This report presents the results of our review of the Internal Revenue Service’s (IRS) compliance with Federal critical infrastructure policies. In summary, we found the IRS has made progress to support the physical security goals of Presidential Decision Directive 63, which calls for a national effort to ensure the security of the nation’s critical infrastructure. The IRS has identified its critical infrastructure facilities, conducted vulnerability assessments, and determined what corrective actions are needed. Management agreed with the information presented in this report, and the full text of their response is included as an appendix.

Copies of this report are being sent to the IRS managers who are affected by the report and to the President’s Council on Integrity and Efficiency. Please contact me at (202) 622-6510 if you have questions or Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

The objective of this review was to evaluate the adequacy of the Internal Revenue Service’s (IRS) planning and assessment activities for protecting its critical infrastructure facilities, as required by Presidential Decision Directive (PDD) 63. We conducted this review in conjunction with other similar audits being performed by other Inspector General offices, as directed by the President’s Council on Integrity and Efficiency (PCIE). We issued an earlier report which addressed the planning and assessment activities of computer-based assets pertaining to the IRS’ critical infrastructure.

To accomplish our objective, we determined whether vulnerabilities and actions to reduce the vulnerabilities had been identified. We also determined whether the planned actions had been funded. We interviewed the Chief Infrastructure Assurance Officer (CIAO) and personnel in the Special Projects branch of the Office of Security. We reviewed the IRS’ draft Critical Infrastructure Plan and all vulnerability assessments and security/risk reviews of its critical infrastructure facilities conducted within the last 4 years. We performed our audit work between January and April 2001 in the National Headquarters.

This audit was performed in accordance with Government Auditing Standards. Major contributors to this report are listed in Appendix I. Appendix II contains the Report Distribution List.

Government officials are increasingly concerned about attacks from individuals and groups with malicious intentions, such as terrorists and nations engaging in information warfare. PDD 63, signed in May 1998, called for a national effort to ensure the security of the nation’s critical infrastructure. The critical infrastructure is defined as systems essential to the minimum operations of the economy and government. The critical infrastructure includes, but is not limited to, telecommunications, banking and finance, energy, and transportation.

In response to PDD 63, the Department of the Treasury completed a Critical Infrastructure Protection Plan (CIPP) as a guide for all of its offices and bureaus. The CIPP requires that all Department of the Treasury offices and bureaus appoint a CIAO who has overall responsibility for protecting his/her organization’s critical infrastructure.

The IRS appointed the Director, Office of Security, as the CIAO. The responsibilities of the CIAO include: identifying all critical infrastructure facilities, determining the appropriate level of security for the facilities, identifying existing vulnerabilities at the facilities, and remedying the vulnerabilities to ensure the appropriate level of security.

The IRS has made progress to support the physical security goals of PDD 63. The CIAO identified the IRS’ critical infrastructure facilities and determined the appropriate level of security needed to adequately protect the facilities. The Office of Security conducted vulnerability assessments of the facilities and identified several actions that must be taken to meet the level of security recommended by the CIAO. Some of the security enhancements recommended include physical upgrades to improve the effectiveness of:

• Property and building access controls.
• Guard force capabilities.
• Surveillance and alarm capabilities.

As of April 2001, none of the actions identified in the vulnerability assessments had been started and the CIAO could not provide a definitive time period when they will be completed. However, the CIAO has initiated actions to obtain funding for the security upgrades.

The CIAO discussed the proposed level of security with the Financial and Management Controls Executive Steering Committee, which is chaired by the IRS Deputy Commissioner, in March 2001. The Committee approved the level of security proposed by the CIAO.

The upgrades needed to reach that level of security are estimated to cost over $8 million. The CIAO is attempting to obtain funding for the upgrades in Fiscal Year 2001. If funding is not available this fiscal year, the CIAO intends to include the funding for the upgrades in the Fiscal Year 2002 budget.

If funding is not provided to adequately protect the IRS’ critical infrastructure facilities, the government’s primary revenue collector, and other agencies and states that use its data, could be at risk of disrupted operations and processing delays.

The IRS has taken steps to identify its critical infrastructure facilities, assess the vulnerabilities of the facilities, and identify corrective actions. The CIAO has initiated steps to fund these actions. IRS management agreed with the information in this report, and the full text of their response is included as Appendix III.

Scott Wilson, Assistant Inspector General for Audit (Information Systems Programs)

Steve Mullins, Director

Kent Sagara, Audit Manager

Bill Lessa, Senior Auditor

David Hodge, Auditor

Commissioner N:C

Deputy Commissioner N:DC

National Taxpayer Advocate TA

Chief Counsel CC

Director, Office of Security M:S

Director, Legislative Affairs CL:LA

Director, Office of Program Evaluation and Risk Analysis N:ADC:R:O

Office of Management Controls N:CFO:F:M

President’s Council on Integrity and Efficiency

Audit Liaison:

Deputy Commissioner for Modernization & Chief Information Officer M

The response was removed due to its size. To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.