A Treasury Inspector General for Tax Administration audit alleges that the IRS obtained cloud services without a proper ATO certification, among other cyber concerns within the agency.


Taxpayer Data Is at Risk Due to Cybersecurity Deficiencies at IRS, a Report Warns

An annual assessment of the IRS' information technology program alleges critical cybersecurity deficiencies in the agency's handling of taxpayer data privacy.

Taxpayer data may be vulnerable to inappropriate and undetected misuse or disclosure due to deficiencies in the IRS' security program, according to an annual assessment of the agency's information technology program. 

The Treasury Inspector General for Tax Administration published a report on April 6 that found critical failures within the IRS' cybersecurity program, and other issues surrounding its handling of taxpayer data privacy and system environment security. 

According to the TIGTA audit, the agency implemented a cloud service provider solution without an approved Authorization to Operate letter "and without secure contractual services for fraud analysis and detection," potentially jeopardizing the security of sensitive taxpayer information. The ATO certification ensures a cloud service provider's system meets IRS security standards, and without it, systems may lack adequate safeguards to protect against cyber intrusions. 

While the report found that the IRS had taken "preliminary steps" to address IT supply chain risks, such as researching and developing a supply chain risk management framework, it also said that the agency lacked a complete inventory of systems to track remediation efforts and provide proper oversight. Other problems were also reported with the IRS' IT asset management, as well as with its efforts to update and modernize operations.

An audit of the IRS' vulnerabilities on network devices found insufficient oversight and indicated that the agency's patch and vulnerability group only provides remediation oversight for "high-priority, enterprise-wide vulnerabilities" and remediation efforts for high-visibility programs. The group also failed to consistently track and report vulnerability remediation metrics, the report said. 

The IRS hit back at the report in its response to the audit. Agency officials said they had implemented corrective actions to address 78 previous recommendations while investing "in a highly effective and multi-layered cybersecurity program."

The agency also said that some findings included in the audit "are inaccurate" and specifically noted that the audit report associated with its deployment of cloud services "does not accurately reflect the agency's cloud security posture and also includes several misleading statements without appropriate context."

Still, the agency noted that it has "struggled for many years without sufficient resources" and that the additional multi-year funding included in the Inflation Reduction Act will allow it to add critical technology resources over the following years. 

The IRS published its strategic operating plan for fiscal 2023 through 2031 on April 5, featuring plans to retire legacy applications and consolidate dozens of core applications into secure, commercial, cloud-based platforms. 

The operating plan also includes plans to modernize IT infrastructure as part of an effort to automate and standardize many of the agency's current manual processes.