Weak controls leave taxpayer data vulnerable

The IRS's IT systems are not secure, due in large part to gaps in patching and access controls, according to a Government Accountability Office report released March 28.

The agency has been making progress, the report notes, but in its reviews of IRS systems, GAO found lingering discrepancies that threaten to compromise sensitive data.

Sometimes there are gaps between IRS policies and practice, while in other cases the policies themselves need updating, the report states.

GAO lauded the IRS for implementing an automated tool to manage password requirements in its Windows environment. But auditors also found that on several systems the IRS did not force periodic password resets, despite an IRS policy mandating new passwords every 90 days for user accounts and every year for service accounts, or had left a "generic" (shared, non-attributable) account enabled, undermining the agency's access management goals.

The agency also relied on easily guessable passwords on many systems' servers, auditors said.

In addition, GAO found that in several cases, the IRS granted "excessive privileges" to users. For one tax payment system, users who didn't need editing privileges to do their jobs could nonetheless alter tax payment data.

Of 12 systems GAO reviewed, two lacked critical patches, including a patch that had been available since August 2012.

"By not installing critical patches in a timely manner, IRS increases the risk that known vulnerabilities in its systems may be exploited," the report states.
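The control gaps the report describes (stale passwords, enabled generic accounts, privileges beyond what a role needs, and critical patches left unapplied) are all things an agency can check continuously against its own account and patch inventory rather than waiting for an audit. The script below is an added illustration, not code from GAO, the IRS or FCW: it applies the password-age limits the article quotes from IRS policy (90 days for user accounts, one year for service accounts) to constructed sample records, compares each account's privileges with a hypothetical per-role baseline, and flags critical patches older than an assumed 30-day window. The role names, hostnames, audit date and placeholder patch identifiers are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Password-age limits the GAO report quotes from IRS policy: new passwords
# every 90 days for user accounts and every year for service accounts.
MAX_PASSWORD_AGE_DAYS = {"user": 90, "service": 365}

# Assumed patch window: a critical patch unapplied this long is a finding.
MAX_PATCH_AGE_DAYS = 30


@dataclass(frozen=True)
class Account:
    name: str
    kind: str            # "user", "service" or "generic" (shared, non-attributable)
    role: str            # assigned job role (hypothetical role names)
    privileges: frozenset
    password_set: date   # date the current password was set
    enabled: bool


@dataclass(frozen=True)
class HostPatchState:
    host: str
    missing_critical: tuple   # (patch_id, release_date) pairs not yet applied


# Hypothetical least-privilege baseline: what each role needs to do its job.
# A payment viewer can read tax payment data but must not be able to edit it.
ROLE_BASELINE = {
    "payment-viewer": frozenset({"read"}),
    "payment-editor": frozenset({"read", "edit"}),
    "batch-service": frozenset({"read", "write-ledger"}),
}


def audit_accounts(accounts, today):
    """Return (account, finding) pairs for the three access-control gaps the
    report names: stale passwords, enabled generic accounts, and privileges
    beyond the account's role baseline."""
    findings = []
    for a in accounts:
        if a.kind == "generic":
            # Policy goal is to have no generic accounts enabled at all.
            if a.enabled:
                findings.append((a.name, "generic account enabled"))
            continue
        limit = MAX_PASSWORD_AGE_DAYS[a.kind]
        age = (today - a.password_set).days
        if age > limit:
            findings.append((a.name, f"password {age} days old, limit {limit}"))
        excess = a.privileges - ROLE_BASELINE.get(a.role, frozenset())
        if excess:
            findings.append((a.name, "excessive privileges: " + ",".join(sorted(excess))))
    return findings


def audit_patches(hosts, today, max_days=MAX_PATCH_AGE_DAYS):
    """Return (host, finding) pairs for critical patches unapplied longer
    than max_days after their release."""
    findings = []
    for h in hosts:
        for patch_id, released in h.missing_critical:
            age = (today - released).days
            if age > max_days:
                findings.append((h.host, f"{patch_id} missing {age} days after release"))
    return findings


# Constructed sample data (not real IRS accounts or hosts).
TODAY = date(2015, 3, 28)   # constructed audit date

SAMPLE_ACCOUNTS = [
    Account("jdoe", "user", "payment-viewer", frozenset({"read"}), date(2015, 1, 1), True),
    Account("asmith", "user", "payment-viewer", frozenset({"read", "edit"}), date(2014, 10, 1), True),
    Account("svc_batch", "service", "batch-service", frozenset({"read", "write-ledger"}), date(2014, 3, 1), True),
    Account("shared_ops", "generic", "payment-viewer", frozenset({"read"}), date(2015, 3, 1), True),
    Account("svc_report", "service", "batch-service", frozenset({"read"}), date(2015, 2, 1), True),
]

SAMPLE_HOSTS = [
    HostPatchState("tax-pay-app-01", (("PATCH-PLACEHOLDER-A", date(2012, 8, 14)),)),
    HostPatchState("tax-pay-app-02", (("PATCH-PLACEHOLDER-B", date(2015, 3, 10)),)),
]


def main():
    for who, what in audit_accounts(SAMPLE_ACCOUNTS, TODAY) + audit_patches(SAMPLE_HOSTS, TODAY):
        print(f"{who}: {what}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one line per finding; against the sample data that is a stale and over-privileged user, a service account past its one-year limit, an enabled generic account, and one host missing a critical patch for well over the window. The checks are deliberately separate functions so each can be wired to its own data source (directory export, patch-management inventory) and its own ticket queue.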

It's a problem the IRS has acknowledged before.

"We've got enough systems that we get literally thousands of patches, upgrades, security upgrades [and] we don't have the resources to implement them all," IRS Commissioner John Koskinen said recently. "We probably wouldn't implement all of them in any event, but there are some that we don't implement simply because we don't have the resources to do it."

GAO recommended that the IRS update its audit plans for systems and applications and update its security plan for information systems to reflect operating environment changes.

Another 43 technical recommendations were submitted out of the public eye.

In response to the report, Koskinen said he agreed with the recommendations but would need to review the feasibility of implementing them.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Noble is on Twitter at @thezachnoble.