IRS auditors call for constraints on contractors' computer access

Treasury Department auditors found that lax security procedures at the Internal Revenue Service have allowed private contractors to put IRS computer systems and sensitive taxpayer data at risk.

IRS security officials discounted the severity of the auditors' assessment but generally agreed with the recommendations of an investigation that Treasury auditors conducted on four private-contractor operations between March and September last year.

The auditors recommended that IRS officials restrict contractors' computer access privileges to the minimum required for them to perform their jobs and that contactors be given updated workstations. Many of the older computer systems assigned to contractors were insecure and could not easily be made secure, according to the auditors. Their findings were published in a report that was labeled for limited public use and was not widely circulated.

The report, with the contractors' names and other sensitive data removed, revealed that root access privileges had been granted unnecessarily to about 50 contractor personnel. Root access permits users to make changes to computer systems without detection. Other contractor employees had violated IRS security procedures by installing e-mail and instant-messaging software on IRS computers.

In some cases, the report says, contractors blatantly circumvented IRS policies and procedures, even when IRS security personnel pointed out the inappropriate practices.

The IRS has more than 900 contracts with private contractors and consultants who perform many tax administration activities.

In a memo to the IRS' chief of mission assurance, an official in Treasury's office of the inspector general, stated his concerns. "Without sufficient oversight," he said, "the involvement of non-IRS employees in critical IRS functions adds to the risk of misuse or unauthorized disclosure of taxpayer data and could lead to loss of equipment or sensitive taxpayer data through theft or sabotage."

Although the IRS never formally announced the release of the report, a copy of it was obtained under the Freedom of Information Act by the National Treasury Employees Union, which opposes having federal jobs go to private contractors.

Colleen Kelley, president of the treasury union, believes federal agencies have been consistently lax in their oversight of contractors. The auditors' findings should be of concern to taxpayers, Kelley said.

"It's an important issue," she said, "especially when you think about the other initiatives the IRS says it wants to embark on, like privatizing tax collections."

Featured

  • Defense
    The Pentagon (Photo by Ivan Cholakov / Shutterstock)

    DOD CIO hits pause on JEDI cloud acquisition

    Dana Deasy set cloud as his office's top priority. But when it comes to the JEDI request for proposal, he's directed staff to "pause" to compile a comprehensive review.

  • Cybersecurity
    By Gorodenkoff shutterstock ID 761940757

    Waging cyber war without a rulebook

    As the U.S. looks to go on the offense in the cyber domain, critical questions remain unanswered around who will take the lead and how clearly to draw the rules of engagement.

  • Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    Deadline extended for Rising Star nominations

    You now have until July 18 to help us identify the early-career innovators and change agents in government IT.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.