Taxpayer Data Used at Contractor Facilities May Be at Risk for Unauthorized Access or Disclosure
May 18, 2010
Reference Number: 2010-20-051
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov
HIGHLIGHTS
TAXPAYER DATA USED AT CONTRACTOR FACILITIES MAY BE AT RISK FOR UNAUTHORIZED ACCESS OR DISCLOSURE
Final Report issued on May 18, 2010
Highlights of Reference Number: 2010-20-051 to the Internal Revenue Service Chief Technology Officer and Chief, Agency-Wide Shared Services.
IMPACT ON TAXPAYERS
The Internal Revenue Service (IRS) provides its taxpayer data to contractors who store and process the data at their own facilities in support of the IRS’ mission of tax administration. The IRS did not have effective processes to identify all contractors with IRS taxpayer data that require annual security reviews by the IRS and did not ensure computer security weaknesses identified at contractor facilities during security reviews have been corrected. As a result, taxpayer data may be at risk for unauthorized access or disclosure.
WHY TIGTA DID THE AUDIT
This audit was initiated as part of our statutory requirements to annually review the adequacy and security of IRS information technology. The overall objective of this review was to determine whether the IRS had effective controls in place to ensure IRS taxpayer data are protected at contractor facilities.
WHAT TIGTA FOUND
Current processes were not effective at identifying all contractors who receive IRS taxpayer data and are subject to required security reviews. The Infrastructure Security and Reviews (ISR) office identified contractors that require reviews by asking IRS business organizations to identify their contractors that process, store, or house IRS taxpayer data. However, this process did not identify all contractors who have been provided such data. Without an effective process for identifying the contractors receiving IRS taxpayer data, the IRS cannot ensure that all contractors who receive such data are being reviewed for compliance with security requirements. As a result, the IRS cannot ensure that taxpayer data are protected at contractor facilities.
TIGTA also found that security weaknesses identified by the ISR office team at contractor facilities were not timely corrected. Our review of eight contractors visited by the ISR office during Fiscal Year 2009 found that the ISR office identified security weaknesses at all eight contractor facilities. However, the IRS was unable to provide monitoring documents for seven of the eight contractors. These weaknesses included access control, configuration management control, and system integrity control issues. Without adequate oversight to monitor and confirm that security weaknesses are corrected at contractor facilities, security weaknesses will persist and taxpayer data will remain at risk of unauthorized access and disclosure.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the IRS identify the information system that can serve as the primary source for identifying contractors requiring reviews. The IRS should also ensure that appropriate indicators are captured on each existing contract with a disclosure and privacy impact, validate whether the IRS business organization provided any IRS taxpayer data to these contractors, and provide the appropriate notification and guidance to the responsible IRS business organizations to execute annual security reviews of contractors when required. In addition, the IRS should validate correction of reported security weaknesses and recommend a process for reporting weaknesses that remain unmitigated to increase the accountability of the responsible parties for remediation of security weaknesses.
In their response to the report, IRS management agreed with our recommendations and plans to take appropriate corrective actions.
May 18, 2010
MEMORANDUM FOR: CHIEF TECHNOLOGY OFFICER
CHIEF, AGENCY-WIDE SHARED SERVICES
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
(Audit # 200920005)
This report presents the results of our review to determine whether the Internal Revenue Service (IRS) had effective controls in place to ensure IRS taxpayer data are protected at contractor facilities. This audit was included in the Treasury Inspector General for Tax Administration Fiscal Year 2010 Annual Audit Plan, addresses the major management challenge of Security at the IRS, and was part of our statutory requirement to annually review the adequacy and security of IRS information technology.
Management’s complete response to the draft report is included as Appendix V.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.
Appendices
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Listing of Contractors Selected for Review
Appendix V – Management’s Response to the Draft Report
Abbreviations
FISMA | Federal Information Security Management Act
IRS | Internal Revenue Service
ISR | Infrastructure Security and Reviews
NIST | National Institute of Standards and Technology
POA&M | Plan of Action and Milestones
In its Fiscal Year 2001 summary report to Congress, the Office of Management and Budget identified the security of contractor-provided services as a Government-wide challenge to information technology security. When the Federal Information Security Management Act (FISMA)[1] was enacted a year later, provisions and guidelines were promulgated to ensure the effectiveness of information security controls supporting Federal operations and assets by contractors.
