The Internal Revenue Service has over 120 unaddressed IT security recommendations from the Government Accountability Office, over 80 percent of which are from previous audits, according to a July 18 report.
In the GAO’s fiscal year 2018 audit of the IRS, the watchdog agency identified 14 new security control shortfalls relating to the tax collector’s IT security and issued 20 new recommendations.
Overall, the GAO found that the IRS had 127 unaddressed IT security recommendations. Ninety-three of those recommendations pertain to access controls, such as authentication and encryption. Of those 93, 82 are left over from prior audits.
Eight of the 14 security shortfalls identified by the GAO relate to access management, while an additional four weaknesses pertain to configuration management. The final two shortfalls pertain to segregation of duties and a contingency plan deficiency.
The GAO said that the deficiencies it identified were not great risks, but needed to receive attention.
“We identified ongoing and new information system security control deficiencies that while not collectively considered a material weakness, were important enough to merit attention by those charged with governance of IRS and therefore represented a significant deficiency in IRS’s internal control over its financial reporting systems,” the GAO wrote.
The IRS lacks several security measures meant to protect critical agency data from unauthorized use. The GAO found that the agency didn’t use multifactor authentication for access to certain agency applications, a violation of policy from the Office of Management and Budget. It also didn’t enforce requirements for electronic signatures and password resets.
The GAO also identified specific IRS shortfalls in its use of encryption to protect confidential information. The GAO report found the IRS did not encrypt certain servers or its email service, and did not enforce specific encrypted database connections.
In total, there are 36 open recommendations regarding identification and authentication, and 22 encryption recommendations.
The watchdog also found that the IRS wasn’t properly updating or upgrading out-of-date software, and wasn’t implementing “mandatory” access controls.
“Effective configuration management provides reasonable assurance that systems are operating securely and as intended,” the report found.
The IRS also did not have a sufficient contingency plan for its email, with only one person assigned to administering it, the GAO wrote.
“Without effective information system security controls, computer systems are vulnerable to human actions committed in error or with malicious intent,” the GAO wrote. “People acting with malicious intent can use their access to obtain sensitive information, commit fraud and identity theft, disrupt operations, or launch attacks against other computer systems and networks.”
Last year, the IRS told the GAO that it had taken “corrective action” on 87 of 154 of the watchdog’s recommendations from previous audits. But during its audit of the 2018 fiscal year, the GAO found that the IRS had only “effectively addressed” 43 of the 87 recommendations the IRS said it had addressed.
“Financial reporting and sensitive taxpayer data on IRS computer systems will remain vulnerable until the agency addresses the deficiencies for which we previously made 107 recommendations, as well as the 20 new recommendations,” the GAO wrote.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.