IRS challenged by logical access with HSPD-12 cards


Efforts at the Internal Revenue Service to use the mandatory governmentwide identity cards required by Homeland Security Presidential Directive-12 for logical access threaten to run into more delays, says the Treasury Inspector General for Tax Administration.

In an annual audit (.pdf) of IRS compliance with the Federal Information Security Management Act--auditors say the tax agency "generally complies" with it--TIGTA also notes that the IRS has experienced significant delays in deploying the HSPD-12 cards for logical access. It originally had intended to start using the cards for employee computer access in September 2011, auditors note, but now says its target is July 2013.

Even that date could slip, auditors add, because of issues ranging from the possibility that the National Treasury Employees Union could forestall a mandatory logical access requirement, to the 1,888 IRS applications that are not yet identity-card enabled, to a lack of money to update them.

Although auditors don't state it, IRS is hardly alone in this regard--many agencies have found logistical, organizational and monetary difficulties in using the cards as intended by the 2004 directive that established them--as a means for electronically controlling physical as well as logical access.

As for FISMA compliance in general, auditors say that based on reviews of a representative sample of 10 major IRS systems, the tax agency generally met its obligations in 8 of 11 information security program areas during the past fiscal year.

The three where it didn't--besides identity and access management--were configuration management and security training.

Among the difficulties the IRS encountered with configuration management was completing the implementation of an enterprisewide continuous monitoring tool for Windows and Unix servers, an effort it began in April 2008.

The IRS has deployed a Security Content Automation Protocol-compliant tool known as the Treasury Enhanced Security Initiative for scanning desktops, but the tool lacks the ability to discover all assets on the IRS network and to identify noncompliant security configurations for specific workstations, auditors say.

Tool upgrades have undergone several delays because the IRS has said they are a relatively lower priority than other development needs.

Patching--like logical access with HSPD-12 cards, a perennial and widespread federal issue--also was lacking. A March 2012 report showed that 7,329 potential vulnerabilities remained on IRS servers due to 23 critical patches not being installed, with some patches being released as far back as April 2011.

For more:
- download the report, 2012-20-114 (.pdf)
