IRS earns 'C-minus' rating for security policies

The Internal Revenue Service last week received a "C-minus" grade for work on its information security policies and procedures from a consultant who said the agency's biggest challenge is to match the protection it has developed for data to employees' need for access.

Joseph Mahaffee, a principal with Booz-Allen & Hamilton Inc., McLean, Va., told the National Commission to Restructure the IRS that most agencies and private companies rate a "C or C-minus" for their network security weaknesses, which are compounded by rapid changes in computing technology.

"Some things are being done that would clearly improve" the security of the IRS' data and systems "but we can't remain fixed on what we've done today."

Mahaffee said the agency must decide how much risk it can live with when sharing data and make investments in accordance with an overall security "support structure." Although Booz-Allen has a consulting contract with the Treasury Department, the IRS has not been a client, a company spokeswoman said, and Mahaffee was invited to testify based on his work with national security systems.

The IRS is in the process of developing agencywide standards and policies, said Leonard Baptiste Jr., director of the IRS' recently created Office of Systems Standards and Evaluation. Baptiste said security measures are not necessarily integrated across the agency's multiple networks, though "a lot of people are doing a lot of good work on the ground."

The commission is reviewing all the IRS' operations and plans to recommend later this year steps that the IRS or Congress should take to improve how the agency does business. Sen. Bob Kerrey (D-Neb.), co-chairman of the commission, said he thinks "there is great vulnerability" to the IRS' systems today.

The agency has struggled for several years to define its security policies and last year abandoned a system to allow filing of tax returns over the Internet, in part because auditors concluded the system was vulnerable to hackers. In a policy paper circulated last month, the IRS said security concerns were a major reason why it has not been able to accept more tax returns electronically.

Employee Access a Hurdle

Because of the security risks, commission member Josh Weston, chief executive officer of Automated Data Processing Inc., questioned whether the IRS should rethink plans it has to improve customer service by providing employees with PCs that they would use to gain access to multiple databases.

Rich Pethia, director of the Computer Emergency Response Team, a clearinghouse for security information at Carnegie Mellon University, Pittsburgh, said the IRS has to decide whether its need for wide distributed access is worth the risks that come with this technology.

Pethia said PC networking and Internet technology were not originally engineered "for this unbounded environment" and for use by people who are not technical experts. He said users and systems administrators need to be better trained in how to protect systems, and customers have to start demanding that information technology products include better safeguards against intruders.

