Oversight

Weak controls leave taxpayer data vulnerable

Shutterstock image (by Sergey Nivens): Security concept, lock on a digital screen.

The IRS' IT is not secure due in large part to a lack of patching and access controls, according to a Government Accountability Office report released March 28.

The agency has been making progress, the report notes, but in its reviews of IRS systems, GAO found lingering discrepancies that threaten to compromise sensitive data.

Sometimes there are gaps between IRS policies and practice, while in other cases the policies themselves need updating, the report states.

GAO lauded the IRS for implementing an automated tool to manage password requirements in its Windows environment but also found that in several systems the IRS didn't force periodic password resets -- despite an IRS policy mandating new passwords every 90 days for user accounts and every year for service accounts -- or enabled a "generic" account, undermining access management goals.

The agency also relied on easily guessable passwords on many systems' servers, auditors said.

In addition, GAO found that in several cases, the IRS granted "excessive privileges" to users. For one tax payment system, users who didn't need editing privileges to do their jobs could nonetheless alter tax payment data.

Of 12 systems GAO reviewed, two lacked critical patches, including a patch that had been available since August 2012.

"By not installing critical patches in a timely manner, IRS increases the risk that known vulnerabilities in its systems may be exploited," the report states.

It's a problem the IRS has acknowledged before.

"We've got enough systems that we get literally thousands of patches, upgrades, security upgrades [and] we don't have the resources to implement them all," IRS Commissioner John Koskinen said recently. "We probably wouldn't implement all of them in any event, but there are some that we don't implement simply because we don't have the resources to do it."

GAO recommended that the IRS update its audit plans for systems and applications and update its security plan for information systems to reflect operating environment changes.

Another 43 technical recommendations were submitted out of the public eye.

In response to the report, Koskinen said he agreed with the recommendations but would need to review the feasibility of implementing them.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.