Security Controls Were Not Adequately Considered in the
Development and Integration Phases of Modernization Systems
August 2005
Reference Number: 2005-20-128
This report has cleared the Treasury
Inspector General for Tax Administration disclosure review process and
information determined to be restricted from public release has been redacted
from this document.
August
26, 2005
MEMORANDUM FOR
CHIEF INFORMATION OFFICER
CHIEF,
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Deputy Inspector General for
Audit
SUBJECT: Final Audit Report - Security Controls Were
Not Adequately Considered in the Development and Integration Phases of Modernization
Systems (Audit # 200420029)
This
report presents the results of our review to evaluate the Internal Revenue
Service’s (IRS) process for incorporating computer security controls into
modernization systems. Currently, the IRS has a unique opportunity during its systems
modernization efforts to develop and integrate adequate security controls
effectively and efficiently. Many of its
core systems are being rebuilt under the Business Systems Modernization efforts. As such, security controls should be provided
during the development phase of the Enterprise Life Cycle (ELC) and tested
during the integration phase.
We judgmentally selected and
reviewed the e-Services, Internet Refund Fact of Filing, Modernized e-File, Custodial
Accounting Project, and Customer Account Data Engine (CADE) modernization
projects. Appendix V provides a
description of these systems.
In
summary, the Mission Assurance and Security
Services (MA&SS) organization, the Business Systems Modernization Office
(BSMO), and the PRIME contractor are responsible for incorporating and
developing security controls into modernization systems and their coordination
is critical to effectively carry out these responsibilities. The MA&SS organization is responsible for
establishing security standards for all systems and testing the security
controls for new systems. It has a
directorate specifically dedicated to ensuring appropriate security controls
are developed, tested, and implemented for modernization systems. The BSMO is primarily responsible for
ensuring security controls are considered, developed, and integrated in
modernization systems. For the systems we
reviewed, the BSMO contracted with the PRIME contractor to develop security
controls in accordance with IRS standards.
The IRS did not adequately consider
security controls in the development phase of the systems. We identified several inadequate security
controls, many of which could have been addressed in the development phase of
the systems. For example, several security
configurations do not comply with IRS standards, audit trails are not useable
for modernization systems, and disaster recovery plans are not adequate for the
systems we reviewed. In addition, documentation
required in the development phase provided only general or outdated descriptions
of security requirements and controls.
Waiting until after implementation to
address these weaknesses will most likely cost significantly more than if the
issues were considered during the development of the systems. These inadequate security
configurations could result in system exploitation by unauthorized individuals
or personnel. In addition, the lack of
disaster recovery planning in the development phase could unnecessarily prolong
the recovery from a natural disaster or terrorist attack. Based on the conditions we identified,
we believe the PRIME contractor primarily focused on delivering systems that would
function but did not provide sufficient emphasis to ensure security controls had
been developed for the systems. Additionally,
the MA&SS organization was not sufficiently involved in the early development
stages of the systems we reviewed. More
involvement was needed to hold the PRIME contractor accountable and to encourage the
PRIME contractor to develop security controls in compliance with IRS security standards
when the systems were being developed.
During the integration phase of the
ELC, applications must be tested with the technical infrastructure to ensure
they interact effectively. The IRS’
testing identified several security control weaknesses, but some were not
corrected before implementation. For
example, the IRS found operating system configurations and file permissions were
inaccurate on all Microsoft Windows computers for two systems. Although the IRS considered this weakness to
be a moderate risk, it did not take any action to correct the weakness prior to
implementation. Testing tools used by
the IRS were generally adequate, but the IRS could use additional free software
to identify additional security control weaknesses, such as the lack of
security patches, before implementing new systems.
To ensure security controls that meet
IRS security standards are adequately considered during the development of new
systems, we recommended the Chief Information Officer
(CIO) provide oversight to ensure coordination between the BSMO and PRIME contractor.
The CIO should revise the ELC to require
disaster recovery planning in the development phase of the system life cycle
and ensure the CADE audit trail data are retained and reviewed to detect
unauthorized accesses. The Chief, MA&SS,
should take the initiative to participate in the development of new systems and
ensure security controls are built into the new systems. To improve testing, we recommended the Chief,
MA&SS, use additional off-the-shelf
security testing tools.
