IRS earns 'C-minus' rating for security policies

The Internal Revenue Service last week received a "C-minus" grade for work on its information security policies and procedures from a consultant who said the agency's biggest challenge is to match the protection it has developed for data to employees' need for access.

Joseph Mahaffee, a principal with Booz-Allen & Hamilton Inc., McLean, Va., told the National Commission to Restructure the IRS that most agencies and private companies rate a "C or C-minus" for their network security weaknesses, which are compounded by rapid changes in computing technology.

"Some things are being done that would clearly improve" the security of the IRS' data and systems "but we can't remain fixed on what we've done today."

Mahaffee said the agency must decide how much risk it can live with when sharing data and make investments in accordance with an overall security "support structure." Although Booz-Allen has a consulting contract with the Treasury Department, the IRS has not been a client, a company spokeswoman said, and Mahaffee was invited to testify based on his work with national security systems.

The IRS is in the process of developing agencywide standards and policies, said Leonard Baptiste Jr., director of the IRS' recently created Office of Systems Standards and Evaluation. Baptiste said security measures are not necessarily integrated across the agency's multiple networks, though "a lot of people are doing a lot of good work on the ground."

The commission is reviewing all the IRS' operations and plans to recommend later this year steps that the IRS or Congress should take to improve how the agency does business. Sen. Bob Kerrey (D-Neb.), co-chairman of the commission, said he thinks "there is great vulnerability" to the IRS' systems today.

The agency has struggled for several years to define its security policies and last year abandoned a system to allow filing of tax returns over the Internet, in part because auditors concluded the system was vulnerable to hackers. In a policy paper circulated last month, the IRS said security concerns were a major reason why it has not been able to accept more tax returns electronically.

Employee Access a Hurdle

Because of the security risks, commission member Josh Weston, chief executive officer of Automated Data Processing Inc., questioned whether the IRS should rethink plans it has to improve customer service by providing employees with PCs that they would use to gain access to multiple databases.

Rich Pethia, director of the Computer Emergency Response Team, a clearinghouse for security information at Carnegie Mellon University, Pittsburgh, said the IRS has to decide whether its need for wide distributed access is worth the risks that come with this technology.

Pethia said PC networking and Internet technology were not originally engineered "for this unbounded environment" and for use by people who are not technical experts. He said users and systems administrators need to be better trained in how to protect systems, and customers have to start demanding that information technology products include better safeguards against intruders.

