Weak controls leave taxpayer data vulnerable


The IRS' IT is not secure due in large part to a lack of patching and access controls, according to a Government Accountability Office report released March 28.

The agency has been making progress, the report notes, but in its reviews of IRS systems, GAO found lingering discrepancies that threaten to compromise sensitive data.

Sometimes there are gaps between IRS policies and practice, while in other cases the policies themselves need updating, the report states.

GAO lauded the IRS for implementing an automated tool to manage password requirements in its Windows environment, but also found that several systems did not force periodic password resets -- despite an IRS policy mandating new passwords every 90 days for user accounts and every year for service accounts -- or had a "generic" account enabled, undermining access management goals.

The agency also relied on easily guessable passwords on many systems' servers, auditors said.

In addition, GAO found that in several cases, the IRS granted "excessive privileges" to users. For one tax payment system, users who didn't need editing privileges to do their jobs could nonetheless alter tax payment data.

Of 12 systems GAO reviewed, two lacked critical patches, including a patch that had been available since August 2012.

"By not installing critical patches in a timely manner, IRS increases the risk that known vulnerabilities in its systems may be exploited," the report states.

It's a problem the IRS has acknowledged before.

"We've got enough systems that we get literally thousands of patches, upgrades, security upgrades [and] we don't have the resources to implement them all," IRS Commissioner John Koskinen said recently. "We probably wouldn't implement all of them in any event, but there are some that we don't implement simply because we don't have the resources to do it."

GAO recommended that the IRS update its audit plans for systems and applications and update its security plan for information systems to reflect operating environment changes.

Another 43 technical recommendations were submitted out of the public eye.

In response to the report, Koskinen said he agreed with the recommendations but would need to review the feasibility of implementing them.

About the Author

Zach Noble is a former FCW staff writer.
