The IRS is scrambling to plug IT security gaps after a Treasury watchdog found that the tax agency has done a bad job in making sure its computer systems aren’t vulnerable to cyberattacks that could steal or otherwise compromise sensitive taxpayer information.
Federal laws require all federal agencies to identify IT security vulnerabilities, create plans to fix the gaps, and then document the resolution of the problem.
But of the 12,089 remedial plans that were created and earmarked for implementation, the IRS has failed to finalize 2,555, with efforts to complete them still ongoing.
Litany of Failures
The plans have eight different status categories: accepted, canceled, completed, draft, duplicate, in-progress, late, and validated.Of the 12,089 corrective plans that were supposed to be completed, more than 500 had a “late” classification, including 23 with risk severity ratings of “critical” or “high.” Of those 23, four relate to security vulnerabilities that were identified as far back as six years ago.
Business units within the IRS were also found to not be creating corrective plans in a timely way or failing to enter the required information needed to generate the plans. The worst-performing business units—those with the highest percentage of late and noncompliant plans—didn’t have any internal management processes for handling the corrective action plans.
“Finally, the IRS is not accurately identifying and tracking resources required to resolve information security weaknesses,” the watchdog wrote.
While the IRS completed remediation efforts for 3,139 corrective action plans between 2018 and 2022 at a cost of $134.5 million, the watchdog faulted the agency for failing to reevaluate the estimated budget and update it with actual costs during the closure process.
The watchdog recommended that the IRS determine its best business unit practices for IT security and, on that basis, develop an agencywide process for fixing security gaps. It also recommended that the IRS prioritize its staffing and resource allocations to better address information system vulnerabilities and tighten its budgeting for remedial action.
The IRS stated that it agrees with the watchdog’s findings, blaming staffing shortages and acknowledging that it had failed to keep pace with increasing workloads.
“The IRS is committed to fully and effectively addressing information technology security weaknesses,” Kaschit Pandya, IRS acting chief information officer, said in a written response to the findings.
It pledged to take a series of steps to bolster IT security, including increasing staffing in problem areas and seeking input from key stakeholders on how to most effectively narrow the gaps.
“We expect these efforts will help reduce risk, ensure system integrity, and maximize system availability for taxpayers,” Mr. Pandya wrote.
The IRS stated that it hopes to use some of the $80 billion in additional funding under the Inflation Reduction Act to address IT security weaknesses.
IRS Loses Track of Millions of Sensitive Records
A review by TIGTA of how the IRS stores old tax records faulted the tax agency for being careless in how it handles sensitive taxpayer information that could be used by criminals to commit identity theft and tax fraud.“The IRS is not in compliance with records management requirements,” the Aug. 8 report reads.
The watchdog pointed to “significant deficiencies” in the way the IRS safeguards, stores, and accounts for microfilm cartridges that are used to back up and store photographic records of business and individual tax information.
“Deficiencies result in the inability of the IRS to account for thousands of microfilm cartridges containing millions of sensitive business and individual tax account records,” the watchdog said in the report.
In one case, at a facility in Ogden, Utah, the IRS lost track of as many as 168 microfilm cartridges containing up to 2,000 photographic images each that were supposed to have been held in seven boxes that the watchdog discovered were empty.
In another, at a facility in Kansas City, Missouri, the tax agency was unable to account for 9,500 cartridges, putting the potential number of missing images of sensitive business tax account information at 19 million.
As in the case of IT security weaknesses, the watchdog issued a series of remedial recommendations, including that the IRS should carry out a detailed inventory of all microfilm cartridges it has in its possession—as well as those that are missing or discarded—and ensure that the cartridges are properly stored and preserved.
The IRS mostly agreed with the findings and recommendations while blaming long-term underfunding and staff attrition for the problems.
