When it comes to monitoring third-party tax software providers and paid tax preparers, the IRS has limited jurisdiction and controls in place to protect taxpayer information from cyberattacks, according to a report from the Government Accountability Office released Thursday, May 9.
With 90 percent of tax returns in 2018 filed electronically with the help of paid preparers or software, most taxpayers submit sensitive information to a third party before it reaches the IRS, but requirements like FISMA (the Federal Information Security Modernization Act) are not in place for third parties, and security controls vary.
While the IRS has an authorized e-file provider program that sets security requirements for tax software, it does not outline a set of minimum security standards for paid preparers or the systems of program participants. IRS officials said they don’t have the authority to extend regulations to third-party systems, leading GAO to recommend that Congress take action on that front.
To provide some remedy, the IRS and the National Institute of Standards and Technology (NIST) have worked with the Security Summit – a voluntary group of tax software providers – to establish 140 controls for companies to certify compliance. However, the standards remain voluntary. The Security Summit chose to adopt only some of the controls from NIST SP 800-53, and not all providers have adhered to them. GAO recommended that the IRS include greater security controls for authorized e-file providers to drive adoption.
The e-file provider program also came under scrutiny for not substantially updating security controls since 2010, according to GAO.
“For example, IRS’s current guidance refers to an outdated encryption standard,” the report states. “As a result, IRS and taxpayers have limited assurance that their taxpayer data are protected according to NIST guidelines and industry leading practices.”
GAO recommended that the IRS centralize its oversight of cybersecurity, require software providers to follow NIST SP 800-53, review and update existing security requirements, and improve monitoring of cybersecurity during compliance reviews of authorized e-file providers.
The IRS agreed with three recommendations, including one to review and update requirements for software providers, but disagreed with most recommendations, citing “the lack of clear and explicit authority it would need to establish security requirements for the information systems of paid preparers and others who electronically file returns.”