TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Progress Has Been Slow in Meeting Homeland Security Presidential Directive–12 Requirements

 

 

 

June 20, 2007

 

Reference Number:  2007-20-110

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number   |  202-927-7037

Email Address   |  Bonnie.Heald@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

June 20, 2007

 

 

MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

 

FROM:                (for)    Michael R. Phillips /s/ Margaret E. Begg

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – Progress Has Been Slow in Meeting Homeland Security Presidential Directive–12 Requirements (Audit # 200620027)

 

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) took the necessary actions to comply with Homeland Security Presidential Directive-12 requirements.  This audit was part of the statutory audit coverage under the Information Systems Programs area and is included in the Treasury Inspector General for Tax Administration Fiscal Year 2006 Annual Audit Plan.

Impact on the Taxpayer

The IRS has been experiencing delays in issuing new identification cards to employees and contractors that enhance security, reduce identity fraud, and protect the personal privacy of employees and contractors.  Initially, the IRS was developing its own system for issuing the cards rather than joining with other Federal Government agencies that had already incurred much of the upfront costs associated with this effort.  Consequently, the IRS was at risk of wasting taxpayer funds and delaying the implementation of this Presidential mandate.

Synopsis

On August 27, 2004, President Bush signed Homeland Security Presidential Directive-12, Policy for a Common Identification Standard for Federal Employees and Contractors.  The Directive, which is to be implemented in several phases, established a new standard for issuing and processing Federal Government identification cards for entering Federal Government facilities and for accessing computer systems.  In the first phase, Personal Identity Verification (PIV) I, the Office of Management and Budget required agencies to develop procedures no later than October 2005 for registering employees, issuing cards, and maintaining the card system.  In the second phase, PIV II, the Office of Management and Budget required agencies to demonstrate their ability to issue the identification cards and be capable of issuing new cards to all new employees and contractors no later than October 2006.

To satisfy the requirements of PIV I, the IRS completed its PIV I Procedures Manual on October 27, 2005.  This manual contains step-by-step instructions that address PIV I requirements.

However, the IRS has been experiencing delays in meeting the requirements of PIV II.  Initially, the IRS was attempting to produce its own identification cards but had not demonstrated the ability to issue them.  Despite assigning 68 employees and contractors to this effort, the IRS had not yet purchased the hardware and software necessary to produce the identification cards and did not expect to complete the program until September 2010, 2 years after the Office of Management and Budget mandated deadline.

The IRS stated, however, that it met the PIV II milestone because it contracted with the General Services Administration (GSA) for 100 identification cards to meet the Office of Management and Budget deadline, even though it did not plan to use the GSA to issue additional identification cards after the PIV II milestone.  The GSA is making its solution available to all Federal Government agencies and, due to economies of scale, we believe the GSA should be able to issue the cards less expensively than agencies that produce their own cards.

The IRS was continuing to develop its own system for issuing identification cards because it believed it could issue cards that would meet all required technical specifications at less expense.  However, the IRS had not provided cost projections for this Department of the Treasury initiative.  The IRS also stated it believed it was in a better position than the GSA to produce and distribute identification cards at all Department of the Treasury office locations, provide compatible technology to identify and authenticate employees, and produce and distribute identification cards for the large number of temporary employees the IRS hires during the tax return filing season.

We believe the IRS was taking unnecessary risks, not only because its costs are likely to exceed the GSA solution, but because it was taking resources away from tax administration duties, increasing the likelihood of its cards being incompatible with other agencies, and likely will be delivering its system later than other agencies.  During the course of this audit, we made the following recommendation to the IRS to consider the benefits of using a shared solution. 

Recommendation

To reduce costs and to improve the likelihood of meeting the Office of Management and Budget’s subsequent milestones for developing identification cards compliant with Homeland Security Presidential Directive-12 requirements, we recommended during the course of the audit that the Chief, Mission Assurance and Security Services, consider the benefits of using shared solutions such as the one offered by the GSA for issuing identification cards to IRS employees and contractors.  Rather than spending resources on developing its own system, we recommended the IRS coordinate with the GSA to resolve concerns and customize the GSA solution to meet IRS needs.

