The Internal Revenue Service is taking issue with a
TIGTA noted in the report it publicly released Monday that the President’s Cyberspace Policy emphasized that agencies need to use SmartID cards to access computer systems. But the IRS has delayed its scheduled September 2011 implementation of the SmartID card authentication system to July 2013, the report noted.
“Upgrading the security of computer systems has never been more important to prevent disruptions in critical IRS processes and to protect taxpayers’ personal information from unauthorized access,” said TIGTA Inspector General J. Russell George in a statement. “The IRS is nearly two years behind its original planned completion date for implementing the new two-factor authentication system and enabling all employees to use SmartID cards for logical access. It is imperative that the IRS move swiftly and surely, doing everything in its power to secure its computer systems.”
The IRS, for its part, disagreed with some of TIGTA’s findings, arguing that the actions the agency has taken are sufficient.
At issue is the implementation and security of the IRS’s two-factor authentication system for accessing computer systems. TIGTA noted that two-factor authentication is a secure approach to verifying employees’ identities on a system and requires the presentation of two identifying factors: something the user knows (a personal identification number) and something the user has (a SmartID card). Two-factor authentication provides significant improvement in computer security in terms of allowing access to systems.
The IRS developed a two-factor authentication system with the required components. However, significant delays prevented the IRS from deploying the new two-factor authentication system as originally planned, TIGTA noted. The IRS originally planned to complete the deployment by September 2011. The deployment is now planned to be completed by July 2013.
In addition, the IRS did not appoint a project manager with the requisite training and experience to lead the Internal Identity and Access Management project, which included the two-factor authentication component. This decision led to numerous issues. The project team did not make adequate progress in some crucial areas, such as developing two-factor authentication for computer administrators, conducting required testing, and completing key documents and processes.
TIGTA reported that usage of the SmartID cards will be further delayed and recommended that the IRS’s chief technology officer direct IRS Labor Relations to notify the National Treasury Employees Union and begin negotiating mandatory use of the SmartID cards. TIGTA also recommended that the assistant chief information officer of cybersecurity at the IRS appoint a certified project manager with the requisite training and experience to lead the Internal Identity and Access Management project and direct the project manager to ensure the required security control assessment is completed, select a method to implement two-factor authentication for administrators, coordinate the activities to ensure all required testing is completed, and complete the required documents and processes that are needed to fully test and evaluate the system.
The IRS agreed with seven of the recommendations and plans to bargain with the National Treasury Employees Union as appropriate on mandatory use of the SmartID Cards, appoint a certified project manager and provide adequate resources to the project, and assign project resources to determine if a viable solution for administrators’ use of SmartID cards exists.
The IRS disagreed, however, with two recommendations regarding the completion of required testing of the new system and stated that testing was completed in accordance with its procedures and additional testing is not necessary.
“The IRS agrees with the general premise of the report that we have not made sufficient progress on implementation of Smart Cards for logical access,” wrote IRS chief technology officer Terence V. Milholland in response to the report. “However, the IRS disagrees with continuing further work related to testing and configuration audits of the Reduced Single Sign On (RSSO) implementation. Testing was completed as established by the Enterprise Life Cycle Project Management Office. In addition, the RSSO implementation is underway with the expected usage of 25,000 IRS users by the end of the year.”
TIGTA said in its report that it remains concerned about the IRS’s disagreement on the issue of testing. The IRS did not conduct the required testing for the most significant part of the two-factor authentication system, which is the part employees will use to authenticate to the IRS network. TIGTA found no evidence that the security, integration, capacity, and performance testing were conducted for this crucial part of the system.
