Watchdog dings IRS for vendor security lapses
Kent Nishimura/Los Angeles Times via Getty Images
Outdated antivirus software and missing security logs created risks for a key IRS communications platform, according to an inspector general report.
A vendor supplying a key taxpayer communications system to the IRS failed to install high-severity rated updates to antivirus software and ran outdated software for more than a year, according to a report the agency’s internal watchdog released last week.
The report from the Treasury Inspector General for Tax Administration (TIGTA) reported that managed services provider eGain did not apply multiple security fixes that were available – in contravention of IRS information resource management rules for vendors.
The system in question, the Taxpayer Digital Communications (TDC) platform, enables taxpayers to communicate and share documents with IRS representatives in a variety of web-based chat formats. The system runs on Amazon Web Services' GovCloud and, according to its privacy impact assessment, hosts personally identifiable information on taxpayers including Social Security numbers.
TIGTA auditors recommended that the IRS chief information officer take steps to make sure eGain monitor and ensure timely updates are made to antivirus software in keeping with the tax agency's own rules. IRS CIO Nancy Sieger concurred and said that the agency is now getting regular reports on patching and updates from eGain.
The report also found that IRS was not conducting adequate oversight of the AWS GovCloud as required under the Federal Risk and Authorization Management Program for cloud security. According to the report, "there is no clear timeline for IRS to begin its FedRAMP security reviews for continuous monitoring of [cloud services providers]." Auditors stated that the continuous monitoring should begin when cloud providers are FedRAMP approved. Sieger indicated that full security assessments were completed in May 2022 and would be conducted on an annual basis in the future.
The report also found that cybersecurity audit trails had gone unreviewed for years until a recent security assessment prompted by a vendor misconfiguration. The system maintained access for inactive user accounts and permitted vendor default username/passwords to operate in the production environment. "[H]aving test accounts in the production environment unnecessarily exposes the TDC and eGain platforms to unauthorized access, which may result in damage or data loss," the report stated.
Sieger concurred with all 11 recommendations made in the report and proposed plans for corrective actions to be completed by April 15, 2023.