Management’s Response: The CIO
emphasized that the IRS considers security controls at all times, even when
there are pressures to implement systems.
Security design processes are shared with various internal stakeholders
and required life cycle artifacts are thoroughly reviewed. Also, IRS integration, deployment, and
operational processes have matured since the audit was conducted. For example, the IRS modified the PRIME
contract to include updated security requirements and implemented processes to
measure compliance with IRS security settings during testing.
The CIO agreed with four of
our five recommendations. The CIO stated
the ELC and the PRIME contract have been updated to ensure security controls
comply with IRS standards and are considered in the development phase. The ELC will be revised to include disaster
recovery planning in the development phase.
The CIO agreed that the MA&SS organization should be included in the
development phase of new projects. In
addition, the ELC has been updated to ensure security deliverables are
addressed throughout the life cycle. To
enhance security testing, the IRS will review internal processes and determine if additional
tools can better check systems controls. The CIO disagreed with our recommendation to
retain and review audit trail information on the CADE and is not taking any
action because the system cannot be accessed externally. The CIO also disagreed that the Security
Audit and Analysis System (SAAS), which was procured to collect and review
audit trail information for other modernization systems, was not
operating. The CIO stated testing in
September 2004 validated the SAAS was receiving and processing modernized
system audit trail transactions.
Management’s complete response to the draft report is included as Appendix
VI.
Office of Audit Comments: The IRS made
several improvements during our review that should address our conclusions and
improve the security of modernization systems.
IRS updates to the ELC and changes to the PRIME contract are examples of
these improvements. We continue to believe
that audit trail information for the CADE should be retained and reviewed. The CADE contains tax information for over
1.3 million returns that could be accessed by some IRS employees for
unauthorized purposes and potentially used for identity theft purposes. Accordingly, audit trail information must be
maintained to comply with Department of the Treasury requirements. We do not intend to elevate our disagreement
to the Department of the Treasury for resolution at this time. However, we do plan a comprehensive review to
determine whether audit trails for modernization systems are being retained and
reviewed. We will include the CADE and the
SAAS in this follow-up review.
Copies
of this report are also being sent to the IRS managers affected by the report
recommendations. Please contact me at
(202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector
General for Audit (Information Systems Programs), at (202) 622-8510.
Security Controls Need to Be Addressed in the Development
Phase
Modernization Systems’ Security Testing Could Be Improved
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report
Distribution List
Appendix IV – Enterprise Life Cycle Overview
Appendix V – Description of Modernization Projects Reviewed
Appendix VI – Management’s Response to the Draft Report
The Internal Revenue Service (IRS) relies on approximately 350 computer systems to process tax information and account for over $2 trillion in revenue annually. Security over these systems is critical to prevent hackers, disgruntled employees, and contractors from gaining unauthorized access to taxpayers’ sensitive financial information or from disrupting computer operations.
The IRS has many
security weaknesses in its computer systems that have been difficult and costly
to correct. One explanation for these
weaknesses is that security controls were not adequately considered during the
development of the systems. Many of the
IRS’ legacy systems were developed before the IRS had implemented a rigorous system
development methodology.
Security weaknesses are
almost always more difficult and costly to correct after systems have been
implemented. According to the National Institute of
Standards and Technology (NIST), it costs 30 times as much to fix a defect once
software is built as it does to identify controls needed during requirements
gathering. In another study, Gartner,
Inc. states if 50 percent of software vulnerabilities were removed prior to
production for purchased and internally developed software, enterprise
configuration management costs and incident response costs would be reduced by 75
percent each.
The IRS has a unique opportunity during its systems modernization efforts to develop security controls more effectively and efficiently. Many of its core systems are being rebuilt under the Business Systems Modernization (BSM) efforts.
To ensure modernization
projects are developed in a disciplined manner, the IRS adopted its Enterprise
Life Cycle (ELC). The ELC processes are
divided into six phases. Three of these
phases (development, integration, and operations and support) are relevant to
incorporating security controls into each system. We concentrated on the development and
integration phases in this review.
