IRS slow on security settings, IG says

The Internal Revenue Service has been slow to implement the required security settings on its 98,000 desktop and laptop computers, the Treasury Inspector General for Tax Administration said. The IRS implemented 102 of the 254 required security settings on its computers in October 2008, nine months after the deadline set by the Office of Management and Budget, TIGTA said in a report released today.

OMB required agencies that use Microsoft’s Windows XP or VISTA operating systems to adopt the Federal Desktop Core Configuration (FDCC), a standard set of configuration settings, by Feb. 1, 2008, to improve security and reduce operating costs. As of December 2008, the IRS had implemented 81 percent of the settings, the auditor said.

The service has faced difficulties in establishing the security settings because the tax agency’s 98,000 computers are in 670 locations, and the IRS operates 1,900 software applications, 300 of which were internally developed for specific IRS business processes, the report states. As part of the implementation effort, the IRS must test each application to ensure it operates properly with the FDCC settings, TIGTA said.

The creation of a project team to manage the security effort in January 2008, one week before the deadline, slowed implementation of the settings, TIGTA said. The untimely creation of the project team occurred because some IRS officials mistakenly assumed the IRS’ current common operating environment met the FDCC requirements, according to the report.

Once created, the team did not follow basic project-management practices while testing the applications for FDCC compatibility, the auditor said. For example, the master control list used by the project leaders did not account for many applications that needed to be tested, TIGTA said.

The IRS also has not implemented an automated monitoring application to detect and monitor changes to the settings after installation, said J. Russell George, the Treasury inspector general for tax administration. And the tax agency has not modified its software contracts to make sure that new software operates properly with the settings, he said.

“Taxpayers have every right to expect that the IRS protects their privacy and personal information to the highest possible degree. Without a complete set of security settings on employees' computers, the IRS is at risk of business disruption and unauthorized access to taxpayer data,” George said.

The IRS has improved its testing after consulting with Microsoft and had updated its internal procedures to include the FDCC settings, TIGTA said.

The service said it would follow TIGTA recommendations that it improve its technology project-management practices, consider acquiring an automated monitoring tool and prioritize the updating of software contracts.

The TIGTA report is available here.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.