The Internal Revenue Service (IRS) uses contractors to help achieve its mission to administer the nation’s Federal tax system. Many of these contractors are provided IRS taxpayer data for use at contractor facilities outside of IRS offices. Other contractors operate information systems at contractor facilities on behalf of the IRS that provide access to the IRS network. Like IRS-managed computer systems, contractors must comply with security control requirements issued by the National Institute of Standards and Technology (NIST) for protecting IRS data. The IRS is ultimately responsible for ensuring security controls at contractor facilities are in place and operating effectively.
Specifically within the IRS, the Infrastructure Security and Reviews (ISR) office of the Modernization and Information Technology Services organization Cybersecurity function is responsible for reviewing controls of contractors who receive IRS taxpayer data for use or operate information systems on behalf of the IRS at contractor facilities to ensure security requirements have been implemented. The ISR office schedules and conducts reviews of these contractors on an annual basis, using the methodology defined in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, and NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems.
This review was performed at the Modernization and Information Technology Services organization Headquarters in New Carrollton, Maryland, and at one contractor facility in
During Fiscal Years 2008 and 2009, the ISR office visited 12 and 57 contractors, respectively, to evaluate the security of IRS taxpayer information at the contractor facilities. Based on our review of eight contractors[2] visited by the ISR office during Fiscal Year 2009, we found that the ISR office conducted effective contractor reviews in accordance with NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, for specifying required security controls and NIST Special Publication 800-53A, Guide for Assessing the Security Controls for Federal Information Systems, for assessing the security controls’ effectiveness. For the 12 contractors reviewed during Fiscal Year 2008, the ISR office identified 133 security weaknesses and for the 57 contractors reviewed during Fiscal Year 2009, the ISR office identified 268 security weaknesses in the same major control areas. These 401 security weaknesses related to all 17 NIST Special Publication 800-53 control families, including contingency planning (39 weaknesses), configuration management (37 weaknesses), risk assessments (32 weaknesses), and access controls (31 weaknesses).
However, the IRS did not have effective processes to identify all contractors with IRS taxpayer data that require annual security reviews by the IRS and did not ensure computer security weaknesses identified at contractor facilities during security reviews are timely corrected. In order to ensure IRS data are secured at all contractor facilities, the IRS needs to improve its current processes and controls to identify all contractors who process, manage, or store IRS taxpayer data at contractor facilities and to ensure timely corrective actions are taken on computer security weaknesses identified at contractor facilities.
The Internal Revenue Service Did Not Have an Effective Process for Identifying All Contractors Who Have Been Provided Taxpayer Data and Require Computer Security Reviews
The ISR office is required to conduct annual security reviews of contractors who possess or have direct access to IRS information or operate information systems on behalf of the IRS at contractor facilities to ensure security requirements have been implemented. The purpose of these security reviews is to ensure contractors are complying with IRS security policies and procedures, and protecting taxpayer information provided to them. To identify contractors who require these onsite security visits, the ISR office submits an enterprise-wide data call request asking all IRS business organizations to identify their contractors that possess or have access to IRS taxpayer data at contractor facilities. Based on the data call results, the ISR office prepares an inventory of contractors and schedules reviews based on a set of priorities, including filing season readiness, risk exposure, and the specific type of tax data processed by the contractor.
This process was not effective at identifying all contractors who have been provided IRS taxpayer data. During our audit fieldwork, we identified one contractor who should have been on the inventory list the ISR office uses to track contractors requiring review but was not. In addition, the ISR office had identified a contractor who received IRS data but had previously been reported by an IRS business organization as not receiving IRS taxpayer data. In Fiscal Year 2009, the ISR office subsequently reviewed both of these contractors.