We judgmentally selected and reviewed the e-Services, Internet Refund Fact of Filing (IRFOF), Modernized e-File (MeF), Custodial Accounting Project (CAP), and Customer Account Data Engine (CADE) modernization projects. Appendix V provides a description of the modernization systems we reviewed. We tested the security controls of each system and, if security weaknesses were identified, determined whether the security control weakness was considered in the development and integration phases of the system.
This review was performed at the Business Systems
Modernization Office (BSMO) facilities in New Carrollton, Maryland; the
Martinsburg Computing Center (MCC) in
The Mission
Assurance and Security Services (MA&SS) organization, the BSMO, and the PRIME
contractor are responsible for incorporating and developing security controls
into modernization systems, and their coordination is critical to carry out
these responsibilities. The MA&SS is
responsible for establishing security standards for all systems. It has a directorate specifically dedicated
to ensuring appropriate security controls are developed, tested, and
implemented for modernization systems.
The BSMO is primarily responsible for ensuring security controls are
considered, developed, and integrated in modernization systems. For the systems we reviewed, the BSMO
contracted with the PRIME contractor to develop security controls in accordance
with IRS standards.
We identified several security control weaknesses in the modernization systems we reviewed, many of which could have been addressed in the development phase of the systems. For example, audit trails for modernization systems are not functioning and disaster recovery plans are not adequate for the systems we reviewed. In addition, available documentation indicated a lack of emphasis on security controls as it provided only general or outdated descriptions of security requirements and controls. Waiting until systems are implemented to address security controls will most likely cost significantly more than if security controls had been considered during the development of the systems.
For the five systems, we concluded the PRIME contractor
focused on developing systems that would function, but did not provide
sufficient emphasis on the identification and development of security
controls. In addition, the MA&SS organization was not sufficiently
involved during the early development stages of the systems. More involvement was needed to hold the PRIME
contractor accountable and to encourage the contractor to develop adequate security
controls when the systems were being developed.
In January 2005, the IRS began
taking over the role of systems integrator from the PRIME contractor due to
reductions in funding by Congress for the BSM program and concerns about the
adequacy of the PRIME contractor’s performance.
The BSMO will now be responsible for program-level activities such as
risk management and requirements management.
Contractors will continue to be used to deliver projects and provide
support services.
Security configurations needed to deter unauthorized activity did not always comply with IRS standards
Several security configurations in the modernization systems did not comply with IRS standards. In each case, the configurations should have been addressed in the development phase of the systems. These inadequate configurations could result in system security exploitation, unauthorized access to taxpayer data, and disruption of computer operations by unauthorized personnel. Some of the configurations identified are readily exploitable, while others require specialized knowledge of the application installed.
Additionally, we noted two instances in which IRS guidance needs to be improved to increase security. If developers had followed the guidance provided by the IRS in these two instances, authentication controls would have been jeopardized, increasing the opportunities for an unauthorized person to gain access to the systems. Due to the sensitive nature of the security weaknesses identified, we are not disclosing the weaknesses in this report. However, we provided IRS management with detailed information of these security weaknesses.
Audit trails needed to detect unauthorized activity are not operating on modernization systems
The Department of the Treasury requires automated information systems and networks which process, store, or transmit sensitive information maintain an audit trail of user security-relevant events. In addition, the audit trail security feature should be properly implemented and protected from modification. The NIST and the Government Accountability Office also provide guidelines for agencies to comply with Federal information systems security requirements.
Although we did not specifically evaluate audit trail
controls for the systems in our sample, we noted in a prior review that a
system designed to collect audit trail data from certain modernization systems
(including the e-Services, IRFOF, and MeF projects in our sample) was not
functioning as intended. Audit trail data were being stored, but users
could not query the information due to software performance and functionality
problems. The IRS accepted the system
from the PRIME contractor even though it was aware that the system was not
functioning. We were advised by BSMO
management during this review that this audit trail system is still not functioning.
