Two of the Internal Revenue Service's newest modernized computer systems were deployed with known security vulnerabilities that could expose confidential taxpayer information, according to a new
The Treasury Inspector General for Tax Administration said the IRS's Customer Account Data Engine and Account Management Services contain security weaknesses in controls over sensitive data protection, system access, monitoring of system access and disaster recovery.
"The IRS continues to struggle with security vulnerabilities in its modernized systems," said Inspector General J. Russell George in a statement. "It recognizes, as we all do, the inherent risk in any IT system. In the case of the CADE and AMS, the service was aware of, and even self-identified, these weaknesses. This is very troublesome."
TIGTA found that the IRS has established policies and procedures for security and privacy requirements, but did not follow those guidelines during the planning and design phases for both systems. The report also found that IRS officials did not carry out their responsibilities for ensuring the identified weaknesses had been fully addressed prior to deployment.
TIGTA identified some of these vulnerabilities in prior audit reports. To remedy the vulnerabilities, TIGTA recommended several solutions, including that IRS officials consider all security vulnerabilities affecting the overall security of these systems before implementation. IRS officials generally agreed with TIGTA's recommendations.