TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Monitoring of PRIME Contractor Access to Networks and Data Needs to Be Improved

 

 

 

September 2005

 

Reference Number:  2005-20-185

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

 

Web Site | http://www.tigta.gov

 

September 29, 2005

 

 

MEMORANDUM FOR   CHIEF INFORMATION OFFICER
                 CHIEF, MISSION ASSURANCE AND SECURITY SERVICES
                 DIRECTOR, PROCUREMENT

FROM:            Pamela J. Gardiner /s/ Pamela J. Gardiner
                 Deputy Inspector General for Audit

SUBJECT:         Final Audit Report – Monitoring of PRIME Contractor Access to Networks and Data Needs to Be Improved (Audit # 200520002)

 

This report presents the results of our review of the monitoring of contractor access to networks and data.  The overall objective of this review was to determine whether Internal Revenue Service (IRS) management implemented adequate controls over the PRIME contractor’s[1] access to IRS networks and data.

The IRS has about 900 contracts with private contractors.  Many of these contractors must be given access to IRS computer systems and taxpayer data to complete their tasks, particularly those tasks that involve developing sensitive computer systems and providing computer hardware and software.  In accordance with the Federal Information Security Management Act (FISMA),[2] contractors are subject to the same security standards, guidelines, and oversight that are required for Federal Government agencies.  Without adequate oversight by the IRS, there is a significant risk of misuse or disclosure of confidential data as well as possible sabotage to these critical systems.

In March 2004, we reported[3] that contractors were not complying with certain IRS security procedures and IRS procurement officials were not aware of the security regulations pertaining to the contractors they were assigned to oversee.  In this audit, we followed up on prior recommendations and focused on work performed by the PRIME contractor.

Synopsis

During Calendar Year 2004, PRIME contractor personnel claimed they were not being granted timely access to systems, which affected their ability to efficiently perform their duties.  As a result, the IRS gave the PRIME contractor the authority to add, delete, and modify its own employees’ user accounts on IRS systems.  Our review showed that the PRIME contractor added 199 user accounts without any oversight by the IRS during this 1-year period.  The IRS, by allowing the PRIME contractor to approve access for its own employees with no oversight, did not comply with the FISMA.

In January 2005, to regain control of the PRIME contractor’s access to IRS systems and data, the IRS assigned an employee to review all requests for PRIME contractor personnel to be added to or deleted from IRS systems.  However, access was granted solely on the request of the PRIME contractor with no justification required.  We do not believe it is feasible to place this responsibility with one person who could not possibly be aware of the PRIME contractor’s access needs for each contract.

IRS procurement officials, specifically Contracting Officer’s Technical Representatives (COTR), should be responsible for granting contractor employees access to IRS systems.  Our findings in this audit indicate these Procurement function officials are still not fulfilling their responsibilities.  More actions are needed to ensure contractors’ access to IRS systems is limited to those who need it to accomplish their responsibilities and is monitored to detect any unauthorized activity.

The IRS worked with the PRIME contractor during January 2005 to identify over 1,000 separated contractor employees who no longer needed access but who could still sign on to IRS systems.  As of May 2005, most of these accounts had been deactivated, but 160 of these contractor employees still had access to IRS systems.

We also found no documentation to indicate the IRS was monitoring the activities of PRIME contractor employees when they were accessing IRS systems.  As a result, the risk of undetected security violations is increased.  A security specialist stated that audit trails are reviewed; however, the reviews are not documented.

The PRIME contractor has remote access to the IRS network so it can perform much of its systems development and test procedures from its offices in the Maryland Technology Center in New Carrollton, Maryland.  We determined the data link between the PRIME contractor’s offices and the IRS was properly encrypted and physical security at the Maryland Technology Center was adequate.

Recommendations

We recommended the Chief Information Officer, in coordination with the Director, Procurement, ensure procurement officials obtain sufficient justification from the PRIME contractor before network access is granted.  Also, a quarterly review of the active access account list should be performed to ensure accounts no longer needed are promptly disabled.  In addition, the Chief, Mission Assurance and Security Services, should ensure audit trail reviews of contractor activity are conducted as prescribed by IRS procedures.

Response

The IRS agreed with our recommendations.  Management stated a Memorandum of Understanding has been drafted outlining the roles and responsibilities of each office involved in ensuring contractor personnel gain access to only those systems needed to perform their work.  A list of applications needed by contractors will be provided for each PRIME contractor project and will be used by the IRS to determine whether contractors’ access requests should be granted.  The Director, Procurement, will require the PRIME contractor to submit a list of terminated employees and an active account list quarterly.  The IRS COTR will identify any accounts that are no longer needed, and the PRIME System Access Manager will deactivate those accounts.

The Chief, Mission Assurance and Security Services, stated that all contractor activities in the PRIME contractor test and development environment will be subject to the same monitoring tools used on any IRS processing environment.  In addition, specific instructions will be sent to administrators of production environment systems directing them to include a review of user access from the PRIME contractor test and development environment as a key component of their standard system auditing activities.  Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

 

 

Table of Contents

 

Background

Results of Review

Accesses to Systems Were Not Properly Authorized

Recommendations 1 through 3:

Data Transfers Were Properly Encrypted

Physical Security at the Maryland Technology Center Was Adequate

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management’s Response to the Draft Report

 

 

Background

 

The Internal Revenue Service (IRS) has about 900 contracts with private contractors.  Many of these contractors must be given access to IRS computer systems and taxpayer data to complete their tasks, particularly those tasks that involve developing sensitive computer systems and providing hardware and software.  In accordance with the Federal Information Security Management Act (FISMA),[4] contractors are subject to the same security standards, guidelines, and oversight that are required for Federal Government agencies.  Without adequate oversight by the IRS, there is a significant risk of misuse or disclosure of confidential data as well as possible sabotage to these critical systems.

In this audit, we focused on work performed by the PRIME contractor[5] for the IRS.  PRIME contractor employees have access to critical equipment and systems to perform their duties.  We evaluated the hardware and software access privileges, authentication requirements, monitoring of PRIME contractor activities, and security of connections between the PRIME contractor and the IRS computer systems.  We also evaluated the physical security for one contractor-owned work facility that contained a computer network with access to the IRS enterprise network.

This review was performed in the Modernization and Information Technology Services (MITS) organization offices at the Martinsburg Computing Center[6] in Martinsburg, West Virginia, and the contractor-owned Maryland Technology Center (MTC)[7] in New Carrollton, Maryland, during the period November 2004 through May 2005.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

Results of Review

 

Accesses to Systems Were Not Properly Authorized

 

To reduce the risks of unauthorized access to Federal tax information, the IRS requires that access to sensitive systems be limited to only those persons needing it to carry out their responsibilities.  The IRS requires employees to be formally authorized by a manager before accessing sensitive systems.  For contractor personnel, the need to access sensitive systems must first be acknowledged by an IRS Contracting Officer’s Technical Representative (COTR) who is responsible for overseeing contractor activities.  The COTR should then prepare the documentation to provide the contractor with access to the necessary IRS systems.

 

Authorizations for PRIME contractor accesses were not properly granted

 

During Calendar Year 2004, the IRS granted proxy rights to the PRIME contractor that allowed it to add, delete, and modify its own employees’ user accounts on IRS systems.  The Business Systems Modernization function of the MITS organization made this decision in response to a claim by PRIME contractor personnel that they were not being granted timely access to systems, which affected their ability to efficiently perform their responsibilities.

We reviewed accesses granted for applications[8] used by the PRIME contractor during 2004.  Of the 423 PRIME contractor personnel with user accounts for these applications, we identified:

  • User accounts added by the PRIME contractor without any approval or oversight by an IRS COTR or manager (128 user accounts).
  • User accounts added without any approval from an IRS COTR or manager or from the PRIME contractor (71 user accounts).  Of the 71 user accounts, 52 were supported only by an unsigned Information System User Registration/Change Request (Form 5081).  The IRS had no documentation showing how the other 19 user accounts had been added.

As a result, we could not determine who added the accounts to the systems or whether the need for access was justified.  The access decisions were made solely by the PRIME contractor.  The PRIME contractor managers given responsibility for granting access could not provide justification for those decisions.  We are coordinating with the COTRs responsible for overseeing contractor activities on the systems used by the PRIME contractor during 2004 to determine whether accesses by contractor personnel were justified.

In January 2005, to regain control of the PRIME contractor’s access to IRS systems and data, the IRS appointed a MITS organization employee as the PRIME System Access Manager, to review all requests for PRIME contractor personnel to be added to or deleted from IRS systems.  In the first 6 months after procedures were changed, 24 contractor personnel accounts were added to various applications.  For each of the 24 accounts, access was granted by the PRIME System Access Manager without acknowledgement from a COTR that access was needed.  Accesses were granted solely on the request of the PRIME contractor with no justification as to the need for access.  As a result, the IRS Manager granting access did not have sufficient information to determine whether the PRIME contractor employees needed access to complete their work or whether the level of access being granted was proper for the work to be completed.  We do not believe it is feasible to place this responsibility with one person who could not possibly be aware of the PRIME contractor’s access needs on each contract.

In March 2004, we reported[9] that contractors were not complying with certain IRS security procedures and IRS COTRs were not aware of the security regulations pertaining to the contractors they were assigned to oversee.  In that report, we recommended the Chief, Mission Assurance and Security Services, and the Chief, Agency-Wide Shared Services, ensure the COTRs carry out their responsibilities to periodically review contractor compliance with established security policies.  Management’s response stated the Mission Assurance and Security Services organization would review and update guidance for Contracting Officers and COTRs on applicable security policies.  This guidance was distributed to the COTRs to assist them in monitoring contractor activities.

Our findings in this audit indicate that COTRs are still not fulfilling their responsibilities to review contractor compliance with established security policies.  More actions are needed to ensure contractors’ access to IRS systems is limited to those who need it to accomplish their responsibilities and is monitored to detect any unauthorized activity.

In addition, the decision by Business Systems Modernization management to allow the PRIME contractor to approve access for its own employees with no oversight from the IRS is contrary to FISMA guidance.  FISMA Section 3544(b) requires each agency to provide security over “information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.”  The Office of Management and Budget (OMB) also states agencies must develop policies for information security oversight of contractors and must review the security of other users with privileged access to Federal Government data and systems.[10]

 

PRIME contractor user accounts were not removed when access was no longer required

 

In January 2005, the IRS Procurement function asked the PRIME contractor to identify its personnel who had either separated from the PRIME contractor or no longer worked on any of the applications reviewed but could still sign on to IRS systems.  The PRIME contractor identified 1,045 of its employees meeting these specifications.  As of May 2005, most of these accounts had been deactivated, but 160 of these contractor employees still had access to IRS systems, increasing the risk of unauthorized disclosures and disruptions of operations.  The IRS requires that accounts be deactivated when there is no longer a business need to access an IRS system.  The PRIME contractor did not comply with this requirement, and the IRS did not provide sufficient oversight to ensure PRIME contractor user accounts were promptly disabled when no longer needed.

 

Monitoring of PRIME contractor activity was not sufficient to determine whether data were properly secured

 

IRS policies require system activity to be monitored by producing and reviewing audit trail data.  We found no documentation to indicate the IRS personnel responsible for the security of computer systems are reviewing audit trails on computers used by the PRIME contractor.  As a result, the risk of undetected security violations is increased.  The security specialist stated that audit trail data are reviewed; however, the reviews are not documented.

 

Recommendations

 

Recommendation 1:  The Chief Information Officer, in coordination with the Director, Procurement, should ensure COTRs obtain sufficient documentation from the PRIME contractor to justify access to IRS systems.  Before granting access to a contractor employee, the PRIME System Access Manager should obtain acknowledgement from the respective COTR that the access is needed.

Management’s Response:  Management agreed with this recommendation, stating that a Memorandum of Understanding has been drafted outlining the roles and responsibilities of each office involved in the process of ensuring contractors gain access to only those systems needed to perform their work.  A list of applications needed by contractors will be provided for each PRIME project and will be used by the IRS to determine whether contractors’ access requests should be granted.

Recommendation 2:  The Chief Information Officer, in coordination with the Director, Procurement, should require the PRIME System Access Manager to review the active account list quarterly for all applications used by the PRIME contractor to ensure accounts no longer needed are promptly disabled.

Management’s Response:  Management agreed with this recommendation.  The Director, Procurement, will require the PRIME contractor to submit a list of terminated employees and an active account list quarterly.  The IRS COTR will identify any accounts that are no longer needed, and the PRIME System Access Manager will deactivate those accounts.

Recommendation 3:  The Chief, Mission Assurance and Security Services, should ensure audit trail reviews of contractor activity are conducted as prescribed by IRS procedures.

Management’s Response:  Management agreed with this recommendation.  The Chief, Mission Assurance and Security Services, stated that all contractor activities in the PRIME contractor test and development environment will be subject to the same monitoring tools used on any other IRS processing environment.  In addition, specific instructions will be sent to administrators of production environment systems directing them to include a review of user access from the PRIME contractor test and development environment as part of their standard system auditing activities.
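As an added illustration (not part of this report and not an IRS or PRIME contractor tool), the following Python reconciles a constructed active-account list against Form 5081 records with COTR acknowledgement, the contractor-submitted terminated-employee list, and the 45-day and 90-day dormancy thresholds used in Appendix I, producing the findings a PRIME System Access Manager would act on under Recommendations 1 and 2.  All user identifiers, records and finding codes are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Constructed sample data (not taken from the report). Each record models an
# artifact the report says should exist: the active-account list, a Form 5081
# per user/application carrying the contractor manager's signature and the
# COTR's acknowledgement of need, and the contractor's terminated-staff list.

@dataclass(frozen=True)
class Account:
    user_id: str
    application: str
    last_login: Optional[date]    # None = account has never been signed on to

@dataclass(frozen=True)
class AccessRequest:              # one Form 5081 per user/application pair
    user_id: str
    application: str
    signed: bool                  # contractor manager signed the form
    cotr_acknowledged: bool       # IRS COTR confirmed the need for access

@dataclass(frozen=True)
class Finding:
    user_id: str
    application: str
    code: str
    action: str

DORMANT_FLAG_DAYS = 45   # Appendix I.B thresholds: flag at 45 days, lock at 90
DORMANT_LOCK_DAYS = 90

def review_accounts(accounts: Iterable[Account], requests: Iterable[AccessRequest],
                    terminated: Iterable[str], review_date: date) -> List[Finding]:
    """Quarterly reconciliation: one pass over the active-account list,
    emitting findings in account order. Separated employees are reported
    once and not evaluated further, since their justification is moot."""
    by_key = {(r.user_id, r.application): r for r in requests}
    gone = set(terminated)
    findings: List[Finding] = []
    for a in accounts:
        if a.user_id in gone:
            findings.append(Finding(a.user_id, a.application, "SEPARATED",
                                    "deactivate immediately"))
            continue
        req = by_key.get((a.user_id, a.application))
        if req is None:
            findings.append(Finding(a.user_id, a.application, "NO_FORM_5081",
                                    "deactivate pending a signed request"))
        elif not req.signed:
            findings.append(Finding(a.user_id, a.application, "UNSIGNED_FORM_5081",
                                    "obtain contractor manager signature"))
        elif not req.cotr_acknowledged:
            findings.append(Finding(a.user_id, a.application, "NO_COTR_ACK",
                                    "obtain COTR acknowledgement of need"))
        # Dormancy is checked independently of paperwork: an approved but
        # unused account is still an exposure.
        idle = (review_date - a.last_login).days if a.last_login else None
        if idle is None or idle >= DORMANT_LOCK_DAYS:
            findings.append(Finding(a.user_id, a.application, "DORMANT_90",
                                    "lock account"))
        elif idle >= DORMANT_FLAG_DAYS:
            findings.append(Finding(a.user_id, a.application, "DORMANT_45",
                                    "confirm continued need with COTR"))
    return findings

def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per code for the quarterly report to the COTRs."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts

# Constructed inputs for a review dated 31 May 2005 (hypothetical user ids).
REVIEW_DATE = date(2005, 5, 31)
ACCOUNTS = [
    Account("p.alpha", "ITAMS", date(2005, 5, 20)),    # approved, active
    Account("p.bravo", "IFS", date(2005, 5, 1)),       # form on file but unsigned
    Account("p.charlie", "ITAMS", date(2005, 4, 10)),  # no form; idle 51 days
    Account("p.delta", "IFS", date(2005, 1, 15)),      # on terminated list
    Account("p.echo", "IFS", None),                    # no COTR ack; never used
    Account("p.foxtrot", "ITAMS", date(2005, 2, 1)),   # approved; idle 119 days
]
REQUESTS = [
    AccessRequest("p.alpha", "ITAMS", signed=True, cotr_acknowledged=True),
    AccessRequest("p.bravo", "IFS", signed=False, cotr_acknowledged=False),
    AccessRequest("p.echo", "IFS", signed=True, cotr_acknowledged=False),
    AccessRequest("p.foxtrot", "ITAMS", signed=True, cotr_acknowledged=True),
]
TERMINATED = ["p.delta"]

if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, REQUESTS, TERMINATED, REVIEW_DATE):
        print(f"{f.user_id:<10} {f.application:<6} {f.code:<19} {f.action}")
```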

 

Data Transfers Were Properly Encrypted

 

The PRIME contractor has remote access to the IRS network so it can perform much of its systems development and test procedures at its offices in the MTC.  The National Institute of Standards and Technology has determined that sensitive data should be encrypted if they are vulnerable to unauthorized disclosure.  IRS policy requires that encryption shall be used for transmitting sensitive but unclassified information among IRS facilities and between the IRS and other facilities. 

We determined the data link between the PRIME contractor’s offices and the IRS was properly encrypted.  We confirmed the software needed to encrypt and decrypt data transmitted between the two sites was in place and functioning.  As a result, the risk that data being transmitted between them could be intercepted was adequately reduced.

 

Physical Security at the Maryland Technology Center Was Adequate

 

We reviewed the adequacy of physical security at the MTC by inspecting all closets and work areas to determine whether they were secure and accessible only to authorized individuals.  The IRS requires that access to secure areas be closely monitored to prevent access by unauthorized personnel.  Access to these areas was controlled by the use of keycards and security cameras on each floor containing IRS hardware.

Our test of the external perimeter of the facility showed the following three security weaknesses:

  • The security guards did not request identification or ask that vendors sign in and out at the front gate when entering or exiting the facility.
  • The door to the MTC docking area leading into the facility was ajar.
  • A door adjacent to the docking area leading into the facility was ajar.

We informed MTC security personnel of these conditions and explained that a person with malicious intentions could enter through the front gate without being documented and proceed from the docking area into the MTC facility.  The security personnel concurred with our assessment and immediately began a logging procedure for guests and vendors entering through the front gate area.  In addition, an alarm was installed on the door leading to the docking area that would activate when the door was inappropriately accessed.  With these changes in place, we found that physical security at the MTC was adequate.  No other corrective actions are recommended.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether Internal Revenue Service (IRS) management implemented adequate controls over the PRIME contractor’s[11] access to IRS networks and data.  We evaluated the hardware and software access privileges, authentication requirements, audit trail collection and review, and security of connections between the PRIME contractor and the IRS computer systems.  We also evaluated the physical security for one contractor-owned work facility that contained a computer network with access to the IRS enterprise network, and we followed up on prior recommendations contained in our report dated March 2004.[12]  Specifically, we:

I.   Determined whether the PRIME contractor’s access permissions to IRS networks were limited to those employees who needed them to execute their responsibilities.

     A.  For Calendar Year 2004, determined whether user access was authorized by verifying whether each contractor employee assigned to two specific applications had an Information System User Registration/Change Request (Form 5081) on file for the system on which he or she was listed as a user.  We chose the two applications because they were accessed most frequently by contractor personnel during Calendar Year 2004.

     B.  Obtained a listing from the system administrator of users on the system who had not accessed the system within 45 days and 90 days.  We determined whether the accounts were automatically locked.

     C.  Determined the IRS’ and the PRIME contractor’s roles in granting network access to the PRIME contractor.

          1.  Determined how the appropriate managers verify that the required background investigation has been initiated or completed.

          2.  Determined whether an Online Form 5081 was used and whether its use was mandatory, whether the contractor’s access privileges were correct, and whether anyone in the IRS questioned the contractor’s need for administrative privilege.

          3.  Determined how a system administrator knows when to remove system access for a separated or transferred contractor employee.

II.  Determined the extent of the IRS’ review of audit logs of contractor-used computers at the two locations, the Maryland Technology Center (MTC)[13] and the Martinsburg Computing Center.[14]

     A.  Determined who performed the review of audit logs of PRIME contractor computers and how often the reviews were performed.

     B.  Attempted to secure copies of any reports on audit logs for computers used by PRIME contractor employees; any reports showing the corrective actions taken because of the monitoring of the audit logs; and any incident reports that were elevated to a higher level of management or to the IRS Computer Systems Incident Response Center, which provides assistance and guidance in incident response and provides a centralized approach to incident handling across the IRS enterprise.  The IRS could not provide any of the audit log reports.

III. Determined the level of physical security at the MTC using the National Institute of Standards and Technology (NIST) Security Self-Assessment Guide for Information Technology Systems (Special Publication 800-26).[15]

     A.  Determined whether access to facilities was controlled through the use of guards, identification badges, and entry devices such as key cards, biometrics, and locks; management periodically reviewed the list of persons with physical access to the facility; emergency exit and reentry procedures ensured only authorized personnel were allowed to reenter after fire drills, etc.; and visitors to sensitive areas were required to sign in and were escorted.

     B.  Determined whether physical accesses were monitored through audit trails, apparent security violations were investigated and remedial actions taken, and suspicious access activity was investigated and appropriate actions were taken.

     C.  Determined whether visitors, contractors, and maintenance personnel were authenticated with preplanned appointments and identification checks.

IV.  Determined whether data transfers between the IRS and the PRIME contractor were encrypted and adequately secured.

     A.  Verified the methods used to transfer data files between the IRS network and PRIME contractor personnel by physically observing file transfers.

     B.  Ascertained the protocols used and obtained an explanation of the security features of those protocols.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Stephen R. Mullins, Director

Gerald Horn, Audit Manager

David Brown, Senior Auditor

William Lessa, Senior Auditor

Thomas Nacinovich, Senior Auditor

William Simmons, Senior Auditor

Stasha Smith, Senior Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn: Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Commissioner for Service and Enforcement  SE

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Management Controls  OS:CFO:AR:M

Audit Liaisons:

            Chief Information Officer  OS:CIO

            Chief, Mission Assurance and Security Services  OS:MA

            Director, Procurement  OS:A:P

 

Appendix IV

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.



[1] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.

[2] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

[3] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 2004).

[4] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

[5] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.

[6] IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.

[7] The MTC, located adjacent to the New Carrollton Federal Building in New Carrollton, Maryland, is the principal site at which the PRIME contractor develops and tests systems to support the IRS’ modernization efforts.

[8] We reviewed accesses for the Inventory Tracking Asset Management System (ITAMS) and the Integrated Financial System (IFS) applications.  The ITAMS provides tracking information on computer assets.  The IFS provides detailed financial, cost accounting, property accounting, and procurement data to authorized users.  The IFS Release 1 implements the core processes of general ledger, accounts payable, accounts receivable, budget execution, cost accounting, administrative tax and travel accounting, cost performance management allocations, some tax processing functionality, budget formulation, and budget execution decision support.

[9] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 2004).

[10] Fiscal Year 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (OMB Memorandum M05-15, dated June 13, 2005).

[11] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.

[12] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 2004).

[13] The MTC, located adjacent to the New Carrollton Federal Building in New Carrollton, Maryland, is the principal site at which the PRIME contractor develops and tests systems being developed to support the IRS’ modernization efforts.

[14] IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.

[15] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.