TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
Monitoring of PRIME Contractor Access to Networks and Data Needs to Be Improved
September 2005
Reference Number: 2005-20-185
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Web Site | http://www.tigta.gov
September 29, 2005
MEMORANDUM FOR CHIEF INFORMATION OFFICER
CHIEF,
DIRECTOR, PROCUREMENT
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Monitoring of PRIME Contractor Access to Networks and Data Needs to Be Improved (Audit # 200520002)
This report presents the results of our review of the monitoring of contractor access to networks and data. The overall objective of this review was to determine whether Internal Revenue Service (IRS) management implemented adequate controls over the PRIME contractor’s[1] access to IRS networks and data.
The IRS has about 900 contracts with private contractors. Many of these contractors must be given access to IRS computer systems and taxpayer data to complete their tasks, particularly those tasks that involve developing sensitive computer systems and providing computer hardware and software. In accordance with the Federal Information Security Management Act (FISMA),[2] contractors are subject to the same security standards, guidelines, and oversight that are required for Federal Government agencies. Without adequate oversight by the IRS, there is a significant risk of misuse or disclosure of confidential data as well as possible sabotage to these critical systems.
In March 2004, we reported[3] that contractors were not complying with certain IRS security procedures and IRS procurement officials were not aware of the security regulations pertaining to the contractors they were assigned to oversee. In this audit, we followed up on prior recommendations and focused on work performed by the PRIME contractor.
Synopsis
During Calendar Year 2004, PRIME contractor personnel claimed they were not being granted timely access to systems, which affected their ability to efficiently perform their duties. As a result, the IRS gave the PRIME contractor the authority to add, delete, and modify its own employees’ user accounts on IRS systems. Our review showed that the PRIME contractor added 199 user accounts without any oversight by the IRS during this 1-year period. The IRS, by allowing the PRIME contractor to approve access for its own employees with no oversight, did not comply with the FISMA.
In January 2005, to regain control of the PRIME contractor’s access to IRS systems and data, the IRS assigned an employee to review all requests for PRIME contractor personnel to be added to or deleted from IRS systems. However, access was granted solely on the request of the PRIME contractor with no justification required. We do not believe it is feasible to place this responsibility with one person who could not possibly be aware of the PRIME contractor’s access needs for each contract.
IRS procurement officials, specifically Contracting Officer’s Technical Representatives (COTR), should be responsible for granting contractor employees access to IRS systems. Our findings in this audit indicate these Procurement function officials are still not fulfilling their responsibilities. More actions are needed to ensure contractors’ access to IRS systems is limited to those who need it to accomplish their responsibilities and is monitored to detect any unauthorized activity.
The IRS worked with the PRIME contractor during January 2005 to identify over 1,000 separated contractor employees who no longer needed access but who could still sign on to IRS systems. As of May 2005, most of these accounts had been deactivated, but 160 of these contractor employees still had access to IRS systems.
We also found no documentation to indicate the IRS was monitoring the activities of PRIME contractor employees when they were accessing IRS systems. As a result, the risk of undetected security violations is increased. A security specialist stated that audit trails are reviewed; however, the reviews are not documented.
The PRIME contractor has remote access to the IRS network so it can perform much of its systems development and test procedures from its offices in the
Recommendations
We recommended the Chief Information Officer, in coordination with the Director, Procurement, ensure procurement officials obtain sufficient justification from the PRIME contractor before network access is granted. Also, a quarterly review of the active access account list should be performed to ensure accounts no longer needed are promptly disabled. In addition, the Chief, Mission Assurance and Security Services, should ensure audit trail reviews of contractor activity are conducted as prescribed by IRS procedures.
Response
The IRS agreed with our recommendations. Management stated a Memorandum of Understanding has been drafted outlining the roles and responsibilities of each office involved in ensuring contractor personnel gain access to only those systems needed to perform their work. A list of applications needed by contractors will be provided for each PRIME contractor project and will be used by the IRS to determine whether contractors’ access requests should be granted. The Director, Procurement, will require the PRIME contractor to submit a list of terminated employees and an active account list quarterly. The IRS COTR will identify any accounts that are no longer needed, and the PRIME System Access Manager will deactivate those accounts.
The Chief, Mission Assurance and Security Services, stated that all contractor activities in the PRIME contractor test and development environment will be subject to the same monitoring tools used on any IRS processing environment. In addition, specific instructions will be sent to administrators of production environment systems directing them to include a review of user access from the PRIME contractor test and development environment as a key component of their standard system auditing activities. Management’s complete response to the draft report is included as Appendix IV.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
Accesses to Systems Were Not Properly Authorized
Data Transfers Were Properly Encrypted
Physical Security at the Maryland Technology Center Was Adequate
Appendices
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Management’s Response to the Draft Report
The Internal Revenue Service (IRS) has about 900 contracts with private contractors. Many of these contractors must be given access to IRS computer systems and taxpayer data to complete their tasks, particularly those tasks that involve developing sensitive computer systems and providing hardware and software. In accordance with the Federal Information Security Management Act (FISMA),[4] contractors are subject to the same security standards, guidelines, and oversight that are required for Federal Government agencies. Without adequate oversight by the IRS, there is a significant risk of misuse or disclosure of confidential data as well as possible sabotage to these critical systems.
In this audit, we focused on work performed by the PRIME contractor[5] for the IRS. PRIME contractor employees have access to critical equipment and systems to perform their duties. We evaluated the hardware and software access privileges, authentication requirements, monitoring of PRIME contractor activities, and security of connections between the PRIME contractor and the IRS computer systems. We also evaluated the physical security for one contractor-owned work facility that contained a computer network with access to the IRS enterprise network.
This review was performed in the Modernization and Information Technology Services (MITS) organization offices at the
Accesses to Systems Were Not Properly Authorized
To reduce the risks of unauthorized access to Federal tax information, the IRS requires that access to sensitive systems be limited to only those persons needing it to carry out their responsibilities. The IRS requires employees to be formally authorized by a manager before accessing sensitive systems. For contractor personnel, the need to access sensitive systems must first be acknowledged by an IRS Contracting Officer’s Technical Representative (COTR) who is responsible for overseeing contractor activities. The COTR should then prepare the documentation to provide the contractor with access to the necessary IRS systems.
Authorizations for PRIME contractor accesses were not properly granted
During Calendar Year 2004, the IRS granted proxy rights to the PRIME contractor that allowed it to add, delete, and modify its own employees’ user accounts on IRS systems. The Business Systems Modernization function of the MITS organization made this decision in response to a claim by PRIME contractor personnel that they were not being granted timely access to systems, which affected their ability to efficiently perform their responsibilities.
We reviewed accesses granted for applications[8] used by the PRIME contractor during 2004. Of the 423 PRIME contractor personnel with user accounts for these applications, we identified:
As a result, we could not determine who added the accounts to the systems or whether the need for access was justified. The access decisions were made solely by the PRIME contractor. The PRIME contractor managers given responsibility for granting access could not provide justification for those decisions. We are coordinating with the COTRs responsible for overseeing contractor activities on the systems used by the PRIME contractor during 2004 to determine whether accesses by contractor personnel were justified.
In January 2005, to regain control of the PRIME contractor’s access to IRS systems and data, the IRS appointed a MITS organization employee as the PRIME System Access Manager, to review all requests for PRIME contractor personnel to be added to or deleted from IRS systems. In the first 6 months after procedures were changed, 24 contractor personnel accounts were added to various applications. For each of the 24 accounts, access was granted by the PRIME System Access Manager without acknowledgement from a COTR that access was needed. Accesses were granted solely on the request of the PRIME contractor with no justification as to the need for access. As a result, the IRS Manager granting access did not have sufficient information to determine whether the PRIME contractor employees needed access to complete their work or whether the level of access being granted was proper for the work to be completed. We do not believe it is feasible to place this responsibility with one person who could not possibly be aware of the PRIME contractor’s access needs on each contract.
In March 2004, we reported[9] that contractors were not complying with certain IRS security procedures and IRS COTRs were not aware of the security regulations pertaining to the contractors they were assigned to oversee. In that report, we recommended the Chief, Mission Assurance and Security Services, and the Chief, Agency-Wide Shared Services, ensure the COTRs carry out their responsibilities to periodically review contractor compliance with established security policies. Management’s response stated the Mission Assurance and Security Services organization would review and update guidance for Contracting Officers and COTRs on applicable security policies. This guidance was distributed to the COTRs to assist them in monitoring contractor activities.
Our findings in this audit indicate that COTRs are still not fulfilling their responsibilities to review contractor compliance with established security policies. More actions are needed to ensure contractors’ access to IRS systems is limited to those who need it to accomplish their responsibilities and is monitored to detect any unauthorized activity.
In addition, the decision by Business Systems Modernization management to allow the PRIME contractor to approve access for its own employees with no oversight from the IRS is contrary to FISMA guidance. FISMA Section 3544(b) requires each agency to provide security over “information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.” The Office of Management and Budget (OMB) also states agencies must develop policies for information security oversight of contractors and must review the security of other users with privileged access to Federal Government data and systems.[10]
PRIME contractor user accounts were not removed when access was no longer required
In January 2005, the IRS Procurement function asked the PRIME contractor to identify its personnel who had either separated from the PRIME contractor or no longer worked on any of the applications reviewed but could still sign on to IRS systems. The PRIME contractor identified 1,045 of its employees meeting these specifications. As of May 2005, most of these accounts had been deactivated, but 160 of these contractor employees still had access to IRS systems, increasing the risk of unauthorized disclosures and disruptions of operations. The IRS requires that accounts be deactivated when there is no longer a business need to access an IRS system. The PRIME contractor did not comply with this requirement, and the IRS did not provide sufficient oversight to ensure PRIME contractor user accounts were promptly disabled when no longer needed.
Monitoring of PRIME contractor activity was not sufficient to determine whether data were properly secured
IRS policies require system activity to be monitored by producing and reviewing audit trail data. We found no documentation to indicate the IRS personnel responsible for the security of computer systems are reviewing audit trails on computers used by the PRIME contractor. As a result, the risk of undetected security violations is increased. The security specialist stated that audit trail data are reviewed; however, the reviews are not documented.
Recommendations
Recommendation 1: The Chief Information Officer, in coordination with the Director, Procurement, should ensure COTRs obtain sufficient documentation from the PRIME contractor to justify access to IRS systems. Before granting access to a contractor employee, the PRIME System Access Manager should obtain acknowledgement from the respective COTR that the access is needed.
Management’s Response: Management agreed with this recommendation, stating that a Memorandum of Understanding has been drafted outlining the roles and responsibilities of each office involved in the process of ensuring contractors gain access to only those systems needed to perform their work. A list of applications needed by contractors will be provided for each PRIME project and will be used by the IRS to determine whether contractors’ access requests should be granted.
Recommendation 2: The Chief Information Officer, in coordination with the Director, Procurement, should require the PRIME System Access Manager to review the active account list quarterly for all applications used by the PRIME contractor to ensure accounts no longer needed are promptly disabled.
Management’s Response: Management agreed with this recommendation. The Director, Procurement, will require the PRIME contractor to submit a list of terminated employees and an active account list quarterly. The IRS COTR will identify any accounts that are no longer needed, and the PRIME System Access Manager will deactivate those accounts.
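The quarterly reconciliation agreed to under Recommendation 2 (terminated-employee list against active account list, with COTR acknowledgement of need) is a mechanical access review that can be scripted so that nothing is missed between reviews. The following Python is an added example, not code from the report, the IRS, or the PRIME contractor; it reconciles a constructed account list against a constructed terminated list and COTR acknowledgements, and goes beyond Recommendation 2 by also applying the 45-day and 90-day inactivity thresholds the auditors tested in Appendix I. All user identifiers, dates, and the `cotr_ack` field are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set

# Inactivity thresholds the auditors tested for (Appendix I, step I.B).
WARN_DAYS = 45   # confirm with the COTR that the account is still needed
LOCK_DAYS = 90   # lock the account


@dataclass(frozen=True)
class Account:
    user_id: str                # contractor employee identifier (constructed)
    application: str            # e.g. "ITAMS" or "IFS"
    cotr_ack: bool              # a COTR acknowledged the need for this access
    last_login: Optional[date]  # None if the account has never been used


@dataclass(frozen=True)
class Finding:
    user_id: str
    application: str
    reason: str
    action: str


def review_accounts(active: Iterable[Account], terminated: Set[str],
                    as_of: date) -> List[Finding]:
    """Reconcile the contractor's active-account list with its terminated-employee
    list and the COTR acknowledgements, then apply the inactivity thresholds.
    Returns one Finding per account needing action; unflagged accounts pass."""
    findings: List[Finding] = []
    for acct in active:
        if acct.user_id in terminated:
            # Separated employee who can still sign on: the 160-account problem.
            findings.append(Finding(acct.user_id, acct.application,
                                    "employee separated", "deactivate"))
        elif not acct.cotr_ack:
            # Access granted on the contractor's request alone (Recommendation 1).
            findings.append(Finding(acct.user_id, acct.application,
                                    "no COTR acknowledgement on file",
                                    "suspend pending justification"))
        else:
            idle = None if acct.last_login is None else (as_of - acct.last_login).days
            if idle is None or idle >= LOCK_DAYS:
                findings.append(Finding(acct.user_id, acct.application,
                                        f"no login in {LOCK_DAYS}+ days", "lock"))
            elif idle >= WARN_DAYS:
                findings.append(Finding(acct.user_id, acct.application,
                                        f"no login in {WARN_DAYS}+ days",
                                        "confirm continued need with COTR"))
    return findings


def sample_review() -> List[Finding]:
    """Run the review over a constructed quarterly submission (not real IRS data)."""
    as_of = date(2005, 5, 31)
    active = [
        Account("c001", "ITAMS", True, date(2005, 5, 20)),   # in use, justified
        Account("c002", "IFS", True, date(2005, 1, 10)),     # idle 141 days
        Account("c003", "ITAMS", False, date(2005, 5, 25)),  # no COTR acknowledgement
        Account("c004", "IFS", True, date(2005, 4, 1)),      # idle 60 days
        Account("c005", "ITAMS", True, None),                # never logged in
        Account("c006", "IFS", True, date(2005, 5, 28)),     # reported separated
    ]
    terminated = {"c006"}
    return review_accounts(active, terminated, as_of)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.user_id:5} {f.application:6} {f.reason:32} -> {f.action}")
```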
Recommendation 3: The Chief, Mission Assurance and Security Services, should ensure audit trail reviews of contractor activity are conducted as prescribed by IRS procedures.
Management’s Response: Management agreed with this recommendation. The Chief, Mission Assurance and Security Services, stated that all contractor activities in the PRIME contractor test and development environment will be subject to the same monitoring tools used on any other IRS processing environment. In addition, specific instructions will be sent to administrators of production environment systems directing them to include a review of user access from the PRIME contractor test and development environment as part of their standard system auditing activities.
Data Transfers Were Properly Encrypted
The PRIME contractor has remote access to the IRS network so it can perform much of its systems development and test procedures at its offices in the MTC. The National Institute of Standards and Technology has determined that sensitive data should be encrypted if they are vulnerable to unauthorized disclosure. IRS policy requires that encryption shall be used for transmitting sensitive but unclassified information among IRS facilities and between the IRS and other facilities.
We determined the data link between the PRIME contractor’s offices and the IRS was properly encrypted. We confirmed the software needed to encrypt and decrypt data transmitted between the two sites was in place and functioning. As a result, the risk that data being transmitted between them could be intercepted was adequately reduced.
Physical Security at the Maryland Technology Center Was Adequate
We reviewed the adequacy of physical security at the MTC by inspecting all closets and work areas to determine whether they were secure and accessible only to authorized individuals. The IRS requires that access to secure areas be closely monitored to prevent access by unauthorized personnel. Access to these areas was controlled by the use of keycards and security cameras on each floor containing IRS hardware.
Our test of the external perimeter of the facility showed the following three security weaknesses:
We informed MTC security personnel of these conditions and explained that a person with malicious intentions could enter through the front gate without being documented and proceed from the docking area into the MTC facility. The security personnel concurred with our assessment and immediately began a logging procedure for guests and vendors entering through the front gate area. In addition, an alarm was installed on the door leading to the docking area that would activate when the door was inappropriately accessed. With these changes in place, we found that physical security at the MTC was adequate. No other corrective actions are recommended.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to determine whether Internal Revenue Service (IRS) management implemented adequate controls over the PRIME contractor’s[11] access to IRS networks and data. We evaluated the hardware and software access privileges, authentication requirements, audit trail collection and review, and security of connections between the PRIME contractor and the IRS computer systems. We also evaluated the physical security for one contractor-owned work facility that contained a computer network with access to the IRS enterprise network. We also followed up on prior recommendations contained in our report dated March 2004.[12] Specifically, we:
I. Determined whether the PRIME contractor’s access permissions to IRS networks were limited to those employees who needed it to execute their responsibilities.
    A. For Calendar Year 2004, determined whether user access was authorized by verifying whether each contractor employee assigned to two specific applications had an Information System User Registration/Change Request (Form 5081) on file for the system on which he or she was listed as a user. We chose the two applications because they were accessed most frequently by contractor personnel during Calendar Year 2004.
    B. Obtained a listing from the system administrator of users on the system who have not accessed the system within 45 days and 90 days. We determined whether the accounts were automatically locked.
    C. Determined the IRS’ and the PRIME contractor’s role in granting network access to the PRIME contractor.
        1. Determined how the appropriate managers verify that the required background investigation has been initiated or completed.
        2. Determined whether an Online Form 5081 was used and if this was mandatory, the contractor’s access privileges were correct, and anyone in the IRS questioned the contractor’s need for administrative privilege.
        3. Determined how a system administrator knows when to remove system access for a separated or transferred contractor employee.
II. Determined the extent of the IRS’ review of audit logs of contractor-used computers at the two locations, the Maryland Technology Center (MTC)[13] and the
    A. Determined who performed the review of audit logs of PRIME contractor computers and how often the reviews were performed.
    B. Attempted to secure copies of any reports on audit logs for computers used by PRIME contractor employees; any reports showing the corrective actions taken because of the monitoring of the audit logs; and any incident reports that were elevated to a higher level of management or to the IRS Computer Systems Incident Response Center, which provides assistance and guidance in incident response and provides a centralized approach to incident handling across the IRS enterprise. The IRS could not provide any of the audit log reports.
III. Determined the level of physical security at the MTC using the National Institute of Standards and Technology (NIST) Security Self-Assessment Guide for Information Technology Systems (Special Publication 800-26).[15]
    A. Determined whether access to facilities was controlled through the use of guards, identification badges, and entry devices such as key cards, biometrics, and locks; management periodically reviewed the list of persons with physical access to the facility; emergency exit and reentry procedures ensured only authorized personnel were allowed to reenter after fire drills, etc.; and visitors to sensitive areas were required to sign in and were escorted.
    B. Determined whether physical accesses were monitored through audit trails, apparent security violations were investigated and remedial actions taken, and suspicious access activity was investigated and appropriate actions were taken.
    C. Determined whether visitors, contractors, and maintenance personnel were authenticated with preplanned appointments and identification checks.
IV. Determined whether data transfers between the IRS and the PRIME contractor were encrypted and adequately secured.
    A. Verified the methods used to transfer data files between the IRS network and PRIME contractor personnel by physically observing file transfers.
    B. Ascertained the protocols used and obtained an explanation of the security features of those protocols.
Appendix II
Major Contributors to This Report
Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen R. Mullins, Director
Gerald Horn, Audit Manager
David Brown, Senior Auditor
William Lessa, Senior Auditor
Thomas Nacinovich, Senior Auditor
William Simmons, Senior Auditor
Stasha Smith, Senior Auditor
Appendix III
Report Distribution List
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Service and Enforcement SE
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
Chief Information Officer OS:CIO
Chief,
Director, Procurement OS:A:P
Appendix IV
Management’s Response to the Draft Report
The response was removed due to its size. To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
[1] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.
[2] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[3] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 2004).
[4] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[5] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.
[6] IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
[7] The MTC, located adjacent to the
[8] We reviewed accesses for the Inventory Tracking Asset Management System (ITAMS) and the Integrated Financial System (IFS) applications. The ITAMS provides tracking information on computer assets. The IFS provides detailed financial, cost accounting, property accounting, and procurement data to authorized users. The IFS Release 1 implements the core processes of general ledger, accounts payable, accounts receivable, budget execution, cost accounting, administrative tax and travel accounting, cost performance management allocations, some tax processing functionality, budget formulation, and budget execution decision support.
[9] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 2004).
[10] Fiscal Year 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (OMB Memorandum M05-15, dated June 13, 2005).
[11] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.
[12] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 2004).
[13] The MTC, located adjacent to the
[14] IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
[15] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.