These two examples highlight the need for improvement in identifying contractors who receive taxpayer data from the IRS. The contractors who were visited and reviewed by the ISR office in Fiscal Years 2008 and 2009 were identified by IRS business organizations responding to the data call. In Fiscal Year 2009, the ISR office also obtained a list of 1,396 procurement requests from an IRS procurement information system used to manage the IRS procurement process. All of these procurement requests contained disclosure and privacy indicators, which informed the IRS contracting office that the contractor would use IRS data at the contractor’s facility.[3] However, due to the workload involved, neither the ISR office nor the IRS Procurement organization reviewed these procurement requests to determine whether contractors were, in fact, provided IRS taxpayer data and, therefore, required an annual security review.
While not all of these 1,396 procurement requests may include contractors who process, manage, or store IRS taxpayer data at contractor facilities, we believe the contract data contained in the procurement information system may provide the most definitive, reliable, and complete source for identifying such contractors. However, improvements are needed to the procurement information system in order for the system to readily determine which contractors meet the ISR office criteria for requiring a contractor review. Without an effective process for identifying these contractors, the IRS cannot ensure that all contractors who have been provided IRS taxpayer data are being reviewed for computer security control weaknesses. As a result, the IRS cannot ensure that taxpayer data are protected at all contractor facilities.
Recommendations
Recommendation 1: The Chief, Agency-Wide Shared Services, and the Chief Technology Officer should identify the information system that can serve as the primary source for identifying contractors requiring ISR office security reviews and develop specific indicators within the information system that effectively identify any contractor receiving and using IRS taxpayer data at the contractor’s facility.
Management’s Response: IRS management agreed with this recommendation. The Chief, Agency-Wide Shared Services, will modify the Personal Identity Verification Background Investigation Process system to identify candidate contracts and contractors who have access to sensitive information. The ISR office will use reports from this system and related information to identify contractor facilities for review.
Recommendation 2: The Director, Procurement, and the Director, Office of Privacy and Information Protection, should ensure the appropriate indicator is captured on each existing contract with a disclosure and privacy impact, validate whether the business organization provided any IRS taxpayer data to these contractors, and provide the appropriate notification and guidance to the responsible IRS business organizations to execute annual security reviews of these contractors when required.
Management’s Response: IRS management agreed with this recommendation. The Director, Procurement, and the Director, Physical Security and Emergency Preparedness, will track the appropriate indicators and provide the ISR office with contract and contractor information for use in selecting contractor sites for security reviews.
The Internal Revenue Service Did Not Ensure Computer Security Weaknesses Identified at Contractor Facilities Are Timely Corrected
Office of Management and Budget memorandum M-08-21, entitled “Fiscal Year 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” states that FISMA requirements follow agency information into any system which uses it or processes it on behalf of the agency. When the ultimate responsibility and accountability for control of the information continues to reside with the agency, FISMA requirements apply. To the extent that contractors process, store, or house Federal Government information or operate information systems on behalf of the IRS at contractor facilities, the contractor’s security controls must be assessed against the same NIST criteria and standards as any Government agency. Further, the agency is responsible for ensuring the contractor corrects weaknesses discovered through self-assessments and independent assessments. Any weaknesses are to be reflected in the agency’s Plan of Action and Milestones (POA&M).[4]
IRS policy requires business and system owners to ensure that all acquisitions of goods or services provide for information security, personnel security, and physical security, which includes the security of any IRS data at contractor facilities. Further, IRS policy requires the Contracting Officer’s Technical Representative to ensure that contractors comply with IRS security policies and pursue appropriate action for noncompliance. As a means to determine whether contractors are complying with IRS security policies, the ISR office is responsible for evaluating the security of IRS taxpayer data at contractor facilities.
After the ISR office completes a contractor security review, the ISR office presents the results to the Contracting Officer’s Technical Representative in a Security Assessment Report, which includes the details of the security weaknesses identified at the contractor’s facilities. The ISR office instructs the Contracting Officer’s Technical Representative to coordinate with the Designated Approving Authority or the Security Program Management Office to identify corrective actions and planned implementation dates for resolving the weaknesses. The ISR office further instructs the Security Program Management Office to provide oversight, in coordination with the Contracting Officer’s Technical Representative, to ensure remediation of each weakness identified, including developing and maintaining a corresponding item on the POA&M.
