Cyber Concerns at the IRS

Published: August 14, 2024


A pair of reports from the Treasury Inspector General for Tax Administration (TIGTA), the tax agency's oversight body, identified security control weaknesses in the IRS implementation of Login.gov as well as "Not Effective" ratings for the IDENTIFY, PROTECT, and DETECT cybersecurity framework functions.

The two reports, released late last month by TIGTA, identify the areas of cybersecurity the agency must focus on. The first report concentrated on the IRS' progress toward its planned expanded use of Login.gov.

Specifically, TIGTA found that additional security controls must be in place before the IRS expands Login.gov to Identity Assurance Level 2 (IAL2) applications for taxpayer identity verification services. The IAL determines how much identity proofing a user must undergo before a credential is issued: IAL1 requires no identity proofing, while IAL2 requires the identity to be proofed and verified. Currently, the IRS uses Login.gov (the government-owned single sign-on trusted identity platform) only on IAL1 applications, including the Form 990-N Electronic Filing System and the Foreign Account Tax Compliance Act-Qualified Intermediary System. Note that after encountering issues implementing Login.gov for the Direct File pilot and FOIA requests, the IRS elected to use ID.me as the identity verification mechanism for those applications in order to meet IAL2 requirements.

The IRS watchdog found that the agency has no consolidated guidance telling credential service providers (CSPs) which information to record and which audit trail requirements to meet for IAL2 security controls. Moreover, continuous monitoring security reviews of Login.gov were not conducted in a timely and consistent manner. Because those reviews were late, the IRS did not detect that a fraud prevention solution operated by a Login.gov vendor may have been sending personally identifiable information (PII) of IRS users to unauthorized locations outside the U.S. The finding illustrates why a CSP's third-party components must be covered by the continuous monitoring scope: the data flow that leaked PII sat with a vendor, not with the agency.

As a result, TIGTA made six recommendations to the IRS Chief Information Officer, including updating the guidance on the CSP information required for IRS IAL2 applications, improving the accuracy of the Login.gov quality review process, and assessing the extent to which the vulnerability resulted in PII being transmitted to unauthorized locations. The IRS agreed with all of the report's recommendations.

In TIGTA's annual report on the IRS' Federal Information Security Modernization Act (FISMA) compliance metrics, the inspector general rated three of the five cybersecurity framework function areas at the IRS as not effective, while two areas (RESPOND and RECOVER) were deemed effective, for an overall maturity rating of "Not Effective". The ineffective ratings fell under IDENTIFY (Risk Management and Supply Chain Risk Management), PROTECT (Configuration Management, Identity and Access Management, Data Protection and Privacy, and Security Training), and DETECT (Information Security Continuous Monitoring).

According to the report, “The IRS could improve on maintaining a comprehensive and accurate inventory of its information systems; tracking and reporting on an up-to-date inventory of hardware and software assets; implementing flaw remediation on a timely basis; encrypting to protect data at rest; and implementing multifactor authentication on its systems and facilities.”

In its FY 2025 budget request, the IRS lists $317M in total for cybersecurity activities, including $99M for taxpayer services, $28M for enforcement, and $192M for technology and operations support. Within the request, the agency plans enhancements in multifactor authentication, data-at-rest encryption, and advanced logging and audit trail protections, several of which map directly to the gaps cited in the TIGTA audit findings.