IRS must speed up efforts to resolve IT security weaknesses across the agency, watchdog says

TIGTA officials said that the IRS still has more than 500 late action plans to address potential IT security weaknesses.

TIGTA officials said that the IRS still has more than 500 late action plans to address potential IT security weaknesses. STEFANI REYNOLDS / GETTY IMAGES

The IRS’s failure to expeditiously resolve weaknesses in its IT systems puts the agency “at risk for exploitation by threat actors,” according to an audit by the Treasury Inspector General for Tax Administration.

The IRS needs to speed up its process for addressing information technology security vulnerabilities across the agency to better safeguard taxpayers’ data, according to an audit issued by the Treasury Inspector General for Tax Administration — or TIGTA — on Aug. 9.

Although all federal agencies are required to develop a plan of action and milestones process for expeditiously identifying and resolving information security weaknesses, the watchdog found that there were more than 500 late action plans, “including 23 with risk severity ratings of either critical or high.”

TIGTA’s report noted that the IRS created 12,089 such plans between Jan. 1, 2005, and Aug. 26, 2022, of which 2,555 were still open. In a “judgmental sample,” the watchdog found that the IRS failed to timely review 291 — or 73% — of the 401 plans that it selected for analysis. 

“Failure to timely review, track and close [action plans] to resolve the information security weaknesses puts the IRS at risk for exploitation by threat actors,” the report said.

Additionally, TIGTA found that the agency did not perform “the required closure reviews within the 60-day time period for 138 (49%) of 282 plans marked as either accepted, completed or validated.”

Although the report noted that the IRS ultimately completed the closure reviews, TIGTA warned that “the continued extensions of remediation timelines may lengthen the period of exposure of critical tax systems to known information security vulnerabilities which may provide expanded opportunities for threat actors to access and exploit data.”

The report cited “a lack of management oversight and operational staffing shortfalls” as significant factors hindering speedy efforts to mitigate security weaknesses, with the IRS’s POA&M team, in particular, lacking “a formalized escalation process for noncompliant POA&Ms.”

“Due to not having these processes in place, responsible individuals within each business unit lacked the required guidance and oversight needed to ensure that POA&Ms were created timely and to correct noncompliant POA&Ms,” the watchdog said.

TIGTA also said that the diminishing size of the team placed a greater operational burden on full-time employees. The team responsible for managing the reports dropped from 16 employees in 2016 to just eight in 2022. 

That team of eight full time employees was responsible for managing 1,800 active plans. The TIGTA report states that given the large workloads, the team was “able to perform only basic level … oversight.”

TIGTA made four recommendations to the IRS, including calling for the implementation of “a consistent process agencywide to manage security risk remediation” and for the agency to prioritize staffing and resource allocation to better address identified security weaknesses. 

The IRS agreed with TIGTA’s recommendations and noted that the agency is “seeking to use funding from the Inflation Reduction Act of 2022 to request additional full-time employees to address the increased workload.”

The release of the watchdog’s audit comes after the Government Accountability Office outlined 24 open priority recommendations for the IRS to address in a July report, including unresolved efforts to oversee the cybersecurity practices of third-party vendors.