However, the IRS was not consistently developing the POA&Ms for security weaknesses identified by the ISR office. In our judgmental sample of eight contractors visited by the ISR office during Fiscal Year 2009, all eight contractors’ facilities had security weaknesses identified by the ISR office. We requested copies of the POA&Ms for tracking these security weaknesses. The IRS was unable to provide the POA&Ms developed as a result of the ISR office reviews for seven of the eight contractors. During the course of our audit, the POA&Ms were developed for four of the seven contractors in our sample that were not provided when we requested them.
When asked why the POA&Ms were not completed for the seven contractors, the IRS stated it did not create and monitor ISR office findings in the POA&Ms for systems that it did not consider FISMA reportable systems[5] or for contractors it did not believe were subject to FISMA requirements. We disagree with this reasoning. While there might be confusion over what is or is not FISMA reportable, we believe the approach for tracking and monitoring security weaknesses should apply regardless of whether or not FISMA applies to the contractor, since the weaknesses pertain to the protection of IRS taxpayer data. When security weaknesses are not tracked and monitored, the IRS has no assurance that an official within the IRS is taking responsibility for monitoring the security weaknesses reported by the ISR office and ensuring security weaknesses are timely addressed.
To illustrate the importance of monitoring security weaknesses at contractors’ facilities, the ISR office identified 6 repeat security weaknesses at contractor facilities during its Fiscal Year 2008 reviews and 24 repeat security weaknesses during its Fiscal Year 2009 reviews that were not corrected since the prior fiscal years’ ISR office reviews. These security weaknesses included access control, configuration management control, and system integrity control issues. For example, the ISR office found that some contractors:
· Had system security settings not set to the most restrictive mode.
· Lacked policies on how to handle sensitive information.
· Had systems that were less than 90 percent compliant with IRS security policies based on automated scans of system settings.
The eight contracts that we reviewed generally required the contractors to adhere to IRS security policies and procedures. Without adequate oversight to monitor and confirm that security weaknesses are corrected at contractor facilities, security weaknesses will persist and IRS data will remain at risk for unauthorized access and disclosure.
Recommendations
Recommendation 3: The Associate Chief Information Officer, Cybersecurity, should validate correction of ISR office reported security weaknesses and recommend a process for reporting weaknesses that remain unmitigated to increase the accountability of the responsible parties for remediation of security weaknesses.
Management’s Response: IRS management agreed with this recommendation. The ISR office will establish a plan for requesting status updates on the POA&Ms from the responsible parties, validate corrected security weaknesses, and inform the responsible parties of uncorrected weaknesses quarterly.
Recommendation 4: The Director, Procurement, and the Associate Chief Information Officer, Cybersecurity, should work together to hold contractors accountable for addressing security weaknesses in a timely manner. Using validation results from Recommendation 3, the Procurement organization, working with the Cybersecurity organization, will take appropriate action and employ all rights and remedies available to the Government if and when contractors do not comply with IRS security policies.
Management’s Response: IRS management agreed with this recommendation. Based on validation results from the ISR office, the Director, Procurement, and the Associate Chief Information Officer, Cybersecurity, will determine the appropriate action and employ all rights and remedies available to the Government if and when contractors do not comply with IRS security policies.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to determine whether the IRS had effective controls in place to ensure IRS taxpayer data are protected at contractor facilities. In order to accomplish our objective, we:
I. Determined whether IRS contractor reviews were adequate to validate contractor compliance with IRS security policies.
A. Selected a judgmental sample of 8 contractors that process, manage, or store Federal taxpayer information or operate information systems on behalf of the IRS at non-IRS locations from an IRS list of 57 contractors that required an annual security review during Fiscal Year 2009. This list was the result of the data call that the IRS makes to its business organizations annually to identify contractors to schedule for a security review. We selected a judgmental sample because we did not plan to project the results.
B. Obtained and reviewed contracts for the selected contractors and determined whether each was adequate to hold contractors accountable for implementing IRS security policies.
