IRS Needs to Implement an Enterprise Cloud Strategy

Published: August 17, 2017

Cloud ComputingCybersecurityIRSTREASWaste, Fraud, and Abuse

The Treasury Inspector General for Tax Administration (TIGTA) is faulting IRS for not having an enterprise-wide cloud strategy, which heightens risk of data exposure and gives no clear guidelines for offices seeking to deploy cloud solutions.

TIGTA conducted an audit with the IRS to review its enterprise-wide cloud strategy and implementation progress. However, TIGTA found that the IRS had no enterprise-wide cloud strategy. Without a clearly documented cloud strategy, IRS may deploy solutions that do not meet federal security guidelines and that could potentially expose federal tax information. 

IRS did form a working group in July 2016 to develop a strategy, but to date, it is not complete and there is no timeline in place for completion.  Additionally, IRS inventories of cloud systems are compiled manually and lack key information regarding the system, such as its stage of development and the owner.

TIGTA also found that IRS began using a public cloud service in 2016 to publish information on returns from organizations that are exempt from income tax (Form 990).  The Form 990 cloud project was implemented with little involvement from the IRS IT organization.  This project did not comply with OMB guidance for agencies to use FEDRAMP to conduct risk assessments, perform security authorizations, and grant Authorities to Operate (ATOs) for cloud services. 

This is not the first time TIGTA has criticized IRS for lax practices around cloud systems. TIGTA advised IRS that better-defined service level agreements and objectives are needed to shore up data security for its Enterprise Storage Acquisition contract awarded to Unisys in 2012. Also, in an audit published in the fall of 2016, TIGTA found that the IRS had spent $12M on an enterprise-wide cloud-based email system in an attempt to comply with requirements for preservation of staff emails, but the system did not integrate well with the agency’s existing IT environment.

In this most recent cloud audit, TIGTA recommends the CIO do the following:

  • Prioritize and complete an enterprise-wide cloud strategy in alignment with federal guidance
  • Ensure that the process of managing the IRS’s cloud inventory is formalized using automated methods and updated on a periodic and ongoing basis
  • Designate an authorizing official, complete the FEDRAMP Security Assessment Report, and issue an agency-specific Authority to Operate letter for the Form 990 cloud service
  • Ensure that the Form 990 cloud service includes a service level agreement

The IRS agreed with two recommendations, partially agreed with one recommendation, and disagreed with the last recommendation. The IRS did not agree with the recommendation that service level agreements were necessary for the Form 990 cloud service because its data are meant for public access.