Monitoring of IRS network security is flawed, report says

The process used by IRS officials to monitor network security at the agency is "flawed and ineffective," according to a report released this month by the office of the Treasury Inspector General for Tax Administration.

Specifically, the report claimed that the IRS drastically understated the number of weaknesses in its technology systems. In September 2004, the agency reported 319 system-level weaknesses.

"We cannot determine the actual number of weaknesses for each system," the report said. "However, we estimate that it would be many times more than the number reported to the Department of Treasury."

The study was conducted early last year and was designed to examine the "Plans of Action and Milestones" (POA&M) process that the IRS uses to monitor network security readiness. The Office of Management and Budget lists information technology security as a vital component of the e-government initiative on the President's Management Agenda. To achieve a satisfactory grade for IT security, agencies are required to show that they are making progress in reducing network weaknesses. According to the inspector general's report, however, the information provided to the Treasury Department and to OMB "has been inaccurate and misleading."

"The IRS has prepared POA&Ms to track both program-level and system-level weaknesses. However, the process it uses to identify weaknesses and report progress is flawed and ineffective," the report found. "The number of program-level weaknesses was significantly understated. The system-level POA&Ms did not accurately and completely describe the security weaknesses and milestones, understated the number of weaknesses, and overstated progress in addressing the weaknesses."

IRS security officials concurred with the findings and, according to both the IRS and the inspector general's office, had already begun to implement some remedies last year. The head of the Mission Assurance and Security Services office has established an IRS working group to focus on managing the network security process and ensuring that it meets the requirements of the Federal Information Security Management Act.

The Mission Assurance and Security Services unit also seeks to acquire new technology to standardize and streamline the process for tracking network security, Daniel Galik, the MA&SS chief, wrote in a response to the inspector general's report.

The security office will also "coordinate with the [chief information officer] and business unit owners to accurately report the results of efforts to correct security weaknesses."