GAO comes down hard on Cyberfile; doubts system will work

The Internal Revenue Service has spent millions of dollars on Cyberfile, a system that allows taxpayers to file tax returns over the Internet, but has planned and managed its development so sloppily that there is "little assurance" the system will work as intended, the General Accounting Office reported last week.

At a hearing before the Senate Governmental Affairs Committee last Tuesday, Gene Dodaro, assistant comptroller general in GAO's Accounting and Information Management Division, also said the physical security of the system is so weak that it could be easily compromised. Meanwhile, he said, GAO is investigating whether the IRS and the National Technical Information Service (NTIS), which is building Cyberfile, violated federal procurement laws by sole-sourcing the contract for the project.

Sen. Ted Stevens (R-Alaska), chairman of the panel, said he wants a detailed accounting of Cyberfile and the rest of the Tax Systems Modernization (TSM) program and plans several more hearings on the subject. Although Congress has urged the IRS to maximize electronic filing, Stevens questioned whether likely use of Cyberfile justified its costs.

The $30 million Cyberfile project, begun last summer, would let taxpayers use home computers to transmit their tax returns to the IRS through FedWorld, a World Wide Web site run by NTIS. Although it is now on hold, the IRS had planned as late as December to launch Cyberfile as a pilot program in February, even though the system had not been completed.

As of Feb. 29, the IRS had paid NTIS $17 million to build Cyberfile, according to GAO. But Dodaro said the IRS, in a hurry to bring the system on-line, never finished key planning documents, including a security architecture for Cyberfile; failed to perform a thorough analysis of its weaknesses; and developed no formal process to manage the program. Despite past criticism of its software development practices, Dodaro added, the IRS had not taken steps to guarantee that its contractors were writing code for Cyberfile in a disciplined way.

Rona Stillman, chief scientist with GAO, said the IRS failed to follow recommendations she made last year that the agency establish a disciplined management process for its entire TSM program. The lack of such procedures is one reason why lawmakers have threatened not to fund the $8 billion project next year.

"Cyberfile was a golden opportunity for IRS to prove it understood our recommendations and could do one small system well that taxpayers could see," Stillman said. "Instead, they...built it the same way that larger, older systems had been built."

IRS commissioner Margaret Milner Richardson described, as she has at other recent hearings, steps that her agency is taking to counter its management problems as well as benefits the new technology has already brought to the agency. She did not address GAO's criticism of Cyberfile, except when asked by Sen. Carl Levin (D-Mich.) about how contractors were selected for the project.

Richardson said she was "not aware of any allegations" that vendors were hired improperly. "We have an interagency agreement [with NTIS] for our FedWorld page, and it was extended last year to do Cyberfile," she added.

IRS spokeswoman Jodi Patterson said later that "as for risk analysis and vulnerability of systems, we never intended, nor would we ever go forward, with any system until it works perfectly for us or the customer."

Keren Cummins, who manages FedWorld for NTIS, said NTIS "used a rapid prototyping methodology that is widely used in the private sector," but GAO does not approve of it. She said NTIS needed to use this development method to meet IRS deadlines for the project.

She said NTIS is "comfortable" with the level of security in the system, which sources familiar with the project said is based on encryption offered by Netscape Communications Corp.'s Netscape Navigator and on personal identification numbers. "We used the most advanced security and encryption techniques available that could be used by the public," Cummins said.

Describing a recent GAO inspection of the data center where Cyberfile was being installed, Dodaro described "49 specific violations of good security practice." Among them, he said, were doors without locks or hinges and sprinklers that could be easily set off, ruining computer equipment.

Furthermore, GAO reported, there was no "security awareness" program for Cyberfile, and employees were being told to share passwords. In addition, GAO found no backup computer facilities for Cyberfile and reported that NTIS did not have complete plans for handling a system emergency.

Cummins said GAO visited the Agriculture Department's data center, where the system is housed, while it was still under development. "Those issues were to be, and are to be, resolved prior to turning the service on to the public," she said.

GAO is also investigating whether the IRS, through NTIS, should have used a sole-source procurement under the 8(a) set-aside program for small, disadvantaged businesses to give Digicon Corp., Bethesda, Md., a $4.2 million contract for the project. GAO is also questioning whether NTIS or the IRS selected subcontractors in violation of competition requirements.

Cummins said NTIS considers itself to be the prime contractor on the project and that all its procurements were reviewed by officials in the Commerce Department, of which NTIS is a part. "All of the procedures that we followed were appropriate and were reviewed by our procurement officials and servicing agencies," she said. "Everything was done in accordance with federal law."

GAO specifically challenged 33 purchases that were exempted from normal procurement requirements. Those requirements are based on a law that lets agencies limit or dispense with competition if "the executive agency's need is of such an unusual and compelling urgency" that the government must buy items quickly. The purchases included cellular phones for personnel who were to run Cyberfile; the phones were used for at least two months last year, even though the system was not up and running.

Cummins said the phones were purchased for the people who were developing the system so that they could keep in touch with IRS officials. She said equipment had to be purchased quickly because "once you set a time frame for a project that is a significant investment...and something arises that is going to cause it to miss [a milestone], that introduces significant cost to the government."