The CADE has its own audit trail. The CADE, which is eventually expected to replace the IRS’ existing Master File processing systems, was first released in July 2004. As of April 27, 2005, it had processed 1.3 million Form 1040 EZ returns. The audit trail for the CADE is being collected, but it is destroyed after 1-2 days without being reviewed. We were advised by the CADE systems programmer that no IRS manager or employee had expressed a need to review CADE audit trail data, thus it was not being retained. Audit trail information should be reviewed frequently to protect against abuse and to identify abnormal activity by users.
The lack of audit trail functionality on these four modernization systems prevents management from identifying and investigating potential unauthorized accesses to the systems. We cannot comment on the audit trail capabilities of the CAP because it was cancelled before being released.
Disaster Recovery Planning
was not considered during the development phase of the systems
The modernization
systems we reviewed will reside on computers at the MCC. The strategy for disaster recovery at the MCC
is to mirror all modernization applications at the Tennessee Computing Center
(TCC) in
The lack of disaster
recovery planning for modernization systems could unnecessarily delay the
recovery from a natural disaster or terrorist attack. The ELC does not require a detailed Disaster
Recovery Plan for any of the phases of the system life cycle. In lieu of a detailed Disaster Recovery Plan,
the ELC does require a contingency plan that lacks the specific information
needed to restore systems in the event of a disaster.
Available
documentation indicated security controls were not addressed sufficiently
during the development phase
The PRIME contractor is required to prepare several reports for each system including the Systems Requirements Report, Security Risk Assessment, Security Plan, Technical Model View, Physical Technology Model View, and the Version Description Document (VDD). Collectively, these reports should document the risks and security controls relevant to each system so the BSMO, the PRIME contractor, and the MA&SS organization have a common understanding of how the system will be developed and implemented.
We found several reports and plans that contained either general or outdated security requirements. For example, one report stated requirements would be conducted in accordance with the methodology described in an Internal Revenue Manual section that has been outdated since January 2002.
The VDD, in particular, should contain the steps needed to configure and develop the business and security applications needed for the system to operate. However, the VDDs used to build the systems did not include the security controls needed to eliminate the weaknesses we identified.
To ensure security controls that comply with IRS
standards are considered in the development phase of modernization systems, the
Chief Information Officer (CIO) should:
1.
Provide oversight to
ensure coordination between the BSMO and its contractors. Under the new operating model, the BSMO should
retain the overall responsibility for ensuring security controls are provided
in the development phase of new projects.
This responsibility will require the BSMO to ensure it is properly
drafting roles and responsibilities to adequately consider security controls
during the development phase of the ELC.
Management’s Response: The CIO has
designated the Director, Infrastructure Modernization Program Office, to
provide oversight and ensure coordination between the BSMO and contractors. The CIO stated that, although adequate
controls during the design and development phase are reflected in the new ELC,
additional improvements can be implemented.
In addition, the PRIME contract has been updated to reflect updated
security standards and requirements.
2.
Revise the ELC to
require disaster recovery planning in the development phase of the system life
cycle. A complete Disaster Recovery Plan
should be required that addresses all modernization systems. During development, computer capacity and
business resumption requirements should be gathered and considered.
Management’s Response: The Deputy
Associate CIO of Business Integration will include language in the ELC regarding
disaster recovery planning in the development phase of the system life cycle. In addition, corrective actions have been provided
as part of the Disaster Recovery Material Weakness Plan to develop disaster
recovery plans for all major systems supporting the IRS’ most critical business
processes and to update resource requirements for disaster recovery capabilities
for major systems.
3.
Ensure audit trail
data captured for the CADE is retained and reviewed to detect unauthorized
accesses.
Management’s Response: The CIO disagreed
with this recommendation. The log and
audit files used by the CADE system programmers are established for recovery
and diagnostic purposes and do not capture data related to unauthorized
access. Currently, the CADE has no
support for external data inquiry.
Office of Audit Comment: We continue
to believe that audit trail information for the CADE should be retained and
reviewed. The CADE contains tax
information for over 1.3 million returns that could be accessed by some IRS
employees for unauthorized purposes and potentially used for identity theft
purposes. Accordingly, audit trail information
must be maintained to comply with Department of the Treasury requirements.
The Chief, MA&SS, should:
4.
Ensure the MA&SS organization is included and
participates in the development phase of new systems and ensure security controls
are built into the systems.
