The Treasury Inspector General for Tax Administration faulted the IRS’s cybersecurity program as ineffective, since it failed 17 out of the 20 relevant metrics on which it was judged.
The metrics themselves come from the Fiscal Year 2022 Core Inspector General Metrics Implementation Analysis and Guidelines, and cover nine security “domains,” each of which has several specific metrics attached to it: risk management (five metrics), supply chain risk management (one metric), configuration management (two metrics), identity and access management (three metrics), data protection and privacy (two metrics), security training (one metric), information security continuous monitoring (two metrics), incident response (two metrics) and contingency planning (two metrics).
The TIGTA report said that while the program generally aligned with the relevant standards and regulations, its components had not yet reached an acceptable maturity level, which led it to fail 17 core inspection metrics and to be rated ineffective overall by the inspector general.
“As examples of specific metrics that were not considered effective, TIGTA found that the IRS could improve on maintaining a comprehensive and accurate inventory of its information systems; tracking and reporting on an up-to-date inventory of hardware and software assets; maintaining secure configuration settings for its information systems; implementing flaw remediation and patching on a consistent and timely basis; and ensuring that security controls for protecting personally identifiable information are fully implemented,” said the report.
For instance, the report said the IRS cannot always ensure that information systems included in its inventory are subject to the monitoring processes defined within its Information Security Continuous Monitoring (ISCM) Program Plan because of gaps in the tools used to monitor its system inventories. Moreover, according to TIGTA, the IRS has not closed the scanning tool gaps necessary to perform checks for unauthorized hardware components or devices and to notify the appropriate organizational officials.
There was only one area that TIGTA thinks has been “optimized” at full maturity: incident response. The report said the IRS uses dynamic reconfiguration (e.g., changes to router rules, access control lists, and filter rules for firewalls and gateways) to stop attacks, misdirect attackers and isolate components of systems.
For the remainder of the program, though, TIGTA was less than impressed.
“The IRS needs to take further steps to improve its security program deficiencies and fully implement all security program components in compliance with FISMA requirements; otherwise, taxpayer data could be vulnerable to inappropriate and undetected use, modification, or disclosure,” said the report.