Auditors: IRS slow to fix security weaknesses

TIGTA and GAO report that the tax agency continues to put confidentiality and access to an increasing volume of taxpayer data at risk.

The Internal Revenue Service implemented its Modernized e-File System with known security vulnerabilities, which has jeopardized the security and privacy of an increasing volume of taxpayer information, the Treasury Inspector General for Tax Administration said in a report released today. The vulnerabilities are related to system access, monitoring system activities, disaster recovery and protection of sensitive data.

The Modernized e-File System will eventually provide a single method for filing all corporate and individual tax returns, information returns, forms and schedules over the Internet, TIGTA said. The IRS is developing the system incrementally and expects to complete it in 2020 at a cost of $673 million to develop, operate and maintain it.

The service has established appropriate system development policies and procedures that require security and privacy safeguards to be designed into the early phases of a system’s development life cycle, the report said. However, the MeF project office did not prevent or resolve known security weaknesses before rolling out the system and the accompanying Modernized Tax Return Database of accepted returns and extensions, TIGTA said. The IRS carried the vulnerabilities over through multiple system milestones and from release to release. Despite the vulnerabilities, the IRS certified and accredited the system as secure, as the Federal Information Security Management Act requires.

“We believe that the lack of attention to security controls during developmental phases can be traced to other business requirements, filing season pressures, and deployment demands. These concerns have taken precedence over security concerns, and executive-level management was not adequately engaged to ensure that security needs and requirements were being implemented,” Russell George, TIGTA’s inspector general, said.

TIGTA identified some of the same security vulnerabilities in previous reports about IRS modernization projects, including a report in September 2008 on Customer Account Data Engine and Account Management Services. The MeF, CADE and AMS projects are the foundation of the IRS Business Systems Modernization program, George said.

"The IRS continues to struggle with security vulnerabilities in its modernized systems while at the same time trying to provide effective and efficient service to taxpayers," he said.

Among its recommendations, TIGTA said the IRS should resolve all security vulnerabilities that affect the overall security of these systems before implementation. Although the IRS agreed with TIGTA’s recommendations, its corrective actions focus more on continuing to follow existing processes or strengthening current processes than on making sure that security weaknesses are corrected before deployment, George said.

The IRS has fixed nine of the 13 vulnerabilities since completion of the audit, the report said.

In response, the IRS said that data security and taxpayer privacy are of “paramount importance.”

“In managing our large scale information technology programs, we are constantly re-evaluating our approach and mitigating risks,” said Terence Milholland, the IRS’ chief technology officer. He disagreed with TIGTA’s classifying the report for public dissemination, saying it “poses unnecessary and unacceptable risks to our national tax system and economic infrastructure.”

In another report, the Government Accountability Office also found that the IRS was slow to fix security weaknesses. Although the IRS has made some progress, it has fixed or mitigated only 49 of the 115 vulnerabilities it is monitoring, GAO said in a report released Jan. 9.

The IRS has established controls over major financial systems and developed a framework for its agencywide information security program. But a major reason for IRS’ slow progress is that it has not yet fully implemented its agencywide information security program to make sure that controls are appropriately designed and operating effectively, said Gregory Wilshusen, director of GAO’s information security issues.

For example, the IRS did not consistently implement controls that would help to prevent, limit and detect unauthorized access to its systems and information, such as enforcing strong password management, limiting authorized user access to sensitive information and encrypting certain sensitive data, he said.

“Until these weaknesses are corrected, the agency remains particularly vulnerable to insider threats, and IRS is at increased risk of unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as inadvertent or deliberate disruption of system operations and services,” Wilshusen said.

In addition to correcting the outstanding security vulnerabilities, the IRS should annually review the risk assessments for its computer systems and implement steps to improve the scope of its testing and evaluating information security controls, Wilshusen said.

IRS Commissioner Douglas Shulman agreed with GAO’s recommendations and said he would provide details for correcting the security weaknesses.

The TIGTA report, Internal Revenue Service Deployed Modernized e-File System With Known Security Vulnerabilities, can be found at
www.treas.gov/tigta/auditreports/2009reports/200920026fr.pdf. The GAO report, Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS, is at www.gao.gov/cgi-bin/getrpt?GAO-09-136.