The IRS should continue improving its electronic authentication security controls to better protect public-facing applications, the Treasury Inspector General for Tax Administration (TIGTA) said in a report last week.
TIGTA analyzed the IRS's 52 public-facing applications and found that 26 of them did not meet the electronic authentication levels of assurance required under the older National Institute of Standards and Technology (NIST) guidelines, NIST Special Publication 800-63-2.
TIGTA pointed out that NIST overhauled those guidelines in June 2017 with the publication of Special Publication 800-63-3, which replaces the single level-of-assurance scale with separate identity, authenticator and federation assurance levels. According to TIGTA, the Office of Personnel Management expects agencies to adhere to the changes within one year of publication, yet none of the 52 IRS public-facing applications had adopted the updated requirements at the time of the review.
However, TIGTA acknowledged that the IRS did make some progress in addressing the risks. As of April 2018, for instance, the IRS had brought 14 high-risk and eight moderate-risk applications into compliance with the old NIST guidelines. It also provided training on the new guidelines in August 2017 and is currently developing a compliance plan.
The IRS also established the Electronic Authentication Risk Assessment Compliance Initiative to help secure its applications, and it has continued to mitigate the risks of using Short Message Service (SMS) text messages as part of the authentication process. The SMS point matters under the new guidelines: NIST SP 800-63B designates out-of-band authentication over the public switched telephone network, which includes SMS one-time codes, as a restricted authenticator because of risks such as SIM swapping and message interception. TIGTA said both moves show progress toward stronger security.
Despite these improvements, TIGTA said it is imperative that the IRS secure electronic authentication on its public-facing applications because they hold personal and tax return information.
“These applications collect, process, and store large amounts of Personally Identifiable Information and tax return data,” TIGTA said. “Because this information is considered extremely valuable, the IRS has become a target of criminals and identity thieves.”
In light of the report’s findings, TIGTA recommended that the IRS CIO ensure that public-facing applications are compliant with the newer NIST guidelines, and that the agency develop an implementation plan with specific timelines for reaching full compliance.
The IRS partially agreed with the recommendation. TIGTA expressed concern that the IRS response did not include an implementation plan, and noted that "the completion date proposed by the IRS will leave it noncompliant with the NIST guidelines until February 2023."