The Internal Revenue Service had made an executive decision that caused the agency to reduce vulnerability scans on its databases, in defiance of its own formal written policy, for at least three years.
This is the conclusion made in a recent
"The IRS's written policy remained in compliance with National Institute of Standards and Technology guidance and a Department of the Treasury Directive. However, the new strategy to not perform privileged database vulnerability scanning on all the system databases, including the mainframe applications that are considered high-value asset systems, was not compliant with the IRS's formal written policy or federal guidance," said the report.
The IRS's explanation was that it was unable to address the vulnerabilities of all databases in a timely manner.
However, at least in the case of cloud databases, even when a scan was performed, the IRS did not always follow up. The agency tended to rely on vendor-designed reports rather than examining the raw scan data itself, and those reports tended to lack security vulnerability details. TIGTA noted that even these reports were not always reviewed because, depending on the vendor, the IRS was able to download reports in some instances but not others.
"As a result, the IRS inconsistently received or was unable to review vulnerability details from cloud service providers across its FISMA cloud systems. We also determined that the IRS does not receive monthly vulnerability reports," said the TIGTA report.
The inspector general also faulted the IRS for inconsistently patching security vulnerabilities once they were discovered. Patches were applied to some databases but not others. TIGTA noted several specific vulnerabilities, the precise nature of which was redacted in the report, in the agency's Microsoft and Oracle databases.
TIGTA did note that the IRS began increasing its vulnerability scans shortly after beginning this inspection.
TIGTA recommended that the IRS:
- Update the Internal Revenue Manual to reflect the proper security requirements;
- Have its information system security officers develop a formal process for recommending approval or disapproval of policy deviations;
- Perform privileged vulnerability scans on cloud systems when possible;
- Provide oversight to cloud service providers and obtain detailed scan results;
- Create plans of action and milestones for unresolved issues from database vulnerability scans; and,
- Patch or upgrade databases to the latest version, or at least a version within the acceptable risk tolerance.
A final recommendation was redacted.
The IRS agreed with the recommendations.