TSM on the ropes

Ten years into its development, Tax Systems Modernization is "in serious jeopardy" and could fail unless the Internal Revenue Service substantially improves its network security design and systems architecture, develops performance metrics and upgrades the technical skills of its information management staff, the National Research Council (NRC) reported last month.

"While making management progress...the IRS has had serious technical capability problems that, in the committee's view, cast doubt on the overall success of TSM if they are not solved," charged the NRC panel that was commissioned by the IRS to review the $8 billion program.

The panel studied TSM for five years, issuing a series of reports that raised similar questions, but this final report offers the most detailed criticism of the program to date.

Separately, the Office of Management and Budget said last month that TSM would be the first program to which it will assign its new Presidential Technology Team (PTT), a group of the government's top information technology experts who work directly on the project for six to 18 months. Asked whether the team was being assigned to TSM because the program needs saving, Bruce McConnell, chief of information policy with OMB, said, "Obviously this is a high-visibility program, and a combination of techniques needs to be tried to ensure success," but "this is an innovative idea, and IRS has been a leader in trying innovative ideas."

IRS deputy commissioner Michael Dolan said his agency had asked OMB if there was a way to get experienced federal IT managers to help with TSM.

"That happened to coincide" with OMB's plans to launch the PTT, he said.

Dolan added that the PTT is one of several ways the IRS will answer a major complaint in the NRC report: The IRS "has a serious shortage of competent technical management talent," which has hampered its ability to integrate its systems modernization plans with new business processes.

Among the most serious problems facing TSM is a lack of attention to security controls needed to prevent IRS networks from being penetrated by hackers or by unscrupulous insiders, the NRC said. TSM needs better security defenses than other agencies, according to the study, because its systems "are major targets for highly skilled and dedicated citizen hackers who see the IRS as a legitimate target for information warfare."

The report said that while the IRS has sufficient security policies, the NRC panel "could not identify an adequate set of security specifications" for each TSM project and that the agency has not made available any overall security model or technical framework.

Meanwhile, the report continued, "given the threat and the large body of evidence of network password theft and misuse," the IRS needs to institute better methods for authenticating system users than the single sign-on password scheme it has planned.

Jim Robinette, systems architect with the IRS, said a new security architecture for the agency is now in its final stage of review and that the IRS is testing new encryption and authentication techniques to control access to its networks. "We have done it properly this time," he said.

"Before, we didn't develop a vision of where we wanted to be at the end of TSM. The next step is the difficult part.... We have to do it," he said.

IRS spokesman Frank Keith said, "In the past we've responded aggressively to issues that have been raised, and I think we'll take whatever steps are necessary" to address the NRC's concerns. "Even though we believe we've made significant progress, we certainly recognize the magnitude of what lies ahead for us, and we take their recommendations very seriously."

More Than One Weak Spot

Other weaknesses the NRC noted include the absence of a clear systems architecture, the lack of a comprehensive plan for managing telecommunications throughout the agency and a need for performance metrics that reflect how the systems will meet users' business objectives. The IRS, in its update, said the recent award of the Treasury Communications System contract would enable the agency to complete its telecommunications systems architecture, adding that it has drafted a "high-level" view of its overall design plan and is currently modeling TSM performance measures.

Meanwhile, the IRS said that at the NRC's suggestion, it would highlight one or two programs in its fiscal 1997 budget "to deliver business value to field operations and also serve as a proving ground for future systems development efforts." The agency did not say which programs it would choose, but the NRC recommended the IRS target its Integrated Case Processing System, a collection of applications designed to increase the efficiency with which the agency deals with individual taxpayers.

The NRC report said ICP "forms the basis for the 'modern' IRS" and would make use of two of the highest-profile TSM systems: the Document Processing System, for imaging paper returns, and electronic filing.