GAO takes IRS to task over security weaknesses

A recent Government Accountability Office report found that the IRS has inconsistently implemented its agencywide security controls, constituting a “significant deficiency” in financial reporting and exposing taxpayer and financial data to unnecessary risk.

Among the weakness the GAO cited were insufficient controls for identifying and authenticating users, authorizing users’ level of rights and privileges, encrypting sensitive data, auditing and monitoring network activity and physically securing the facilities that house its IT resources.

Specifically, the agency used easily guessable passwords on servers that support key IT systems; users were granted permissions that exceeded what they needed; and some systems were not configured to encrypt sensitive user authentication data. Additionally, the IRS did not establish proper logging for audit and monitoring for two applications, and it failed to ensure the timely application of security patches.

The GAO also addressed the challenges that the IRS is facing detecting identify theft-based refund fraud. Though the IRS worked with consumers, financial institutions and states to further prevent identity fraud, the agency should implement pre-refund matching of taxpayer returns with information returns from employers and strongly assess the costs, benefits and risks of improving methods for authenticating taxpayers, GAO said.

In order to fully improve information security within its systems and prevent data breaches, the GAO made 43 technical recommendations in a separate report to address 26 new weaknesses in access controls and configuration management.

At a hearing before the Senate Finance Committee regarding the report, IRS Commissioner John Koskinen told committee members that the IRS must maintain a “delicate balance” between keeping criminals out of IRS systems while letting legitimate taxpayers in. He said his agency is working on developing a better-coordinated authentication framework to avoid some of the errors made in the past.

Congress continues to ask the IRS to do more with less by enacting deep and damaging cuts to the agency's budget," Sen. Tom Carper (D-Del.) said. "I'm concerned that these successive budget cuts may be pennywise and pound foolish when it comes to ... the agency's ability to protect American taxpayers' information online."

FCW’s Aisha Chowdhry contributed to this report.

About the Author

Amanda Ziadeh is a former reporter/producer for GCN.


  • 2020 Government Innovation Awards
    Government Innovation Awards -

    21 Public Sector Innovation award winners

    These projects at the federal, state and local levels show just how transformative government IT can be.

  • Federal 100 Awards
    cheering federal workers

    Nominations for the 2021 Fed 100 are now being accepted

    The deadline for submissions is Dec. 31.

Stay Connected