Management’s Response: The CIO agreed that
the MA&SS organization should participate in the development of new systems. In addition, the recent update to the ELC
ensures security deliverables, checkpoints, and milestone exit certification
requirements are addressed throughout the life cycle. The ELC updates will ensure security controls
are built into the systems.
During the integration phase of the ELC, systems must be tested to ensure security controls are adequate and they interact effectively with the technical infrastructure. This is a critical integration phase checkpoint because it is the last opportunity to identify security control weaknesses before implementation. The MA&SS organization is responsible for conducting security testing and identifying security weaknesses on new systems.
The IRS’ security testing identified several security weaknesses
but not all identified weaknesses were corrected. For example, the IRS’ security testing of the
modernization systems we reviewed identified
incorrect registry and file permissions on all Microsoft Windows computers for
two systems. Although the IRS considered
this weakness to be a moderate risk, it accepted the risks and did not correct
the weakness prior to implementation. Based
on the circumstances at the time, the decision to implement without correcting
the weakness may have been appropriate.
However, addressing the weakness earlier in development would have
precluded the IRS from having to accept the associated risks and from
potentially incurring additional costs to correct it after implementation.
The IRS’ testing process could also be enhanced. The IRS limited its testing tools to two products which were developed to test for compliance with IRS standards. The IRS believes its testing methodology adequately addresses security. While we agree the tools used by the IRS are effective, additional security vulnerabilities could be identified using additional cost-effective tools. For example, one free off-the-shelf program evaluates Microsoft Windows workstations for security vulnerabilities. Using this program, we found over 63 percent of the IRS’ Microsoft Windows workstations systems were missing at least 1 critical security patch. The SANS Top 20 Internet Security Vulnerabilities list recommends several additional security testing tools to assist organizations in identifying vulnerabilities.
Furthermore, the IRS’ security tests could have been conducted more efficiently. For example, test commands for mainframe computers were entered manually into the system to gather data. Manual entry of commands is a very time-consuming process and, given the size of the modernization security database, inefficient and ineffective. The modernization mainframe computers already have software installed that could be used to generate test reports more efficiently.
To address the testing of security controls for modernization systems in the integration phase, the Chief, MA&SS, should:
5. Enhance the Security Test and Evaluation process to include the use of additional off-the-shelf security testing tools to identify security vulnerabilities. More efficient tools that are already available to the IRS for generating test reports should also be used.
Management’s
Response: The Deputy Director of Certification,
Testing, Evaluation, and Assessment will review the IRS’ internal process and
determine if additional tools can be used to better check systems controls.
Appendix I
Detailed Objective, Scope, and Methodology
The objective of our review was to evaluate the Internal Revenue Service’s (IRS) process for incorporating computer security controls into modernization systems. To accomplish this objective, we:
I.
Judgmentally selected
a sample of three modernization projects that had been implemented (the
Internet Refund Fact of Filing, e-Services, and Modernized e-File) and two
projects being developed (the Customer Account Data Engine and the Custodial
Accounting Project). Currently, there
are over 21 modernization projects consisting of business projects,
infrastructure projects, and data projects.
We used a judgmental sample because we were not planning to project the
audit results. For the three implemented
systems, we used software tools to evaluate operating system security settings
for the systems at the Martinsburg Computing Center (MCC). We recorded any security weaknesses found in
these systems.
A.
Obtained and reviewed
the most recent Security Test and Evaluation plans and reports and Rational
Database Security tests.
B.
Compared security
vulnerabilities identified by the IRS and our audit team and conducted further
research to determine whether the problem occurred before or after security
testing was conducted.
II.
If a security
vulnerability identified in Step I occurred prior to testing, determined why
the vulnerability was not reduced or corrected during the design phase.
A.
Obtained and reviewed
the Systems Requirements Report, Security Risk Assessment, Security
Plan, Technical Model View, Physical Technology Model View, and the Version Description Document for the three implemented modernization
systems we selected to evaluate the adequacy of the information provided.
B.
Determined whether the
same vulnerabilities existed in the two projects being developed by reviewing applicable
documentation and executing tests conducted in Step I.
III.
