IRS IT leaders didn't know about $7M Equifax award
IRS CIO Gina Garza told Congress that she and other tech officials at the tax agency did not sign off on a $7 million contract awarded to Equifax a month after the credit monitoring firm disclosed a massive data breach.
The CIO for the Internal Revenue Service told a congressional panel Oct. 4 that she learned of a $7 million contract awarded to Equifax for fraud prevention and e-authentication "this morning" and did not sign off on the award.
The contract, made public late in the afternoon on Saturday, Sept. 29, was awarded less than one month after the credit monitoring agency disclosed the largest data breach in modern history, where as many as 145 million Americans had their personally identifiable information exposed.
Jeff Tribiano, deputy commissioner for operations support at the IRS, said he also did not sign off on the contract and pointed the House Ways and Means Committee to IRS chief procurement officer Shanna Webbers as the individual with the authority over such matters.
As Tribiano explained to the committee and FCW learned from contracting documents, the award to Equifax was made as a kind of extension or bridge to connect the scheduled conclusion of a previous IRS contract held by Equifax. That contract was re-competed and Equifax lost and protested. That protest is scheduled to be decided Oct. 16 by the Government Accountability Office.
The protest, filed in July, forced the agency to use a bridge contract with Equifax or stop the services until the protest was resolved.
A GAO source said that Experian was the winning bidder.
Rep. Jackie Walorski (R-Ind.) wasn't convinced by explanations from IRS tech officials.
"This is an abject failure," said Walorski. "Frankly the IRS should not be in a position to have major IT acquisitions happening without [leadership] knowing."
Garza said a review of every IRS application determined that taxpayer information was protected, though they did find about 209,000 social security numbers that were identified as being at higher risk. When asked if the IRS had informed the owners of those social security numbers that they were at risk, Garza referred the question to Equifax.
Dave Powner, director of IT management issues at the Government Accountability Office, said current laws, such as the Federal Information Technology Acquisition and Reform Act, have provisions which specify that agency CIOs approve their IT budget and major IT contracts.
That's a provision in the law, and I can tell you right now that was put in there because of this stuff that's happening," said Powner. "There's walls between these organizations, and if we would simply approve major IT contracts by CIOs, it would help solve this problem."
The committee also delved into IRS success in modernizing its IT systems, which are some of the oldest in the federal government.
Danny Verneuille, assistant inspector general for security and information said the IRS dedicates about $500 million of its $2.9 billion per year IT budget on modernization efforts, while Powner pegged the amount at $800 million.
While he called that number "nowhere near ideal," Powner questioned whether the IRS was getting enough return with their current investments, pointing to their number one modernization priority, CADE2, as an example. Despite being under development since 2009 and spending a combined $290 million on updates in 2016 and 2017, the IRS currently has no planned completion date for the system. It was originally supposed to replace the IRS' main tax filing system, the Individual Master File, which has been in use since the 1960's. While the agency does a good job keeping their old systems running during filing season, relying on antiquated systems for the nation's primary source of revenue is" highly risky."
"Our main concern is that we don't see a solid plan with realistic costs and milestone to replace [the Individual Master File]," said Powner, later adding: "We're spending significant money here and we are not delivering at an acceptable rate."
When asked what the timeline and costs for replacing IMF were, Garza said the agency can deliver a system replacing IMF in five years if they can get 50 to 60 new employees, the restoration of direct hiring authority that lapsed in 2016 and an additional $85 million a year.
Chairman Vern Buchanan (R-Fl.) said he was reluctant to support those requests until IRS articulates a long term plan for modernization.
"We need to have a vision and plan in terms of this space…before I'd be willing to commit any dollars, because I'd like to see what the return on that investment would be," said Buchanan.
Verneuille also said that the IRS currently has no timetable for implementation of a cloud strategy.
Representative Dave Schweikert (R-Ariz.) asked why the agency had such difficulty moving its applications to the cloud nearly a decade after then federal CIO Vivek Kundra made cloud-first the official policy of the U.S. government.
Garza pointed to the agency's Infrastructure-as-a-Service portal and its enterprise storage capabilities as examples of the agency's cloud adoption in recent years.
"Although we do not have a cloud strategy documented, we have for the last several years been taking on elements of a cloud strategy," said Garza.