The Treasury Inspector General for Tax Administration said the IRS, while generally diligent in its use of the Cyber Security Assessment and Management application (run by the Department of Justice and used by other federal agencies), could improve its reviews of suspicious activity in the logs and encourage more internal controls.
The
TIGTA inspectors said they requested audit log summary reports from September through November 2022 and the IRS could not provide seven out of 13 that should have been there. Further, the IRS did not provide any evidence that written responses were provided to the DOJ regarding the IRS review of the audit log summary reports. While the IRS told inspectors it meets weekly with the DOJ to communicate cybersecurity issues, TIGTA said the service did not have any official agendas or minutes from them.
TIGTA also faulted the IRS for the reports it did produce, saying it reviewed and compared one of the six user audit log summary reports that the agency received from the DOJ to the actual CSAM user application logs to determine if the summary of user failed logon attempts matched the actual failed logon attempts. The user audit log summary report had six users with failed logon attempts, ranging from three to seven failed attempts. The review found discrepancies with two of the six users after comparing the audit log summary reports to the CSAM user application logs.
Specifically, in one case, the access date reported on the audit log summary report did not match the actual CSAM user application log. In another, the audit log summary report showed only seven logon attempts, while the CSAM user application log showed the user made eight attempts.
"Due to the IRS's inability to provide documented evidence to support it reviews logs and the missing weekly audit log summary reports, we concluded that the IRS is not reviewing the audit logs for suspicious activity on a weekly basis," said the TIGTA report. "The IRS cannot fully determine whether documented events are legitimate and not suspicious without reviewing the audit logs."
Beyond this, TIGTA also faulted the IRS over failure to adequately separate duties, as CSAM system administrators with administrator privileges are reviewing their own audit logs. The IRS stated that it allowed CSAM administrators to review audit logs because system administrators are categorized as security specialists. Also, the DOJ Information System Security Officer reviews all CSAM audit logs, and a report of suspicious activity is generated for IRS administrators to investigate. TIGTA disagreed with the IRS's position.
"Although CSAM system administrators are categorized as security specialists, these employees are conducting system administrator's duties in administering, maintaining, and operating the CSAM which allows administrators to create users and enable or disable access to the CSAM," said the report. "The separation of roles and responsibilities ensures that no one person has the authority or ability to circumvent checks and balances. Enacting this control prevents the potential misuse of administrator privileges in reviewing the system logs or audit reports that could alert an independent reviewer of potential system misuse,."
TIGTA recommended the IRS's chief information officer 1) ensure the CSAM audit logs are reviewed weekly and the results of review are documented; 2) ensure the CSAM system security plan is updated to include clarification for security specialists to review audit logs; 3) create a risk-based decision accepting the risk for allowing accounts to remain on the CSAM after 365 days of inactivity; and 4) coordinate with system owners to ensure that plans of action and milestones with identified weaknesses are updated in the system security plans.
The IRS agreed with two recommendations and stated that weekly audit log reviews are documented and archived, and the information system security officer is included in the weekly review of audit logs. The IRS stated it has processes in place for the two remaining recommendations and requested that TIGTA consider them resolved.
