IRS has cybersecurity material weakness, says GAO
Gaps in Internal Revenue Service cybersecurity controls cumulatively rise to the level of a material weakness in internal controls over financial reporting, says the Government Accountability Office in a report dated March 15.
Among the weaknesses apparent to the watchdog agency during the last fiscal year are insufficient access control, unencrypted network devices transmitting sensitive information, unpatched software and employees who have too many access privileges. The GAO identified 37 new weaknesses active during fiscal 2010.
In addition, weaknesses the GAO identified in previous fiscal years--65 of 88 of them--remain unresolved or unmitigated, according to the report. Although the IRS tests its security controls, the GAO says its testing methodology was able to detect vulnerabilities that went unobserved by the tax agency.
An underlying reason for all the weaknesses, the GAO says, is that the IRS does not have a comprehensive information security program. Such a statement can likely be found in almost any GAO cybersecurity report conducted since Congress passed the Federal Information Security Management Act in 2002. FISMA requires agencies to fashion comprehensive cybersecurity plans, but either their creation or GAO satisfaction with them might be accomplishments beyond current human capabilities--if nearly a decade's worth of GAO refrains are anything to go by, that is.
- download the report, GAO-11-308 (.pdf)