TIGTA faults IRS cybersecurity program on 3 out of 5 metrics

The Treasury Inspector General for Tax Administration said the IRS cybersecurity program should not be considered fully effective, as three out of five of the criteria outlined in the agency's framework were considered to be "not at an acceptable maturity level."

The recent report, released Monday, noted the IRS cybersecurity program has three different function areas:

• Identify (developing an organizational understanding to manage cybersecurity risks to systems, assets and capabilities);
• Protect (developing and implementing appropriate safeguards to ensure delivery of critical services);
• Detect (developing and implementing appropriate activities to identify the occurrence of a cybersecurity event)'
• Respond (developing and implementing appropriate activities to take action regarding a detected cybersecurity event); and
• Recover (developing and implementing appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due a cybersecurity event).

TIGTA said that while the "respond" and "recover" components were effective, it faulted the IRS on the "identify," "protect" and "detect" aspects.
"As examples of specific metrics that were not considered effective, TIGTA found that the IRS could improve on maintaining a comprehensive and accurate inventory of its information systems; tracking and reporting on an up-to-date inventory of hardware and software assets, ensuring that its information systems consistently maintain baseline configuration in compliance with IRS policy; implementing flaw remediation and patching on a timely basis; encrypting to protect data at rest; and implementing multifactor authentication on its facilities and network," said the report.

The IRS disagreed with the inspector general's assessment. In particular, it said it has greatly improved the auditability of events, noting it has gone from 953 million audit trail events last year to 2.3 billion this year. TIGTA disagreed with the IRS's disagreement, and said on this particular point it had done a separate inspection and still felt it came up short, adding that it plans to release a report on its findings in September.