Report: IRS underestimates IT security weaknesses

IRS underestimates IT security weaknesses

The process the IRS has used to track IT program and system security weaknesses is flawed and ineffective, the Treasury Inspector General for Tax Administration's office said in a report released this week. As a result, the IRS provided the Treasury Department and the Office of Management and Budget with inaccurate and misleading information related to the Federal Information Security Management Act.

'The system-level (Plans of Action and Milestones) did not accurately and completely describe the security weaknesses and milestones, understated the number of weaknesses, and overstated progress in addressing the weaknesses,' said Gordon Milbourn III, Treasury's assistant inspector general for audit, in the report.

The review took place in April and May but auditors took into account IRS progress in its next FISMA report dated September.

IRS prepared near-identical plans for each system, noting broad categories of weaknesses instead of specific weak points. The agency did not provide detailed actions to correct the problems nor the names of the managers responsible for them, according to the report.

In its most recent action report, IRS listed 319 weaknesses for its 80 major systems. But those weaknesses only represent management control problems, such as lack of certification and accreditation, security and tested contingency plans. They do not include operational and technical control weaknesses, the report said.

IRS assumed that if a system had been certified and accredited, most noted weaknesses could be closed. 'This assumption is not valid since certified and accredited systems can still have security weaknesses,' the IG said.

IRS has since established a working group of IT modernization and business unit executives to figure out how best to manage the process for correcting security problems, said Daniel Galik, chief of IRS mission assurance and security services. IRS will provide detailed corrective actions by line item instead of grouping the actions 'to ensure there is not a perception of underreporting of corrective actions,' he said in a written response earlier this month.

IRS will also team with Treasury to acquire an automated application that will standardize and streamline all action plan reporting and tracking across the department, he said. Treasury is adapting its process for reporting and tracking financial management weaknesses through its Joint Audit Management Enterprise System in order to synchronize its security reporting. This will create one source for tracking corrective actions related to audits by TIGTA and the Government Accountability Office, Galik said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.