A recent report from the Treasury Inspector General for Tax Administration (TIGTA), based on a fiscal year 2022 audit of Internal Revenue Service (IRS) cybersecurity arrangements, assigns mostly “ineffective” ratings to the agency’s cybersecurity program, which TIGTA said could put taxpayer data at risk.
TIGTA evaluated IRS progress on cybersecurity according to FISMA (Federal Information Security Management Act) metrics between July 2021 and May 2022. “Along with our review of pertinent documents and discussions with IRS subject matter experts, we based our evaluation on a representative subset of seven information systems and the implementation status of key security controls as well as considered the results of TIGTA and GAO audits,” the IG said.
As a result of that review, “we found that the Cybersecurity program was effective in three and not effective in 17 of 20 Fiscal Year 2022 Core Inspector General Metrics,” TIGTA said.
Based on the review, “we rated the Cybersecurity program as ‘not effective,’” TIGTA said.
“As examples of specific metrics that were not considered effective, TIGTA identified that the IRS could improve on maintaining a comprehensive and accurate inventory of its information systems, tracking and reporting on an up-to-date inventory of hardware and software assets, maintaining secure configuration settings for its information systems, implementing flaw remediation and patching on a consistent and timely basis, and ensuring that security controls for protecting Personally Identifiable Information are fully implemented,” TIGTA said.
“The IRS needs to take further steps to improve its security program deficiencies and fully implement all security program components in compliance with the FISMA requirements; otherwise, taxpayer data could be vulnerable to inappropriate and undetected use, modification, or disclosure,” the IG said.
“The trillions of dollars that flow through the IRS each year make it an attractive target for criminals who want to exploit the tax system in various ways for personal gain,” TIGTA said. “The proliferation of stolen Personally Identifiable Information poses a significant threat to tax administration by making it difficult for the IRS to distinguish legitimate taxpayers from fraudsters.”
“Tax-related scams and the methods used to perpetrate them are continually changing and require constant monitoring by the IRS,” TIGTA continued. “The IRS’s ability to continuously monitor and improve its approach to taxpayer authentication is a critical step in defending the agency against evolving cyber threats and fraud schemes and in protecting trillions of taxpayer dollars.”
Elsewhere in the report, TIGTA found that at least one cloud service provider solution was implemented without going through the proper channels of agency approvals.
“Reviews found that a related cloud service provider’s solution was implemented without an approved agency Authorization to Operate [ATO] letter and without secure contractual services for fraud analysis and detection,” said the watchdog.
An ATO is a certification that a cloud service provider has met certain security standards, which enables agencies to manage the risks the provider’s solution introduces to their networks.
“We disagree with some of TIGTA findings – The IRS continues to make progress deploying secure cloud service and we have a detailed corrective action plan to make additional improvements,” the IRS said in a response included in the report.