GAO finds IRS still struggling with IT security

keyhole digital

The Internal Revenue Service may have stronger IT security in place since last year’s Government Accountability Office audit, but it still needs to address several vulnerabilities to avoid compromising financial and sensitive taxpayer data, the watchdog concluded.

During fiscal year 2012, the IRS dealt with several of the information security control deficiencies GAO previously identified. For example, improvement was seen in controls over the encryption of data transferred between accounting systems, and upgrades to critical network devices on the IRS internal network system. Cross-functional working groups were also launched to identify and fix specific at-risk control areas.

However, a review released March 15 found that although the IRS said it had dealt with 58 of the previous information system security-related recommendations GAO made in 2012, more than 20 percent were in fact never resolved. For example, the IRS had not adopted effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers. The agency also failed to restrict access to its mainframe environment and monitor the mainframe environment well enough.

Additionally, the IRS did not ensure up-to-date patches were installed on systems to protect against known vulnerabilities – a familiar problem for the agency. As recently as November 2012, the Treasury Inspector General for Tax Administration rapped the IRS for failing to take an enterprisewide approach to installing and monitoring software patches.

However, the IRS’ challenges with swift implementation of security elements date back several years. A 2009 report from TIGTA found the agency implemented 102 of the 254 required security settings on its computers - nine months after the deadline imposed by the Office of Management and Budget.

Most of IRS’ current weaknesses resulted from the agency’s failure to fully implement its information security program. For example, the IRS lacked a procedure to reconcile certain access privileges, and its policies did not cover situations where systems share data storage. Additionally, the IRS’ security standards for systems supporting tax processing and financial management had outdated information.

The IRS has agreed with GAO’s recommendations to more effectively implement portions of its information security program, and address newly identified control weaknesses.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group