IRS Needs Cybersecurity Tools to Secure Its COBOL Apps


The tax collection agency runs some of the oldest IT systems in government and needs cybersecurity tools to match.

The IRS manages IT systems running hundreds of thousands of lines of code written in a programming language few developers bother to learn anymore: COBOL. In response to unspecified “national security demands,” the agency is looking for cybersecurity tools designed to work with these aged systems.

The federal tax collector runs some of the oldest IT systems in government, including the 60-plus-year-old Individual Master File system that intakes and processes individual tax returns. While that system runs on Assembly, many of IRS’ other systems run on a slightly younger programming language: the common business-oriented language, or COBOL.

Despite its age, COBOL continues to get widespread use in some sectors, particularly finance. And as banks and other financial systems connect to the IRS, the agency’s systems must be able to communicate and process the incoming information.

But the IRS also has to make sure those systems are secure, which can be difficult when dealing with older programming languages that aren’t supported by modern security tools.

The agency issued a request for information seeking industry feedback on existing cybersecurity products that can handle multiple versions of COBOL, both for apps that have already been deployed and those still in the production pipeline.

“A large portion of the agency’s current software application portfolio is written in COBOL,” according to the notice, including “approximately 160 COBOL applications, which represent an average of 235,000 lines of source code.”

The agency also uses several versions of COBOL: IBM COBOL for OS/390 & VM, version 2.2; IBM Enterprise COBOL for zOS, version 6.3; and Micro Focus Visual COBOL for Eclipse, version 5.0; as well as four versions the agency is considering phasing out: Flexus COBOL, version 5.0; Fujitsu COBOL, version 5.0; and Micro Focus Visual COBOL, versions 2.3.2 and 6.0.

While the solicitation is in the first stages of market research, IRS officials might ask some respondents to give a 60-minute demo of their product “with the intent and sole purpose of gathering further clarification of potential capability to meet the requirements, especially any development and certification risks.”

Responses are due by 5 p.m. June 28. Questions must be submitted no later than 5 p.m. June 7.