IRS launched tax credit website without authority to operate, watchdog reports

The IRS rolled out a web portal to authenticate recipients of the expanded Child Tax Credit in mid-2021 without receiving an "authority to operate" approval from tech officials, according to a May report from the Treasury Inspector General for Tax Administration.

The lag in getting an ATO was chalked up to a 'one-time user error' by the tax agency's top tech official in comments to auditors. Overall the issues identified in the report were largely administrative.  

The CTC portal used ID.me as its authentication tool. The tax agency sped up the launch of its identity project called the Secure Access Digital Identity System, made to replace a legacy authentication process that used records and mobile phone confirmation to verify users' identities, propelling it from a "small-scale pilot program to a full-scale production solution," the report says

The IRS used an existing blanket purchase agreement at the Department of Treasury and issued a delivery order for identity proofing support from ID.me on June 7, 2021. It went live on June 21, but didn't officially get "authority to operate" until about two days later. 

A cloud security threat analysis report required by IRS policies was conducted days before the new identity system and child tax credit portal went live, but a "communication issue" meant that the report and ATO letter didn't get to the authorizing official in a "timely" way.

"By allowing the [cloud service provider's] solution to be implemented without an approved agency ATO letter, the IRS cannot ensure that the [cloud service provider] operates with an acceptable level of risk to IRS operations, IRS assets, other organizations, and taxpayers," the report states.

IRS CIO Nancy Sieger told TIGTA in reply comments that she agreed with the recommendation that systems supported by cloud service providers have an ATO before they're implemented, writing that "the IRS has a robust documented ATO process in place, yet for this instance a one-time user error occurred which is not normal process. We will continue to follow our process and ensure we have quality assurance over the processes being followed."

TIGTA auditors also flagged the agency for the slow pace of addressing dozens of known vulnerabilities in the system. The IRS met requirements to scan for software vulnerabilities, but the report noted that 1,818 critical vulnerabilities for the child tax credit portal and identity system were past IRS timeframes set for remediation.

According to the report, an IRS management official pointed to "older versions of commercial off-the-shelf software being installed during the server build process" as a cause. That official also said that a process is being made to "validate that newly built servers meet minimum compliance requirements," as well as a new vulnerability scan for newly built servers before they go into production.

Sigler agreed with a recommendation in the report suggesting that the IRS prioritize the validation of newly built production servers. That recommendation is set to be implemented in September.