IRS didn’t obey federal policy when deploying cloud service
The Internal Revenue Service doesn’t have a cloud technology strategy and didn’t adhere to federal government policy when it implemented a cloud service, according to a new report.
The report, from the Treasury Inspector General for Tax Administration, noted that in December 2010, the U.S. government’s chief information officer, Vivek Kundra, directed all federal agencies to move to a “cloud first” policy. However, nearly seven years later, the IRS still doesn’t have an enterprise-wide cloud strategy. Although the agency formed a working group in July 2016 to develop such a strategy, it’s incomplete.
Without a documented enterprise-wide cloud strategy, the report pointed out, there is a significant risk that organizations outside the IRS Chief Information Officer and Information Technology organization could deploy systems that potentially expose federal tax information, with no reasonable assurance that those systems meet federal security guidelines. The IRS could also miss out on the opportunity to deliver public value by increasing operational efficiency and responding faster to the needs of taxpayers.
Instead, the IRS makes do by updating its inventory of cloud systems manually whenever Change Management Requests are submitted. But the inventory doesn’t distinguish between deployed systems and systems in development, nor does it include system ownership and other details.
The IRS also didn’t adhere to some other federal policies on cloud computing. It didn’t comply with guidance from the Office of Management and Budget that agencies use the Federal Risk and Authorization Management Program to conduct risk assessments, perform security authorizations, and grant Authorities to Operate for cloud services.
The IRS started using a public cloud service last year to allow public access to data from certain returns filed on Form 990, Return of Organization Exempt from Income Tax. Tax-exempt organizations, nonexempt charitable trusts and Section 527 political organizations need to file the form to comply with the tax laws.
The Form 990 cloud project, which spanned more than 20 months, was implemented with limited input from the IRS Information Technology organization. In October 2015, the IRS’s Tax Exempt and Government Entities Division discussed the Form 990 project with the IRS’s associate chief information officer for enterprise services. However, the Tax Exempt and Government Entities Division wasn’t told to appoint an authorizing official, generate an Authority to Operate letter, or incorporate service level agreements within the cloud service user agreement.
TIGTA recommended the IRS’s chief information officer make a priority of completing an enterprise-wide cloud strategy in accordance with federal guidance. The IRS should also ensure the process of managing its various cloud applications is formalized using automated methods and updated on a periodic, ongoing basis, the report suggested. The IRS should also designate an authorizing official, complete a Federal Risk and Authorization Management Program Security Assessment Report, and issue an agency-specific Authority to Operate letter for the Form 990 cloud service, according to the report. In addition, the report recommended the IRS ensure the Form 990 cloud service includes a service level agreement.
The IRS agreed with two of TIGTA’s recommendations, partially agreed with one suggestion, and disagreed with one of the other recommendations. The IRS didn’t agree with TIGTA’s recommendation that service level agreements were necessary for the Form 990 cloud service because its data is meant for public access.
The IRS plans to have a strategy in place by October. “Developing an enterprise-wide cloud strategy is of critical importance to the Internal Revenue Service,” wrote IRS Chief Information Officer S. Gina Garza in response to the report. “We have established a cross-functional team to formulate, socialize and publish an enterprise-wide strategy with a planned delivery date of October 2017. Additionally, we have documented policy that defines security controls for IRS Cloud Computing Systems.”