Response

IRS management stated the Department of the Treasury Homeland Security Presidential Directive-12 Program Management Office, with concurrence from the Department of the Treasury Homeland Security Presidential Directive-12 Executive Steering Committee and the Bureau Advisory Board, agreed with our recommendation.  The Program Management Office has discontinued development efforts for a Department of the Treasury-wide enterprise Homeland Security Presidential Directive-12 solution.  On May 18, 2007, a letter was issued to the GSA stating the IRS’ intention to use the GSA services to the extent possible.  Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs) at (202) 622-8510.

 

 

Table of Contents

 

Background

Results of Review

The Internal Revenue Service Met the First Homeland Security Presidential Directive-12 Milestone

All Necessary Actions Were Not Taken to Fully Comply With Homeland Security Presidential Directive-12

Recommendation 1:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management’s Response to the Draft Report

 

 

Abbreviations

 

GSA	General Services Administration
HSPD–12	Homeland Security Presidential Directive–12
IRS	Internal Revenue Service
PIV	Personal Identity Verification

 

 

Background

 

On August 27, 2004, President Bush signed Homeland Security Presidential Directive-12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors.  The Directive established a new standard for issuing and processing Federal Government identification cards for entering Federal Government facilities and for accessing computer systems.  The Directive was designed to enhance security, reduce identity fraud, and protect the personal privacy of employees and contractors issued Federal Government identification.  The National Institute for Standards and Technology[1] developed Federal Information Processing Standards Publication Personal Identity Verification (PIV) of Federal Employees and Contractors (Publication 201), which contains the minimum standards, recommendations, guidelines, and conformance tests for components for the Federal PIV project.  Essentially, the PIV project was initiated to standardize identification cards, perform background checks of employees and contractors, and issue identification cards for accessing computer systems.

Three other Federal Government agencies have specific responsibilities for implementing HSPD-12 Governmentwide.  The General Services Administration (GSA)[2] is responsible for assisting agencies in procuring and operating PIV subsystems such as employee identification cards and biometric[3] card readers.  The Office of Management and Budget[4] is responsible for overseeing implementation of the Directive and is developing implementation guidance for Federal agencies.  Additionally, the Office of Personnel Management[5] is responsible for assisting agencies in authenticating and vetting applicants before they are provided identification cards.

Implementation of HSPD-12 will first be achieved in two phases.  In the first phase, PIV I, agencies must develop procedures for registering employees, issuing identification cards, and maintaining the identification card system.  In the second phase, PIV II, agencies must demonstrate their ability to issue the identification cards and be capable of issuing new cards to all new employees and contractors.

The first phase of HSPD-12 required procedural guidelines to be in place; the second phase required identification card issuance.

The Office of Management and Budget established deadline dates[6] for all Federal agencies to become compliant, in stages, with HSPD-12:

• October 27, 2005 – Agencies must have been PIV I compliant.
• October 27, 2006 – Agencies must have been PIV II compliant for Governmentwide uniformity and interoperability.
• October 27, 2007 – Agencies must verify and/or complete background investigations and issue identification cards for all employees with less than 15 years of service.
• October 27, 2008 – Agencies must verify and/or complete background investigations and issue identification cards for all employees with more than 15 years of service.

In addition to issuing identification cards, the Internal Revenue Service (IRS) will have to integrate any new systems necessary to operate with the new identification cards into existing security, personnel, and other systems.  Agencies must consider numerous factors when integrating multiple systems, including physical and logical access issues, privacy matters, and software and hardware compatibility.  For example, many card readers currently used for physical access are using technology that is up to 20 years old and may not be compatible with the technology necessary to use the new HSPD-12 cards.  The Treasury Inspector General for Tax Administration will continue to monitor these milestones as the IRS starts implementing the program in more detail.

