IRS two-factor authentication system nearly 2 years behind schedule, finds TIGTA


The Internal Revenue Service's efforts to upgrade its systems to use SmartID cards are 22 months behind schedule, according to a Treasury Inspector General for Tax Administration report (.pdf) dated Sept. 28 but only released publicly Nov. 15.

Originally, IRS planned to roll out two-factor authentication by September 2011, but the new goal is July 2013. The agency plans to have 50,000 employees use their SmartID card for logical access by the end of December 2012, write report authors.

The delays have also been costly. The products the IRS acquired comply with technical specifications; however, two acquired software licenses went unused.

The IRS bought 95,000 ActivClient licenses, costing $1.08 million, to be used from Aug. 31, 2010 to Aug. 30, 2011. It also bought 95,000 licenses for the Oracle ESSO software for the same period of time, costing $1.5 million.

"The licenses were never used because the IRS did not begin deploying the software until May 2012," find auditors.

According to TIGTA, IRS's project manager did not have proper training and experience to lead the project. However, other factors also contributed to the project's delays:

  • The agency opted to support a stronger encryption standard, changing the requirements from Secure Hash Algorithm-1 (SHA-1) to Secure Hash Algorithm-256 (SHA-256)—which is recommended by the National Institute of Standards and Technology.
  • Oracle acquired Passlogix, causing Oracle ESSO to be renamed, but also causing software problems that prevented it from functioning as intended.
  • Negotiations with the National Treasury Employees Union took longer than expected.
  • Filing season moratoriums from Nov. 30, 2010 to May 23, 2011 and Nov. 1, 2011 to May 21, 2012 prevented any changes to production environments during peak processing times.
  • The agency's IT organization felt the Customer Account Data Engine version 2 was a higher priority than any other enterprise operations.

In order to get the SmartID program back on track and prevent future problems, TIGTA recommends that IRS begin negotiating mandatory use of the SmartID cards with its union immediately. TIGTA also recommends that IRS appoint a certified project manager with the requisite training and experience to lead the project. He or she should complete the required security control assessment and fully test and evaluate the system.

Of TIGTA's recommendations, IRS disagreed with the recommendation to require testing of the new system, saying testing was completed in accordance with its procedures. The agency said additional testing is not necessary.

Auditors are concerned about IRS's disagreement on testing. Report authors found no evidence that the security, integration, capacity and performance testing were conducted for the part of the two-factor authentication system employees will use to authenticate to the IRS network.

For more:
- download the TIGTA report, 2012-20-115 (.pdf)
