The Internal Revenue Service has yet to address more than 100 cybersecurity recommendations made by a federal watchdog, including several that concern basic cybersecurity measures.
According to an audit by the Government Accountability Office released May 13, the IRS hasn’t addressed 114 cybersecurity recommendations from previous audits. In addition, the watchdog made 18 new recommendations, bringing the number of open recommendations to 132.
During the most recent audit, completed Sept. 30, the watchdog found 11 new information security “deficiencies” related to access controls, configuration management and information security management.
The audit evaluated the effectiveness of the IRS’s security controls and followed up on the status of cybersecurity recommendations the GAO had made in September 2018.
Among the 18 new recommendations were four relating to cryptography. They revealed that the IRS was failing to encrypt “certain data” in a system that processes taxpayer data, and that the agency wasn’t enforcing cryptography standards set forth by the National Institute of Standards and Technology.
The IRS now has a total of 24 open cryptography recommendations, having closed just two since the September 2018 report. Encryption of data at rest and in transit is considered a basic tenet of cybersecurity, especially when a system contains personally identifiable information.
“Effectively designed and implemented encryption controls can help prevent unauthorized access and disclosure of information (confidentiality) and detect changes to information (integrity),” wrote Cheryl E. Clark, director of financial management and assurance, and Vijay A. D’Souza, director of information technology and cybersecurity, in a letter sent to IRS Commissioner Charles Rettig.
The IRS also failed to implement multifactor authentication for access to a “certain information system,” they wrote, another basic cybersecurity practice.
“Newly identified and continuing control deficiencies collectively represent a significant deficiency in IRS’s internal control over financial reporting systems. Such deficiencies increase the risk of unauthorized access to, modification of, or disclosure of financial reporting and taxpayer data and disruption of critical operations,” Clark and D’Souza wrote.
The IRS also lacked properly signed authorization-to-operate memos, or other documentation signed by the appropriate official, permitting the use of external systems (systems not owned or operated by the IRS), the watchdog found.
The IRS also reported to the GAO that it had addressed 14 of the 127 recommendations from prior audits, but the GAO found that it had sufficiently corrected only 10 of them.
The IRS concurred with the GAO’s recommendations and told the watchdog that it is “committed” to ensuring the effectiveness of its cybersecurity.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.