On March 24, 2006, the IRS assumed leadership of the Department of the Treasury HSPD-12 Program Management Office.  In this role, the IRS is providing leadership to all 13 Department of the Treasury bureaus in developing an integrated Department of the Treasury approach for meeting HSPD-12 requirements.

This review was performed at the IRS National Headquarters in New Carrollton, Maryland, in the office of the Chief, Mission Assurance and Security Services, during the period June through December 2006.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

The Internal Revenue Service Met the First Homeland Security Presidential Directive-12 Milestone

The first HSPD-12 milestone required agencies to comply with the PIV I requirements by October 27, 2005.  Specifically, agencies were required to develop procedures for installing and maintaining identification cards that:

·         Are issued based on sound criteria for verifying an individual’s identity.

·         Are strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation.

·         Can be rapidly authenticated electronically.

·         Are issued by providers whose reliability has been established by an official accreditation process.

To satisfy the requirements of PIV I, the IRS completed its PIV I Procedures Manual on October 27, 2005.  This manual contains step-by-step instructions organized into three main process streams:  identity proofing and registration, PIV identification card issuance, and PIV identification card maintenance.  This structure follows the organization of Publication 201 PIV I requirements.

In addition, on October 24, 2005, the IRS appointed a Designated Accreditation Authority who granted approval for its PIV identification card plan.  The Designated Accreditation Authority determined the Operations Plan and Procedures complied with Publication 201 PIV I requirements and the privacy and security policies were acceptable.  We agree with that assessment.

All Necessary Actions Were Not Taken to Fully Comply With Homeland Security Presidential Directive-12

To comply with PIV II, the Office of Management and Budget directed agencies to demonstrate by October 27, 2006, their ability to issue the new identification cards.  In addition, by that date agencies were required to issue and require the use of identification cards for all new employees and contractors.  Currently, the IRS can do neither.

The IRS claims, however, that it met the milestone for PIV II because it contracted with the GSA for 100 identification cards to meet the Office of Management and Budget deadline.  The GSA had contracted with a vendor to develop an HSPD-12 solution all agencies could use that included registering employees, ensuring their identities, and producing and issuing identification cards.

The GSA produced the identification cards timely.  While the cards contained errors such as the wrong address and misspellings, they otherwise met Publication 201 guidelines.

The IRS is not yet capable of issuing new identification cards as required by HSPD-12.

The IRS stated it met the PIV II milestone, even though it did not plan to use the GSA solution or any other solutions already available to Federal agencies.  Instead, the IRS was attempting to produce its own identification cards but had not yet demonstrated its ability to do so.  At least 68 employees and contractors were assigned to the IRS HSPD-12 Program Management Office, but it still had not purchased the hardware and software necessary to produce the identification cards and did not expect to complete the program until September 2010, 2 years after the Office of Management and Budget mandated deadline.

The IRS believed it could develop its own system to issue cards that meet all required technical specifications at less cost than the GSA and it was in a better position to:

·         Provide and distribute identification cards at all Department of the Treasury locations.  The GSA plans to have over 225 enrollee stations (25 mobile) throughout the country that will service up to 80 percent of the Federal workforce, while the Department of the Treasury plans to have 80 enrollment stations.  The IRS was concerned about the costs involved with employees having to travel to the GSA locations and the time it would take to issue the identification cards at these locations.

·         Provide compatible technology to identify and authenticate employees.  The previous GSA solution relied on technology that may not have been compatible with existing Department of the Treasury software that authenticates computer users’ identities.

·         Provide and timely distribute identification cards for the large number of temporary employees the IRS hires for the annual tax return filing season.[7]  The IRS stated its hiring practices for temporary and other employees requires identification cards to be issued almost immediately after employees are hired, something they doubted the GSA solution could accomplish.

