
IRS needs better grip on contractors with taxpayer data access, says TIGTA

The Internal Revenue Service isn't quite sure how many private sector employees it should review each year for security purposes because of their access to taxpayer data, according to a new audit.

The IRS--like much of the government--relies extensively on companies in support roles. Accenture operates and maintains IRS.gov. Northrop Grumman provides technology that scans tax returns. AT&T delivers telework networking.

However, each year when the IRS infrastructure security and reviews office wanted to conduct security checks of contractors working on those support IT systems, it left it to the companies themselves to identify which of their employees worked on those systems, according to a new report from the Treasury Inspector General for Tax Administration, based on an investigation conducted from June 2009 through January 2010.

Based on that data call, the IRS then prepared a list of contractor employees targeted for security review, based in part on the type of tax data processed by the contractor.

It has not been an effective process, and it missed two individuals who should have been reviewed, auditors say. Instead, the IRS should have its own IT system for identifying which private sector employees working with IRS systems should undergo annual review, a recommendation that the IRS says it will implement.

The audit also faults the IRS for not following cybersecurity reviews of contractor systems with a tracking document known as a "Plan of Action and Milestones," which is required under the Federal Information Security Management Act and is known mostly by its acronym, POA&M.

The IRS did review contractors' IT systems and did identify corrective actions along with planned implementation dates, but it did not develop POA&Ms for the weaknesses, the audit states.

When asked why, the IRS told auditors that it had not considered POA&Ms necessary for the systems in question because those systems were not FISMA-reportable.

"While there might be confusion over what is or is not FISMA reportable, we believe the approach for tracking and monitoring security weaknesses should apply regardless," auditors wrote. In a review of eight contractor facility systems, auditors found 24 repeat weaknesses left over from fiscal 2008.

The IRS will start to develop POA&Ms for previously uncovered contractor IT systems, the agency promised auditors.

For more:
- read TIGTA audit 2010-20-051 (.pdf)