Determined whether
audit trails were functioning for the modernization systems we reviewed.
A.
Followed up on a prior
Treasury Inspector General for Tax Administration audit report to determine
whether actions had been taken to provide audit trail data for modernization
systems, including the e-Services, Modernized e-File, and Internet Refund Fact
of Filing projects.
B.
Interviewed MCC
officials regarding the availability and use of audit trail data for the
Customer Account Data Engine system.
IV.
Determined whether the
modernization systems had adequate contingency plans.
A.
Evaluated the adequacy
of available Disaster Recovery Plans for each system in our sample.
B.
Ascertained whether
disaster recovery training had been provided to responsible officials.
C.
Determined whether
disaster recovery plans were maintained off-site.
D.
Determined whether
disaster recovery requirements were included in the Enterprise Life Cycle.
V.
Evaluated the
effectiveness of IRS security testing.
For vulnerabilities identified by the IRS, we determined whether the
problems were corrected, waived, or neglected.
A.
Reviewed the IRS’
processes and controls over security testing.
B.
Evaluated the testing
methodology for the three implemented modernization systems to determine
whether the testing was adequate.
C.
Reviewed the tests to determine
whether information was correctly recorded and tested.
Appendix II
Major
Contributors to This Report
Margaret E. Begg, Assistant Inspector General for Audit (Information
Systems Program)
Stephen Mullins, Director
Thomas
Polsfoot, Audit Manager
Cari Fogle, Senior
Auditor
Myron Gulley, Senior
Auditor
Michael Howard, Senior
Auditor
Jimmie Johnson, Senior Auditor
Jacqueline Nguyen,
Senior Auditor
Midori Ohno, Senior
Auditor
Larry Reimer, Senior
Auditor
Appendix III
Commissioner C
Office of the
Commissioner – Attn: Chief of Staff C
Deputy Commissioner
for Operations Support OS
Associate Chief
Information Officer, Business Systems Modernization OS:CIO:B
Associate Chief
Information Officer, Information Technology Services OS:CIO:I
Director,
Acting Director,
Regulatory Compliance OS:MA:RC
Acting Director,
Strategy, Program Management, and Personnel Security OS:MA:SP
Chief Counsel CC
National Taxpayer
Advocate TA
Director, Office of
Legislative Affairs CL:LA
Director, Office of
Program Evaluation and Risk Analysis
RAS:O
Office of
Management Controls OS:CFO:AR:M
Audit Liaisons:
Chief Information
Officer OS:CIO
Chief,
Appendix
IV
Enterprise Life Cycle
Overview
The Enterprise Life Cycle (ELC) defines the processes, products, techniques, roles, responsibilities, policies, procedures, and standards associated with planning, executing, and managing business change. It includes redesign of business processes; transformation of the organization; and development, integration, deployment, and maintenance of the related information technology applications and infrastructure. Its immediate focus is the Internal Revenue Service (IRS) Business Systems Modernization (BSM) program. Both the IRS and its contractors must follow the ELC in developing/acquiring business solutions for modernization projects.
The life-cycle processes of the ELC are divided into
six phases, as described below:
·
Vision and Strategy - This phase establishes the
overall direction and priorities for business change for the enterprise. It also identifies and prioritizes the
business or system areas for further analysis.
·
Architecture - This phase establishes the
concept/vision, requirements, and design for a particular business area or
target system. It also defines the
releases for the business area or system.
·
Development - This phase includes the
analysis, design, acquisition, modification, construction, and testing of the
components of a business solution. This
phase also includes routine planned maintenance of applications.
·
Integration - This phase includes the
integration, testing, piloting, and acceptance of a release. In this phase, the integration team brings
together individual work packages of solution components developed or acquired
separately during the Development phase. Application and technical
infrastructure components are tested to determine if they interact
properly. If appropriate, the team
conducts a pilot to ensure all elements
of the business solution work together.
·
Deployment - This phase includes
preparation of a release for deployment and actual deployment of the release to
the deployment sites. During this phase,
the deployment team puts the solution release into operation at target sites.
