Oversight

GAO finds IRS still struggling with IT security

keyhole digital

The Internal Revenue Service may have stronger IT security in place since last year’s Government Accountability Office audit, but it still needs to address several vulnerabilities to avoid compromising financial and sensitive taxpayer data, the watchdog concluded.

During fiscal year 2012, the IRS dealt with several of the information security control deficiencies GAO previously identified. For example, improvement was seen in controls over the encryption of data transferred between accounting systems, and upgrades to critical network devices on the IRS internal network system. Cross-functional working groups were also launched to identify and fix specific at-risk control areas.

However, a review released March 15 found that although the IRS said it had dealt with 58 of the previous information system security-related recommendations GAO made in 2012, more than 20 percent were in fact never resolved. For example, the IRS had not adopted effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers. The agency also failed to restrict access to its mainframe environment and monitor the mainframe environment well enough.

Additionally, the IRS did not ensure up-to-date patches were installed on systems to protect against known vulnerabilities – a familiar problem for the agency. As recently as November 2012, the Treasury Inspector General for Tax Administration rapped the IRS for failing to take an enterprisewide approach to installing and monitoring software patches.

However, the IRS’ challenges with swift implementation of security elements date back several years. A 2009 report from TIGTA found the agency implemented 102 of the 254 required security settings on its computers - nine months after the deadline imposed by the Office of Management and Budget.

Most of IRS’ current weaknesses resulted from the agency’s failure to fully implement its information security program. For example, the IRS lacked a procedure to reconcile certain access privileges, and its policies did not cover situations where systems share data storage. Additionally, the IRS’ security standards for systems supporting tax processing and financial management had outdated information.

The IRS has agreed with GAO’s recommendations to more effectively implement portions of its information security program, and address newly identified control weaknesses.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.