TaxByte 2016-7

Cybersecurity and Protecting Taxpayer Information – IRS Not in Compliance with Federal Cybersecurity Standards

Summary of TIGTA Testimony on April 12, 2016 hearing before the Committee on Finance United States Senate

In a recent hearing before Congress, TIGTA released information on federal government cyberattacks in 2015. The cyber-attacks continue to grow and have increased more than 10% from FY 2014 with a reported 77,183 cyberattacks occurring in FY 2015, of which IRS reported that more than 1,000 security incidents occurred to its systems during the period August 1, 2014, to July 31, 2015.

When we look at our current tax system and the IRS as a whole, they rely extensively on computer technology to process returns, issue refunds and notices, and manage inventory. The programs contain Personal Identifiable Information (PII). Each year more and more individual and business returns depend on IRS computers to process and safeguard this PII.  

The report identified a number of areas where IRS could better protect and improve their data security. Annually, TIGTA must evaluate cybersecurity conditions as required by the Federal Information Security Modernization Act.  In Treasury’s recent evaluation three areas were found to be of concern: (1) Continuous Monitoring Management, (2) Identity and Access Management, and (3) Configuration Management.  None of these three programs met the level of performance specified by the Department of Homeland Security.

Continuous Monitoring Management

IRS is still in the process of implementing this program which monitors asset management and maintains the secure configuration of assets in real time. In a range of one to five with one being the lowest, the IRS program was ranked as "one."  Homeland Security has tools that IRS is now implementing to meet the requirements of the program that will eventually, at full maturity of the system, allow real time cyber risk identification.  

Identity and Access Management

The Identity and Access Management program ensures that only those with a business need are able to obtain access to IRS systems and data. The evaluation found that IRS is not in compliance with using identification procedures for employees or contracts who could have access to the data.

Configuration Management

Configuration Management emphasizes that IRS settings on the computer systems are secure and properly maintained, especially when “patches” are required to update systems. The study found that the IRS “security patches” process were not in full compliance. In addition, at the time of the review, the detection system was not monitoring a significant percentage of IRS servers, and incidents had not been reported as required by Treasury.  To make matters worse, the policies, plans, and procedures were nonexistent, inaccurate, or incomplete.  Finally, IRS was unable to upgrade all of its workstations with the most current Windows® operating system, which means automatic patches and fixes had not been done, and  the IRS had not accounted for the location or migration status of approximately 1,300 workstations. IRS had upgraded only about one-half of its applicable servers.