In addition to the error-prone cards it produced for the IRS, the GSA solution has also experienced problems.  Most significantly, the contract with its vendor was suspended and production was consequently stopped.  We believe the barriers mentioned by the IRS could be overcome through coordination with the GSA.  In addition, we believe the GSA solution, when available, offers several advantages over the IRS approach.  Specifically:

• The GSA previously estimated the cost for a GSA-developed identification card to be approximately $110 plus annual maintenance costs of $52.  As of April 10, 2007, the IRS has not provided cost projections for this Department of the Treasury initiative but we believe the cost could be substantially greater than GSA’s estimate.  The GSA solution should be less expensive due to economies of scale.  By producing cards for multiple agencies, the fixed costs for producing the cards can be allocated over a much greater number of cards, thus reducing the cost per card.  The Department of Agriculture, Department of Commerce, and Department of Energy have already agreed to implement the GSA solution once it resumes operation.
• The IRS solution will require staffing resources to be devoted to developing, piloting, and implementing its system, taking resources away from tax administration duties, while the GSA solution will lessen the staffing resources needed to implement and develop the program.
• The GSA solution increases the likelihood that agencies have a consistent solution.  All agencies will have to modify the cards to interface with their computer systems, but the GSA solution will help ensure consistency.
• The GSA solution is more likely to be implemented faster.  Even with the GSA’s contracting delays, it still expects to award a contract by March 28, 2007, and begin issuing cards by June 2007, while, as we mentioned earlier, the IRS does not expect to complete deployment until September 2010, nearly 2 years after the Office of Management and Budget milestone.
• Once implemented, the GSA solution will offer a proven system, while the IRS may still be in the development stages.  As a result, the IRS is taking an additional risk of delaying implementation.

In summary, the IRS was at risk of wasting taxpayer funds and delaying the implementation of this Presidential mandate.  During the course of this audit, we made the following recommendation to consider the benefits of using a shared solution. 

Recommendation

Recommendation 1:  To reduce costs and improve the likelihood of meeting the Office of Management and Budget’s subsequent milestones for developing identification cards compliant with HSPD-12 requirements, we recommended during the course of this audit that the Chief, Mission Assurance and Security Services, consider the benefits of using shared solutions such as the one offered by the GSA for issuing identification cards to IRS employees and contractors.  Rather than spending resources on developing its own system, we recommended the IRS coordinate with the GSA to resolve concerns and customize the GSA solution to meet IRS needs.

Management’s Response:  The Treasury HSPD-12 Program Management Office, with concurrence from the Department of the Treasury HSPD-12 Executive Steering Committee and the Bureau Advisory Board, agreed with the recommendation.  The Program Management Office has discontinued development efforts for a Department of the Treasury-wide enterprise HSPD-12 solution.  On May 18, 2007, a letter was issued to the GSA stating the IRS’ intention to use GSA services to the extent possible.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether the IRS took the necessary actions to comply with HSPD-12 requirements.  To accomplish this objective, we:

I.                   Determined whether the IRS met the HSPD-12 requirements for Federal Information Processing Standards Publication 201 PIV I compliance by October 27, 2005.

A.    Compared the IRS’ procedures to Publication 201 standards for:

1.      Control objectives.

2.      Personnel identity proofing and registration.

3.      Card issuance and maintenance.

4.      Privacy.

5.      Background investigations.

B.     Determined whether the procedures were approved in writing.

C.     Determined whether the implementation plan was timely submitted and approved by the Office of Management and Budget.

II.                Determined whether the IRS had procedures in place to be PIV II compliant by October 27, 2006.

A.    Reviewed the IRS business case for PIV II compliance.

B.     Reviewed the IRS budget for HSPD-12.

C.     Reviewed the IRS infrastructure and procedures for the issuance of PIV cards.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Steve Mullins, Director

Thomas Polsfoot, Audit Manager

David Brown, Senior Auditor

George Franklin, Senior Auditor

Jimmie Johnson, Senior Auditor

 

Appendix III

 

Report Distribution List

 

Acting Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Chief Information Officer  OS:CIO

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

Chief Information Officer  OS:CIO

Chief, Mission Assurance and Security Services  OS:MA

 

Appendix IV

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.