The Internal Revenue Service (IRS) wants to expand its use of authentication services that employ the Login.gov sign-on service developed by the General Services Administration (GSA), but the Treasury Inspector General for Tax Administration (TIGTA) said in a July 23 report that IRS is facing security hurdles in that process.  

A recent TIGTA report said that while the IRS has done well with analyzing Login.gov’s FedRAMP security package and those results were accepted by the Login.gov authorizing official, “this acceptance was made with the understanding that system flaws would be monitored and mitigated at the appropriate time.” 

“Additional security controls need improvement,” TIGTA said, adding that “the IRS does not have consolidated guidance, but rather various policies and related documents requiring CSPs [credential service providers] to capture audit trail requirements for IAL2 applications. In addition, the policies and related documents do not include all audit trail, including investigative, data elements.” 

Login.gov is a single sign-on tool for U.S. government services that enables users to log in to numerous government agencies’ services using the same username and password.  

The IRS plans to use the government-operated identity tool as a method for taxpayers to verify themselves online for IRS identity assurance level (IAL) 2 applications – verification processes requiring a higher level of assurance. The IRS has been using Login.gov for IAL1 applications which require low levels of assurance.  

TIGTA said that the CSP baseline requirements are currently missing key elements specified in its audit trail needs document, resulting in security concerns.  

The report says that despite TIGTA’s warnings about using Login.gov for IAL2 applications, the “IRS continued planning efforts and expending resources, e.g., personnel and funds, to evaluate implementing Login.gov” for these applications.  

“Security concerns raised by IRS leadership and TIGTA’s Office of Investigations about Login.gov have not been fully resolved by the GSA,” the report reads. “This means that the IRS is investing in evaluating a system that may still have unresolved security issues, potentially putting their applications at risk.” 

The report also says that the IRS inconsistently completed and submitted continuous monitoring reports – ongoing security review processes – for Login.gov after it was authorized to use it as a CSP in November 2022.  

A continuous monitoring report in January 2023 said that over 600,000 users authenticated during this period and a “critical vulnerability” occurred resulting in sending personally identifiable information (PII) to unauthorized locations outside of the U.S. through a Login.gov vendor. This was not promptly reported to the authorizing official responsible for the system’s operation, according to TIGTA. 

Login.gov in May 2024 stated that some users’ information, including users accessing IRS applications at the IAL1 level, may have been sent to a Login.gov vendor, but there is no conclusive evidence.  

TIGTA provided recommendations to the IRS chief information officer (CIO) to address this in the future, including ensuring that current continuous monitoring security review guidelines are followed each month and reports are submitted in a timely manner, and that IRS management works with Login.gov to assess the extent and impact of the possible PII share. 

Other security improvement recommendations provided by TIGTA include that the CIO update Data Integration and Reporting Applications guidelines to include a review process for accuracy; develop and update consolidated guidance for all audit trail data elements and ensure all audit trail data elements are captured and provided to Login.gov before its CSP services are used for higher identity assurance applications; and ensure that FedRAMP guidelines and report templates are updated to include essential report elements.  

IRS CIO Rajiv Uppal agreed with all recommendations and said that the IRS has “already begun to address deficiencies.” 

Weslan Hansen
Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.