Letter Report: Planning Efforts to Protect Critical Infrastructure Facilities Are Adequate
Reference Number: 2001-20-111
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
July 24, 2001
MEMORANDUM FOR DEPUTY COMMISSIONER FOR MODERNIZATION & CHIEF INFORMATION OFFICER
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Deputy Inspector General for Audit
SUBJECT: Final Letter Report - Planning Efforts to Protect Critical Infrastructure Facilities Are Adequate
This report presents the results of our review of the Internal Revenue Service's (IRS) compliance with Federal critical infrastructure policies. In summary, we found the IRS has made progress to support the physical security goals of Presidential Decision Directive 63, which calls for a national effort to ensure the security of the nation's critical infrastructure. The IRS has identified its critical infrastructure facilities, conducted vulnerability assessments, and determined what corrective actions are needed. Management agreed with the information presented in this report, and the full text of their response is included as an appendix.
Copies of this report are being sent to the IRS managers who are affected by the report and to the President's Council on Integrity and Efficiency. Please contact me at (202) 622-6510 if you have questions or Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
Objective and Scope
The objective of this review was to evaluate the adequacy of the Internal Revenue Service's (IRS) planning and assessment activities for protecting its critical infrastructure facilities, as required by Presidential Decision Directive (PDD) 63. We conducted this review in conjunction with other similar audits being performed by other Inspector General offices, as directed by the President's Council on Integrity and Efficiency (PCIE). We issued an earlier report which addressed the planning and assessment activities of computer-based assets pertaining to the IRS' critical infrastructure.
To accomplish our objective, we determined whether vulnerabilities and actions to reduce the vulnerabilities had been identified. We also determined whether the planned actions had been funded. We interviewed the Chief Infrastructure Assurance Officer (CIAO) and personnel in the Special Projects branch of the Office of Security. We reviewed the IRS' draft Critical Infrastructure Plan and all vulnerability assessments and security/risk reviews of its critical infrastructure facilities conducted within the last 4 years. We performed our audit work between January and April 2001 in the National Headquarters.
This audit was performed in accordance with Government Auditing Standards. Major contributors to this report are listed in Appendix I. Appendix II contains the Report Distribution List.
Government officials are increasingly concerned about attacks from individuals and groups with malicious intentions, such as terrorists and nations engaging in information warfare. PDD 63, signed in May 1998, called for a national effort to ensure the security of the nation's critical infrastructure. The critical infrastructure is defined as systems essential to the minimum operations of the economy and government. The critical infrastructure includes, but is not limited to, telecommunications, banking and finance, energy, and transportation.
In response to PDD 63, the Department of the Treasury completed a Critical Infrastructure Protection Plan (CIPP) as a guide for all of its offices and bureaus. The CIPP requires that all Department of the Treasury offices and bureaus appoint a CIAO who has overall responsibility for protecting his/her organization's critical infrastructure.
The IRS appointed the Director, Office of Security, as the CIAO. The responsibilities of the CIAO include: identifying all critical infrastructure facilities, determining the appropriate level of security for the facilities, identifying existing vulnerabilities at the facilities, and remedying the vulnerabilities to ensure the appropriate level of security.
The IRS has made progress to support the physical security goals of PDD 63. The CIAO identified the IRS' critical infrastructure facilities and determined the appropriate level of security needed to adequately protect the facilities. The Office of Security conducted vulnerability assessments of the facilities and identified several actions that must be taken to meet the level of security recommended by the CIAO. Some of the security enhancements recommended include physical upgrades to improve the effectiveness of:
As of April 2001, none of the actions identified in the vulnerability assessments had been started and the CIAO could not provide a definitive time period when they will be completed. However, the CIAO has initiated actions to obtain funding for the security upgrades.
The CIAO discussed the proposed level of security with the Financial and Management Controls Executive Steering Committee, which is chaired by the IRS Deputy Commissioner, in March 2001. The Committee approved the level of security proposed by the CIAO.
The upgrades needed to reach that level of security are estimated to cost over $8 million. The CIAO is attempting to obtain funding for the upgrades in Fiscal Year 2001. If funding is not available this fiscal year, the CIAO intends to include the funding for the upgrades in the Fiscal Year 2002 budget.
If funding is not provided to adequately protect the IRS' critical infrastructure facilities, the government's primary revenue collector, and other agencies and states that use its data, could be at risk of disrupted operations and processing delays.
The IRS has taken steps to identify its critical infrastructure facilities, assess the vulnerabilities of the facilities, and identify corrective actions. The CIAO has initiated steps to fund these actions. IRS management agreed with the information in this report, and the full text of their response is included as Appendix III.
Major Contributors to This Report
Scott Wilson, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Bill Lessa, Senior Auditor
David Hodge, Auditor
Report Distribution List
Deputy Commissioner N:DC
National Taxpayer Advocate TA
Chief Counsel CC
Director, Office of Security M:S
Director, Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis N:ADC:R:O
Office of Management Controls N:CFO:F:M
President's Council on Integrity and Efficiency
Deputy Commissioner for Modernization & Chief Information Officer M
Management's Response to the Draft Report
The response was removed due to its size. To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.