·
Operations and Support - This phase addresses the ongoing
operations and support of the system. It
begins after the business processes and system(s) have been installed and have
begun performing business functions. It
encompasses all of the operations and support processes necessary to deliver
the services associated with managing all or part of a computing environment.
The Operations and Support phase includes the scheduled activities, such as planned maintenance, systems backup, and production output, as well as the nonscheduled activities, such as problem resolution and service request delivery, including emergency unplanned maintenance of applications. It also includes the support processes required to keep the system up and running at the contractually specified level.
Besides the life-cycle processes, the ELC also
addresses the various management areas at the process level. The management areas include:
·
IRS Governance and
Investment Decision Management - This area is responsible
for managing the overall direction of the IRS, determining where to invest, and
managing the investments over time.
·
Program Management and
Project Management - This area is responsible for organizing, planning,
directing, and controlling the activities within the program and its
subordinate projects to achieve the objectives of the program and deliver the
expected business results.
·
Architectural
Engineering/Development Coordination - This area is responsible
for managing the technical aspects of coordination across projects and
disciplines, such as managing interfaces, controlling architectural changes,
ensuring architectural compliance, maintaining standards, and resolving issues.
· Management Support Processes - This area includes common management processes, such as quality management and configuration management that operate across multiple levels of management.
The ELC establishes a set of repeatable processes and a system of milestones, checkpoints, and reviews that reduce the risks of system development, accelerate the delivery of business solutions, and ensure alignment with the overall business strategy. The ELC defines a series of milestones in the life-cycle processes. Milestones provide for “go/no-go” decision points in the project and are sometimes associated with funding approval to proceed. They occur at natural breaks in the process where there is new information regarding costs, benefits, and risks and where executive authority is necessary for next phase expenditures.
There are five milestones during the project life cycle:
·
Milestone 1 - Business Vision and Case for Action.
In
the activities leading up to Milestone 1, executive leadership identifies the
direction and priorities for IRS business change. These guide which business areas and system
development projects are funded for further analysis. The primary decision at Milestone 1 is to
select BSM projects based on both the enterprise-level Vision and Strategy and
the enterprise architecture.
·
Milestone 2 - Business Systems Concept and Preliminary
Business Case. The activities leading up to
Milestone 2 establish the project concept, including requirements and design
elements, as a solution for a specific business area or business system. A preliminary business case is also produced. The primary decision at Milestone 2 is to approve
the solution/system concept and associated plans for a modernization initiative
and to authorize funding for that solution.
·
Milestone 4 - Business Systems Development and
·
Milestone 5 - Business Systems Deployment and
Postdeployment Evaluation. In the activities leading up
to Milestone 5, the business solution is fully deployed, including delivery of
training on use and maintenance. The
primary decision at Milestone 5 is to authorize the release of
performance-based compensation based on actual, measured performance of the
business system.
Appendix V
Description of
Modernization Projects Reviewed
e-Services - The e-Services is a suite of web-based products that will allow tax
professionals and taxpayers to do business with the IRS electronically.
The Internet Refund Fact of Filing (IRFOF) – The IRFOF is a web-based
application that provides Form 1040-series taxpayers with refund status via the
Internet. The Form 1040 series involves
individual taxpayers.
Modernized e-File (MeF) - The MeF provides taxpayers the option to
electronically file a U.S. Corporation Income Tax Return (Form 1120), U.S.
Income Tax Return for an S Corporation (Form 1120S), U.S. Income Tax Return for
Certain Political Organizations (Form 1120-POL), Return of Organization Exempt
From Income Tax (Form 990), Short Form Return of Organization Exempt From
Income Tax (Form 990-EZ), and Application for Extension of Time To File an
Exempt Organization Return (Form 8868) through the Internet.
The Custodial
Accounting Project (CAP) - The CAP will be a single, integrated data repository
of taxpayer account information, integrated with the general ledger and
accessible for management analysis and reporting. The IRS cancelled this project in January
2005.
The Customer Account Data Engine
(CADE) - The CADE is an online
modernization data infrastructure that will house the authoritative taxpayer
account and return.
Appendix VI
Management’s Response to the
Draft Report
The response was
removed due to its size. To see the
response, please go to the Adobe PDF version of the report on the TIGTA Public
Web Page.