IRS slow on security settings, IG says

The Internal Revenue Service has been slow to implement the required security settings on its 98,000 desktop and laptop computers, the Treasury Inspector General for Tax Administration said. The IRS implemented 102 of the 254 required security settings on its computers in October 2008, nine months after the deadline set by the Office of Management and Budget, TIGTA said in a report released today.

OMB required agencies that use Microsoft’s Windows XP or Vista operating systems to adopt the Federal Desktop Core Configuration (FDCC), a standard set of configuration settings, by Feb. 1, 2008, to improve security and reduce operating costs. As of December 2008, the IRS had implemented 81 percent of the settings, the auditor said.

The service has faced difficulties in establishing the security settings because the tax agency’s 98,000 computers are in 670 locations, and the IRS operates 1,900 software applications, 300 of which were internally developed for specific IRS business processes, the report states. As part of the implementation effort, the IRS must test each application to ensure it operates properly with the FDCC settings, TIGTA said.

The IRS did not create a project team to manage the security effort until January 2008, one week before the deadline, which slowed implementation of the settings, TIGTA said. The team was created late because some IRS officials mistakenly assumed the IRS’ current common operating environment met the FDCC requirements, according to the report.

Once created, the team did not follow basic project-management practices while testing the applications for FDCC compatibility, the auditor said. For example, the master control list used by the project leaders did not account for many applications that needed to be tested, TIGTA said.

The IRS also has not implemented an automated monitoring application to detect and monitor changes to the settings after installation, said J. Russell George, the Treasury inspector general for tax administration. And the tax agency has not modified its software contracts to make sure that new software operates properly with the settings, he said.

“Taxpayers have every right to expect that the IRS protects their privacy and personal information to the highest possible degree. Without a complete set of security settings on employees' computers, the IRS is at risk of business disruption and unauthorized access to taxpayer data,” George said.

The IRS has improved its testing after consulting with Microsoft and has updated its internal procedures to include the FDCC settings, TIGTA said.

The service said it would follow TIGTA recommendations that it improve its technology project-management practices, consider acquiring an automated monitoring tool and prioritize the updating of software contracts.

The TIGTA report is available here.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
