Treasury Inspector General for Tax Administration

Office of Audit

PROGRESS HAS BEEN SLOW IN IMPLEMENTING FEDERAL SECURITY CONFIGURATIONS ON EMPLOYEE COMPUTERS

Issued on March 27, 2009

Highlights

Highlights of Report Number:  2009-20-055 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Internal Revenue Service (IRS) employees use desktop and laptop computers to perform their tax administration duties.  Because taxpayers expect the IRS to protect their privacy and personal information, the security of employee computers is critical.  The IRS is attempting to adopt a standard set of Federally required computer configuration settings and procedures to improve security and reduce operating costs.  Although the IRS has taken actions, implementation of the configuration settings has been slow and some of the requirements have not been implemented.  Without a complete set of security configuration settings, the IRS is at risk of business disruption or unauthorized access to taxpayers’ personal information.

WHY TIGTA DID THE AUDIT

This audit was initiated because the Office of Management and Budget required Federal Government agencies that use the Windows XP or Windows Vista operating systems to adopt a standard set of configuration settings by February 1, 2008.  These configuration settings are referred to as the Federal Desktop Core Configuration (FDCC).  The intent of the requirement was to improve security and reduce operating costs.

WHAT TIGTA FOUND

The IRS has made slow progress in implementing the FDCC settings.  On October 29, 2008, the IRS implemented 102 settings on IRS workstations; that is, the first FDCC settings were installed on employee computers 9 months after the February 1, 2008 deadline.  As of December 11, 2008, the IRS had implemented 205 (81 percent) of the 254 FDCC settings.  The delay in implementing the FDCC was primarily due to the late creation of a project team responsible for the FDCC implementation.  Some IRS officials mistakenly assumed the IRS computers were already compliant with the FDCC.  Therefore, the IRS did not create a project team to implement the settings until January 2008, 10 months after the Office of Management and Budget issued the directive and 1 week before the deadline for completing the FDCC implementation.

Once a project team was created, the project leaders did not follow some basic project management practices while testing software applications for FDCC compatibility.  The master control list used by the project leaders was incomplete and did not account for many applications that needed to be tested.

The IRS also has not implemented an automated monitoring tool, which the Office of Management and Budget mandated, to detect and monitor changes to the FDCC settings after they are installed on employees’ workstations.  Without such a tool, settings that drift from the baseline after installation would go undetected.  In addition, the IRS has not modified its software contracts to ensure software acquisitions operate properly with the FDCC settings.

WHAT TIGTA RECOMMENDED

TIGTA recommended that to ensure basic project management practices are followed and Office of Management and Budget mandates are implemented, the Chief Technology Officer should 1) provide training to the FDCC project managers to ensure their project management skills and qualifications are sufficient, 2) instruct the project leaders to develop and maintain an accurate control list of applications that require testing, 3) conduct an analysis and consider the feasibility of acquiring a monitoring tool from the General Services Administration’s SmartBuy Program, and 4) direct the Cybersecurity office to coordinate with the Procurement Division and prioritize the work necessary to include the required FDCC contract language in information technology acquisitions.

In their response to the report, IRS officials agreed with the recommendations.  The IRS plans to provide project management training for the FDCC project managers and ensure the master control list of all applications that require testing is maintained and updated.  The IRS Chief Technology Officer plans to conduct a cost-benefit analysis to determine whether the purchase of a separate monitoring tool from the General Services Administration’s SmartBuy Program is in the IRS’ best interest.  Finally, the IRS plans to issue an agency-wide policy and interim acquisition procedures to incorporate the FDCC contract language into information technology acquisitions.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2009reports/200920055fr.html.

Email Address:   inquiries@tigta.treas.gov

Phone Number:   202-622-6500

Web Site:   http://www.tigta.gov