The Treasury Inspector General for Tax Administration (TIGTA) gave the IRS mixed reviews on its technology program, pointing out several areas where it has performed well and other places where it performed poorly. TIGTA performed its
The review found several positives. For instance, when it came to overseeing the Child Tax Credit change that was implemented during the pandemic, TIGTA determined that most required security controls were implemented, including 37 security controls and enhancements specific to the IRS and the National Institute of Standards and Technology. For the portal itself, the inspection found 78% of applicable security controls from eight security families had been successfully implemented.
At the same time, the report also pointed out several major issues with the IRS's program. One is that sometimes security controls had not been implemented at all, or only partially implemented. For instance, in its review of the assessment and implementation of the media protection controls applicable to the Secure Access Digital Identity system (SADI), only one (11%) of nine media protection controls was implemented. Eight (89%) of the media protection controls were not implemented per agency requirements. It also noted that the agency lacks continuous monitoring for its cloud computing security posture, which it said was a critical oversight. If it had performed such monitoring, it may have discovered that 17% of users with access to the Taxpayer Digital Communication system had access to the Business Entitlement Access Request System without authorization (the IRS is currently working to address this issue).
However, TIGTA also pointed out that when the IRS does remediate or implement security controls, it does not always do so promptly. For instance, the inspectors found that the IRS did
not fully implement privileged access scanning for required devices. According to personnel in the IRS's cybersecurity
function, the Enterprise Vulnerability Scanning group uses either scanning agents or remote credentialed scans to conduct privileged access scanning.
Further, the IRS is not remediating vulnerabilities on a timely basis in accordance with the IRM's required time frames. Similarly, TIGTA was informed of a database vulnerability in October 2021; by March 2022, the vulnerability had still gone unpatched.
For the SADI system in particular, TIGTA found 484 (44 unique) critical vulnerabilities spread across 11 production servers that exceeded the IRS policy of 30 calendar days for remediation; 6 unique high vulnerabilities spread across two production servers that exceeded the IRS policy of 90 calendar days for remediation; and two unique medium vulnerabilities impacting one production server that exceeded the IRS policy of 120 calendar days for remediation.
TIGTA also faulted the IRS for documentation and authorization issues when it came to information technology. For instance, TIGTA reviews found that a related cloud service provider's solution was implemented without an approved agency Authorization to Operate letter and without secure contractual services for fraud analysis and detection.
TIGTA also said the IRS was not adequately monitoring insider threats. During the audit, the IRS was initially unable to provide an accurate number of systems with federal tax information and personally identifiable information. Following further requests in January 2022, TIGTA obtained a list from the Enterprise Security Audit Trails team in March 2022 that contained 365 systems. However, in May 2022, the Enterprise Security Audit Trails team reviewed the accuracy of the number and naming conventions of the systems on the list and provided an updated list that contained 351 systems. Inspectors reviewed the list of systems and determined that 234 (67%) of 351 systems with federal tax information and personally identifiable information were missing from the UBAC inventory and were not subject to user behavior analysis.
"Overall, the IRS needs to ensure that it continues to leverage viable technological advances as it modernizes its major business systems and improves its overall operational and security environments," said the TIGTA report. "While the IRS continues to make progress in many information technology areas, additional improvements are needed. Otherwise, weaknesses within the IRS's computer operations could begin to adversely affect its ability to meet its mission of helping taxpayers comply with their tax responsibilities and enforcing the tax laws with integrity and fairness to all."
