IG to IRS: Expand secure messaging or drop it

IG to IRS: Expand secure messaging or drop it

The IRS has a program that can protect taxpayers' sensitive financial data when agency employees share it via e-mail; the problem is not all employees use the encrypted messaging, a new inspector general report says.

As of last fall, two years after the agency began its Secure Messaging program, only 76 percent of the IRS' 82,000 e-mail mailboxes had been enrolled, the audit from the Treasury Department IG for tax administration found. Both the sender and recipient of an e-mail must use the encryption service for it to work.

'Even those enrolled in the program are not using it consistently,' said Pamela Gardiner, deputy IG for audit on the tax administration team. The IG reviewed e-mail exchanges that took place from April to September.

Secure Messaging incurs additional administration costs and demands more of the IRS' telecommunications and computer storage systems. The IG recommended the agency weigh the costs and benefits of continuing the program. If the IRS decides it should keep the program, it needs to make sure all employees who send sensitive data enroll in Secure Messaging, the report concluded.

CIO Todd Grams said the agency has no choice but to continue with the program. He cited a mandate in Homeland Security Presidential Directive 12 that requires all agencies to develop common identification standards. 'While this directive does not specifically speak to messaging authentication and signing, it does mandate that all government agencies migrate to logical access controls based on public-key infrastructure technology in the near term,' he said.

The IRS ultimately plans to replace its Secure Messaging program with PKI for infrastructure authentication, he said. The audit, however, concluded that the presidential directive has no effect on the IRS' Secure Messaging effort.

Grams said the IRS would do more to educate employees about Secure Messaging and require managers to review employees' use to ensure compliance.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.