Internal Revenue Service is still falling short on fundamental information security measures, according to a new Government Accountability Office report.

The July 31 GAO report identified specific issues in the agency’s information security program management, such as inconsistently enforcing effective password security and insufficiently documenting authorizations for mainframe data and processing changes. GAO also said IRS was uneven in its implementation of certain components of its security program.

GAO noted the IRS had made significant progress in improving security, but it also emphasized the importance of continuous improvement. "[C]ontinuing and newly identified control deficiencies," GAO investigators warned, have "limited the effectiveness of security controls for protecting the confidentiality, integrity, and availability of IRS’s financial and tax processing systems."

In addressing 13 of 34 previously listed security deficiencies, the IRS has “improved identification and authentication by enforcing password complexity for several user- and system-level accounts on various servers.” But the agency has failed to implement FIPS 140-2-compliant encryption across all systems, which GAO said presents security gaps that unauthorized users could easily exploit.

The audit called particular attention to the IRS’s failure to implement “access control lists on certain network devices to prevent unauthorized users from logging into the network devices” and to maintain a uniform authentication procedure. Without these types of defenses, GAO warned, systems can be easily compromised, putting financial reporting and taxpayer data at risk of attack. GAO also said the IRS was “unable to provide supporting documentation for 13 changes made to critical mainframe datasets.”

While implementation of a uniform information control policy is crucial, creating and maintaining that policy is equally important. The IRS has recently updated its Internal Revenue Manual, but GAO said the agency fell short of its own standards by its lack of updated audit and monitoring capabilities to continuously improve authentication, activity documentation and patching.

The IRS has gotten a good start on improving its system and data security by addressing almost all previous GAO recommendations for updated hardware and software. Now the issues extend beyond equipment improvement, and the IRS must shift its focus to begin a procedural and eventually a cultural change in the way that it practices information security, GAO said.

The new audit comes just one week after another GAO generally applauded the IRS's information security progress.  But the new warnings are just one part of a critique-filled few days for the tax agency. 

An audit by the Treasury Inspector General for Tax Administration, released July 27, found that IRS CIO Gina Garza has been delegating IT purchase reviews to subordinates.  (The Federal IT Acquisition Reform Act explicitly places the responsibility for such reviews with agency CIOs.) 

Garza told TIGTA in a written response to that audit that her agency "takes FITARA responsibilities very seriously and is working closely with the Department of Treasury to update related guidance and processes."

And a second TIGTA audit, also released July 27, chided the IRS for spending $85 million on an enterprise case management solution that it ultimately could not use.  The IRS agreed with the auditors' recommendations to help "identify a viable ECM solution, and determine program requirements and complete all initial planning activities prior to the start of ECM projects."