TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected

September 2005

Reference Number: 2005-20-184

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Web Site | http://www.tigta.gov

September 30, 2005

 

 

MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
      Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected (Audit # 200520005)

This report presents the results of our review of security of Federal tax information provided to State agencies.  The overall objective of this review was to determine whether State tax agencies were protecting Federal tax information from unauthorized use and disclosure.

Section 6103 of the Internal Revenue Code[1] requires the Internal Revenue Service (IRS) to disclose Federal tax information to various State and Federal Government agencies.  State tax agencies can use this information to identify nonfilers of State tax returns, determine discrepancies in the reporting of income, locate delinquent taxpayers, and determine whether IRS adjustments have State tax consequences.  Due to the sensitivity of Federal tax information and the potential for its misuse for identity theft, the States are required to have adequate controls in place to prevent unauthorized disclosures of the tax information.

Synopsis

In February 2003, we issued a report[2] in which we concluded that Federal tax information was at risk while in the possession of State tax agencies.  We recommended the IRS broaden the scope of its reviews of States receiving Federal tax information to include a more comprehensive review of computer security and hire or develop an adequate number of technically proficient staff to conduct those reviews.  The IRS agreed with each of our recommendations.

In this review, we visited four large State tax agencies to which the IRS sends Federal tax information.  At all four agencies, we identified significant weaknesses in physical security, user account management, access controls, audit trails, intrusion detection, and firewall systems.  These weaknesses place Federal tax information at increased risk of unauthorized use or theft.  Hackers and unscrupulous State government employees could exploit these security weaknesses to gain unauthorized access to tax data.

The IRS requires the States to review security controls and submit the test results annually to the IRS.  The reviews conducted by the States, however, do not adequately assess whether security controls are in place.  The reviews performed by the four State tax agencies we visited did not identify the security weaknesses we found.  In addition, the scopes of the States’ reviews did not comply with the Federal Information Security Management Act (FISMA),[3] which requires users of Federal tax data to test security controls annually using National Institute of Standards and Technology (NIST)[4] guidance.

The IRS has made improvements in its reviews of the States’ security controls.  The most significant change was reassigning responsibility for these reviews from the Office of Governmental Liaison and Disclosure, within the Communications and Liaison Division, to the Office of Mission Assurance and Security Services (MA&SS).

MA&SS organization computer security specialists followed guidelines, prepared by a contractor, in reviewing the security controls at the States.  These guidelines represent a significant improvement from past practices by testing for more vulnerabilities.  However, they still do not comply with the NIST guidelines used for testing information systems in accordance with the FISMA.

Additionally, the management information system used by the MA&SS organization to monitor the status of corrective actions does not have the capability to record the corrective actions or the proposed completion dates of those actions.  The States, then, are not held accountable for addressing weaknesses found during their tests and the tests conducted by the MA&SS organization.

Recommendations

To reduce the opportunities for unauthorized use of Federal tax information at State agencies, we recommended the Chief, MA&SS, obtain a formal decision from the Office of Management and Budget (OMB) as to the application of the FISMA computer security requirements to State agencies that receive Federal tax information.  We recommended the Chief, MA&SS, require States to submit more useful and in-depth annual self-assessments using Recommended Security Controls for Federal Information Systems (NIST Special Publication 800-53).  These self-assessments should be used by the MA&SS organization to better focus the scope of its reviews, resulting in a more efficient use of resources.  Additionally, if FISMA requirements are determined to apply to State agencies receiving Federal tax information, the Chief, MA&SS, should require the States to submit the same documents required of Federal Government agencies to enable the MA&SS organization to monitor corrective actions and follow up on prior issues identified.

To improve the scope of reviews over States’ security controls, we recommended the Chief, MA&SS, ensure the IRS’ reviews of States follow NIST Special Publication 800-53 guidance.  Finally, we recommended the Chief, MA&SS, assign additional staffing to oversee the States’ controls.

Response

The Chief, MA&SS, does not believe that FISMA requirements apply to State agencies receiving Federal tax information, primarily because the agencies do not use the tax information on behalf of the IRS.  Therefore, the Chief, MA&SS, disagreed with our first recommendation and did not seek a formal opinion from the OMB on this matter.  Although the Chief, MA&SS, disagreed that FISMA requirements apply to the States, he agreed to revise Tax Information Security Guidelines for Federal, State and Local Agencies (Publication 1075) to incorporate the recommended security controls described in NIST Special Publication 800-53.  Also, the MA&SS organization will use Plans of Actions and Milestones as part of a new process to better manage recommended corrective actions.  In addition, the Chief, MA&SS, will improve the scope of IRS Safeguard Reviews by incorporating appropriate NIST Special Publication 800-53 security controls into the computer security Safeguard Review process.  Finally, the Chief, MA&SS, agreed with our recommendation to assign additional staffing to oversee the States’ controls and will determine the staffing needs for the additional workload items presented in this report.  In the interim, MA&SS organization personnel have been identified to assist in conducting the computer security reviews.  Management’s complete response to the draft report is included as Appendix IV.

Office of Audit Comment

We do not agree with the IRS that FISMA requirements do not apply to State agencies receiving Federal tax information.  Based on FISMA reporting guidance provided by the OMB for Fiscal Year 2005, we believe the OMB intends for the FISMA requirements to apply to State agencies receiving Federal tax information.  To resolve this matter, we have requested a formal opinion from the OMB.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions, or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background

Results of Review

Computer Weaknesses Continue to Exist at State Tax Agencies, Jeopardizing the Security of Federal Tax Information

Recommendation 1:

Recommendations 2 and 3:

Recommendation 4:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management’s Response to the Draft Report

Background

Section 6103 of the Internal Revenue Code[5] requires the Internal Revenue Service (IRS) to disclose Federal tax information to various State and Federal Government agencies.  State tax agencies can use this information to identify nonfilers of State tax returns, determine discrepancies in the reporting of income, locate delinquent taxpayers, and determine whether IRS adjustments have State tax consequences.

As a condition for receiving Federal tax information, State tax agencies must have physical and computer system safeguards designed to prevent unauthorized accesses and use of this information.  Before a State tax agency receives Federal tax information, it must submit a Safeguard Procedures Report to the IRS for approval.  The Report describes how the State will protect and safeguard the tax information.  In addition, States are required to annually file a Safeguard Activity Report to report any changes to their safeguard procedures, advise the IRS of future actions that will affect safeguard procedures, and certify they are protecting the data.

The Federal Information Security Management Act (FISMA)[6] also requires the IRS to provide oversight to ensure the States have adequate security controls in place to protect Federal tax information.  The IRS is responsible for overseeing security over Federal tax information for 276 Federal Government and State entities.  Balancing priorities is clearly an issue; however, the Office of Management and Budget (OMB) has stressed the need for oversight of entities receiving sensitive Federal Government information and evaluates agencies’ oversight activities through the FISMA reporting process.

Prior to October 2003, the IRS Office of Governmental Liaison and Disclosure, within the Communications and Liaison Division, had primary responsibility for ensuring security over tax information provided to State and Federal Government agencies.  In October 2003, this oversight responsibility was shifted to the Office of Mission Assurance and Security Services (MA&SS).

In February 2003, we issued a report[7] in which we concluded that Federal tax information was at risk while in the possession of State agencies.  We recommended the IRS broaden the scope of its reviews of States receiving Federal tax information to include a more comprehensive review of computer security and hire or develop an adequate number of technically proficient staff to conduct those reviews.  The IRS agreed with each of our recommendations.

This review was performed at the MA&SS organization offices in the IRS National Headquarters in Washington, D.C., during the period December 2004 through May 2005.  We also visited and reviewed security at four large State tax agencies in Michigan, Illinois, New York, and Texas that receive Federal tax information.  We did not review the security of the data being shared with nontax State agencies or Federal Government agencies.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

Results of Review

Computer Weaknesses Continue to Exist at State Tax Agencies, Jeopardizing the Security of Federal Tax Information

We identified significant security weaknesses at all four State tax agencies we reviewed.  These weaknesses provide opportunities for hackers, disgruntled employees, and contractors to access Federal tax information for unauthorized use and identity theft purposes.  The weaknesses continue because the States’ self-assessments of security controls have not been adequate.  In addition, while the IRS has improved its reviews of States’ security controls, more oversight is needed.

Controls to prevent hackers from attacking States’ networks from the Internet are not adequate

Security weaknesses at Internet connections give hackers opportunities to gain unauthorized entry into the internal network.  In accordance with the FISMA, the National Institute of Standards and Technology (NIST)[8] requires Federal Government agencies and those entities receiving Federal tax information to protect networks at Internet connections.  Generally, firewall computers and routers stop unauthorized traffic from traveling from the Internet to an internal, trusted network.  Intrusion detection systems detect inappropriate, incorrect, or unusual activity on a network.

We identified security weaknesses at Internet connections at all four State tax agencies we reviewed.  The following weaknesses result in the States being unnecessarily vulnerable to attacks by hackers:

  • Firewall computers were not optimally configured and maintained to minimize the possibility of an attack.
  • Password controls on firewalls and routers were weak.  User names and passwords were not required on some equipment and were sometimes shared by system administrators.  Unique user names and passwords help identify persons responsible for changes to router settings.  These weaknesses could allow unauthorized personnel to access connection components and make unauthorized configuration changes.
  • Activity logs and audit trail logs that contain details of accesses to systems were not reviewed and analyzed.  Consequently, the States were hindered in identifying and investigating potential attacks.
  • Intrusion detection capabilities had not been installed at all connections.  Intrusion detection systems provide an organization the ability to monitor activity on its network and look for suspicious and unauthorized actions.

Controls to prevent disgruntled employees and contractors from exploiting States’ networks are not adequate

Employees and contractors usually have more knowledge of systems than hackers and, as a result, can often cause more damage.  Sufficient management, operational, and technical controls are required for each system to limit the opportunities for misuse of data.  We identified security weaknesses at all four State tax agencies that increased the risk that disgruntled employees and contractors with access to the States’ networks could gain unauthorized access to Federal tax information.  Specifically:

  • Compact discs containing Federal tax information were stored in cabinets that remained unlocked during work hours.  Packages containing tapes with tax information were opened in the mail room and left unsecured prior to delivery.  Inventory controls were not in place for a significant number of compact discs on hand and backup tapes stored offsite.  Employees’ duties were not separated among receiving, accounting for, and inventorying tapes.  These practices make the tax information more susceptible to theft. 
  • States could not determine when employees last accessed systems containing Federal tax information.  
  • Employees who no longer needed access to systems still had active user accounts.
  • End users’ requests for access to Federal tax information were not documented.
  • One State had not provided logon warning messages to end users regarding the consequences of misusing or inappropriately accessing Federal tax information.
  • None of the four State tax agencies reviewed audit trails to detect inappropriate access to Federal tax information. 
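The account-management and audit-trail findings above (unknown last-access dates, active accounts for departed employees, undocumented access requests, unreviewed audit trails) are the kind a routine review script can surface.  The following Python is an added example written for this page, not code from the report or from any State agency; it assumes a constructed account export and a constructed log-line format, and every user, system and date in it is invented.

```python
"""Account-hygiene and audit-trail checks over constructed data (added example)."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user: str
    active: bool                      # still enabled on the system
    documented_request: bool          # an approved access request is on file
    separation_date: Optional[date]   # None while the person is still employed


@dataclass
class AccessEvent:
    when: datetime
    user: str
    system: str
    action: str


def parse_audit_log(lines: List[str]) -> List[AccessEvent]:
    """Parse assumed lines "<YYYY-MM-DD> <HH:MM:SS> <user> <system> <action>"; bad lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        events.append(AccessEvent(when, parts[2], parts[3], parts[4]))
    return events


def last_access_by_user(events: List[AccessEvent]) -> Dict[str, datetime]:
    """The question the States could not answer: when did each user last access the data?"""
    last: Dict[str, datetime] = {}
    for e in events:
        if e.user not in last or e.when > last[e.user]:
            last[e.user] = e.when
    return last


def review_accounts(accounts: List[Account], events: List[AccessEvent],
                    as_of: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every active account that needs attention."""
    last = last_access_by_user(events)
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.active:
            continue  # disabled accounts are already handled
        if acct.separation_date is not None:
            findings.append((acct.user, "active account for separated employee"))
            # Audit-trail review: any access after the separation date is a red flag.
            for e in events:
                if e.user == acct.user and e.when.date() > acct.separation_date:
                    findings.append((acct.user, f"access to {e.system} after "
                                     f"separation on {e.when:%Y-%m-%d}"))
                    break
        if not acct.documented_request:
            findings.append((acct.user, "no documented access request"))
        seen = last.get(acct.user)
        if seen is None:
            findings.append((acct.user, "no recorded access; last-access date unknown"))
        elif (as_of - seen.date()).days > stale_days:
            findings.append((acct.user, f"no access in {stale_days} days (last {seen:%Y-%m-%d})"))
    return findings


# Constructed sample data; users, systems and dates are invented for this example.
SAMPLE_ACCOUNTS = [
    Account("asmith", True, True, None),
    Account("bjones", True, True, date(2005, 2, 28)),  # separated, never disabled
    Account("cwu", True, False, None),                  # no access request on file
    Account("dlee", True, True, None),                  # dormant account
    Account("eross", True, True, None),                 # never appears in the log
    Account("fkim", False, True, date(2004, 11, 30)),   # separated and disabled
]
SAMPLE_LOG = [
    "2005-05-10 09:12:44 asmith FTI-DB READ",
    "2005-02-20 08:00:00 bjones FTI-DB READ",
    "2005-03-03 18:40:01 bjones FTI-DB READ",
    "2005-01-05 14:03:27 dlee FTI-DB READ",
    "2005-05-12 10:05:19 cwu FTI-DB QUERY",
    "corrupt log line",
]
AS_OF = date(2005, 5, 31)


def run_sample_review() -> List[Tuple[str, str]]:
    """Run the checks over the constructed sample as of AS_OF."""
    return review_accounts(SAMPLE_ACCOUNTS, parse_audit_log(SAMPLE_LOG), AS_OF)
```

On the sample data the review flags bjones twice (still active, and an access after separation), cwu for the missing request, dlee as dormant and eross as never seen, while asmith and the already-disabled fkim produce no findings.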

 

The States’ self-assessments of security controls have not been adequate

We believe State agencies, as users of Federal tax information, are obligated to comply with the FISMA self-assessment security control requirements.  We suggest States use Recommended Security Controls for Federal Information Systems (NIST Special Publication 800-53) when performing self-assessments of security controls.  This Publication is applicable to all computers and systems containing sensitive data.  It clearly outlines key security issues and guides users to determine whether policies and procedures have been developed, implemented, and tested.  States should be required to submit these self-assessments annually with their Safeguard Activity Reports.  The MA&SS organization could then use the self-assessments to focus the scope of its reviews and potentially reduce the staffing required to test computer security controls.

The most recent Safeguard Activity Reports prepared by the four State tax agencies we reviewed do not adequately assess whether security controls are in place.  None of the four agencies used the NIST guidance, and the self-assessments they performed did not identify the security weaknesses we found.  The self-assessments were limited in scope and did not adequately describe the steps taken to evaluate the controls.

These cursory reviews do not provide assurance to the IRS that States are meeting their responsibilities for providing adequate computer security controls to protect Federal tax information.  The IRS has accepted the annual reports without enforcing existing requirements for reporting on controls.

The IRS Safeguard Reviews are inadequate and incomplete

The IRS’ most recent Safeguard Reviews of the four State tax agencies did not identify the weaknesses we found.  The IRS did not provide sufficient staffing to review States’ security controls, and the reviews that were conducted were not sufficiently in-depth to identify all critical control weaknesses.  In addition, the IRS did not use methods required by the FISMA to monitor actions to correct identified weaknesses.

One of the major considerations behind the transfer of responsibility for overseeing States’ security controls to the MA&SS organization was the availability of technically proficient information technology staff to conduct the technical portions of the IRS Safeguard Reviews.  However, due to budget constraints, only two computer security specialists were assigned to the MA&SS organization’s Safeguards Program.  Both specialists had been reassigned from the Office of Governmental Liaison and Disclosure.  The only additional staff provided by the MA&SS organization has been two individuals to perform ad hoc physical security reviews.  To supplement its staff, the MA&SS organization acquired contractor support for the technical portions of the Safeguard Reviews.  However, IRS procedures require the MA&SS organization to review the security over Federal tax information at least once every 3 years for approximately 276 Federal Government and State entities, thus requiring approximately 90 reviews each year.  In Fiscal Year 2004, the IRS conducted only 66 reviews, which included 26 State tax agencies, 32 State child support and welfare agencies, and 8 Federal Government entities.  Additional staffing is needed to meet the IRS’ oversight responsibilities.

In addition, the scope of the reviews was not sufficient.  The contractor hired by the IRS developed 15 matrices that are used by the MA&SS organization specialists and the contractor staff when evaluating the States’ computer security controls.  The matrices are designed to evaluate operating systems most commonly found in the States such as Windows 2000, Windows NT, and UNIX.

The matrices are an improvement from past practices because they test for more vulnerabilities.  However, the matrices do not address controls prescribed in NIST Special Publication 800-53.  Application controls are the last line of defense in protecting the IRS’ sensitive data.  In addition, several controls that require human involvement are still not addressed, such as ensuring employees with significant security responsibilities are adequately trained.  The matrices also do not address privacy issues, such as the unauthorized browsing and/or theft of Federal tax information while in the custody of the States.

We also determined the MA&SS organization’s management information system does not track the corrective actions planned by the agencies under review, nor does it track the actual corrective action completion dates.  The FISMA requires agencies to formulate Plans of Actions and Milestones to record all identified security weaknesses, list specific corrective actions to address those weaknesses, and include dates by which those corrective actions will be completed.

The management information system used by the MA&SS organization to monitor the status of corrective actions does not have the capability to record the corrective actions or the proposed completion dates of those actions.  The States, then, are not held accountable for addressing weaknesses found during their tests and the tests conducted by the MA&SS organization.  As a result, the IRS cannot be certain that deficiencies found during Safeguard Reviews are timely and efficiently corrected.

Recommendations

To reduce the opportunities for unauthorized use of Federal tax information at State agencies, the Chief, MA&SS, should:

Recommendation 1:  Obtain a formal decision from the OMB as to the application of the FISMA computer security requirements for systems at State agencies that receive Federal tax information.

Management’s Response:  The Chief, MA&SS, disagreed with this recommendation stating that, currently, FISMA legislation and the applicable NIST standards are not mandated for the State agencies receiving Federal tax information because the State agencies do not use the information for the benefit, aid, or support of the IRS.  In addition, State agencies are not accessing, connecting to, or using IRS major information systems to collect, maintain, process, store or transmit this information for, or on behalf of, the IRS.

Office of Audit Comment:  We do not agree with the IRS that FISMA requirements do not apply to State agencies receiving Federal tax information.  FISMA reporting guidance provided by the OMB states, “… agency IT security programs apply to all organizations (sources) which possess or use Federal information – or which operate, use, or have access to Federal information systems – on behalf of a Federal agency.  Such other organizations may include contractors, grantees, State and local governments, industry partners, etc.”  Later in the same paragraph, the guidance states, “Agencies must develop policies for information security oversight of contractors and other users with privileged access to Federal data.  Agencies must also review the security of other users with privileged access to Federal data and systems.”  Although the States may not be using the data on behalf of the IRS, they clearly have privileged access to the data and, therefore, we believe the OMB intends for the States to be included in the IRS’ security program.  To resolve this issue, we have requested a formal opinion from the OMB.  

Recommendation 2:  If States receiving Federal tax information are required to comply with the FISMA requirements, require States to submit more useful and in-depth self-assessments annually, using NIST Special Publication 800-53, with their Safeguard Activity Reports.  These self-assessments should be used by the MA&SS organization to better focus the scope of its Safeguard Reviews, resulting in a more efficient use of resources.  Additionally, as part of the oversight of entities receiving Federal tax information, the Chief, MA&SS, should require the States to submit Plans of Actions and Milestones to track corrective actions at the States and follow up on prior issues identified.

Management’s Response:  Although the Chief, MA&SS, disagreed that the FISMA requirements apply to State agencies receiving Federal tax information, he agreed to revise Tax Information Security Guidelines for Federal, State and Local Agencies (Publication 1075) to incorporate the recommended security controls described in the NIST Special Publication 800-53.  The MA&SS organization will use Plans of Actions and Milestones as part of a new process to better manage recommended corrective actions.

Recommendation 3:  Improve the scope of the IRS Safeguard Reviews by following NIST Special Publication 800-53 guidance.

Management’s Response:  The Chief, MA&SS, agreed with this recommendation and will incorporate NIST Special Publication 800-53 standards into the computer security Safeguard Review process.  However, the Chief, MA&SS, stated that, because the States are not subject to the FISMA, it may not be practical to incorporate all of the recommended controls from NIST Special Publication 800-53 into the Safeguard Review methodology.  IRS Publication 1075 will be updated to incorporate the viable recommended security controls in NIST Special Publication 800-53, allowing for some flexibility in the requirements imposed for the States as appropriate.

Recommendation 4:  Assign more staffing to the MA&SS organization’s Safeguards Program so adequate oversight can be provided to the States.

Management’s Response:  The Chief, MA&SS, agreed with this recommendation and will determine the staffing needs for the additional workload items presented in this report.  In the interim, MA&SS organization personnel have been identified to assist in conducting the computer security reviews.

Appendix I

Detailed Objective, Scope, and Methodology

The objective of this review was to determine whether State tax agencies were protecting Federal tax information from unauthorized use and disclosure.  To accomplish this objective, we:

I. Visited four large State tax agencies located in Michigan, Illinois, New York, and Texas to review physical and computer security controls over Federal tax information.  From a population of 50 States, we selected the 4 most populous States that the IRS had not scheduled for review in Fiscal Years 2004 and 2005.

   A. Reviewed the States’ physical security over Federal tax information.

   B. Reviewed the States’ controls over access to Federal tax information.

   C. Determined whether the States used audit trails to detect improper accesses to computers used to process and store Federal tax information.  We determined whether audit trails were turned on and reviewed on a regular basis.

   D. Determined whether the States used firewalls to prevent improper access to computers that process and store Federal tax information.

   E. Determined whether intrusion detection systems were used to continuously monitor systems that process and store Federal tax information and how intrusion detection systems were deployed.

   F. Determined the extent to which the States self-reviewed their systems.

II. Reviewed coverage given to computer security during the Internal Revenue Service Safeguard Reviews.

   A. Reviewed procedures and guidelines used by Internal Revenue Service reviewers and computer security specialists for performing Safeguard Reviews and for performing the computer security portion of Safeguard Reviews.

   B. Reviewed the coverage given to computer security during Safeguard Reviews.  We obtained documentation on Safeguard Reviews for the four State tax agencies.

III. Reviewed the Mission Assurance and Security Services organization’s monitoring of corrective actions.  We determined how it ensured State tax agencies implemented meaningful and timely corrective actions to computer security deficiencies in Safeguard Review Reports.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Stephen R. Mullins, Director

Gerald H. Horn, Audit Manager

Dan Ardeleano, Senior Auditor

Bret D. Hunter, Senior Auditor

Louis Lee, Senior Auditor

Abraham Millado, Senior Auditor

Joan Raniolo, Senior Auditor

Appendix III

Report Distribution List

Commissioner  C

Office of the Commissioner – Attn.: Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Management Controls  OS:CFO:AR:M

Audit Liaison:  Chief, Mission Assurance and Security Services  OS:MA

Appendix IV

Management’s Response to the Draft Report

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

[1] Internal Revenue Code § 6103 (2003).

[2] Computer Security Weaknesses at State Agencies Put Federal Tax Information at Risk (Reference Number 2003-20-064, dated February 2003).

[3] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

[4] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.

[5] Internal Revenue Code § 6103 (2003).

[6] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

[7] Computer Security Weaknesses at State Agencies Put Federal Tax Information at Risk (Reference Number 2003-20-064, dated February 2003).

[8] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.