C. Obtained and reviewed contractor review plans and results prepared by the IRS for the selected contractors and evaluated them for adequacy.
D. Determined whether any weaknesses identified were being tracked in a POA&M and whether progress was being made to correct the deficiencies.
II. Determined whether key information system controls were in place and operating effectively to limit access to only authorized users at one contractor facility at a non-IRS location. We reviewed the following types of controls:
A. Access.
B. Identification and Authentication.
C. Audit and Accountability.
D. Risk Assessment.
E. System and Information Integrity.
III. Evaluated the process for identifying contractors provided IRS taxpayer data for use at offsite locations.
A. Reviewed the data call method used by the IRS to identify contractors requiring an annual security review.
B. Reviewed procurement request data from an IRS procurement system and determined whether the IRS procurement system could be used to automate identification of contractors requiring an annual security review. To assess the reliability of the procurement request data, we interviewed knowledgeable agency officials about the data and reviewed relevant documentation. We determined that the data were sufficiently reliable for the purposes of this report.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the IRS’ policies, procedures, and practices for ensuring IRS data are secured at offsite contractor locations. We evaluated these controls by reviewing contracts, security control testing results, and related documentation and consulting with IRS and contractor personnel.
Appendix II
Major Contributors to This Report
Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Jody Kitazono, Audit Manager
Bret Hunter, Lead Auditor
Richard Borst, Senior Auditor
Michelle Griffin, Senior Auditor
Appendix III
Report Distribution List
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Director, Privacy, Information Protection, and Data Security OS:P
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Director, Privacy and Information Protection OS:P:PIP
Director, Procurement OS:A:P
Director, Cybersecurity Program and Policies OS:CTO:C:PP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
Chief Technology Officer OS:CTO
Chief, Agency-Wide Shared Services OS:A
Appendix IV
Listing of Contractors Selected for Review
From an IRS list of contractors that required contractor reviews, we selected a judgmental sample of eight contractors who process, manage, or store Federal taxpayer information or operate information systems on behalf of the IRS at non-IRS locations. We reviewed the contracts, the methods of security control testing, the Security Assessment Reports provided by the IRS Infrastructure Security and Reviews team, and the processes to resolve weaknesses.
| Contractor | Description of System | Location | Business Organization
1 | Northrop Grumman Information Technology | | | Wage and Investment
2 | Accenture/Affina/Qwest | Health Coverage Tax Credit Program | | Wage and Investment
3 | AT&T | | | Modernization and Information Technology Services
4 | Accenture | IRS.gov Public User Portal | | Modernization and Information Technology Services
5 | IBM/Quest | Registered User Portal | | Modernization and Information Technology Services
6 | Computer Sciences Corporation | Development, Integration, and Testing Environment | | Modernization and Information Technology Services
7 | CRA International | The contractor is supplied with Sensitive But Unclassified data in order to perform appraisal or actuarial work – valuation of minority stock interests. | | Small Business/
8 | Pacific Consulting Group | Data and market research | | Wage and Investment
Appendix V
Management’s Response to the Draft Report
DEPARTMENT OF THE TREASURY
INTERNAL REVENUE SERVICE
CHIEF TECHNOLOGY OFFICER
April 12, 2010
MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT
FROM: Terence V. Milholland /s/ Terence V. Milholland
Chief Technology Officer
SUBJECT: Draft Audit Report - Taxpayer Data Used at Contractor Facilities May Be at Risk for Unauthorized Access or Disclosure
(Audit #200920005) (i-trak #2010-73426)
Thank you for the opportunity to review and respond to the subject draft audit report. We appreciate your report recognizing that the Internal Revenue Service (IRS) conducted effective contractor security reviews in accordance with standards for security controls on Federal information systems. The purpose of these security reviews is to ensure contractors are complying with IRS security policies and procedures, and protecting taxpayer information provided to them.
The IRS is committed to continuously improving the security of our information technology systems and processes; your report recommendations will further improve our security posture. The attachment to this memo details our planned corrective actions to the recommendations.
We value your continued support and the assistance and guidance your team provides. If you have any questions, please contact me at (202) 622-6800 or Agnes Spruill at (202) 283-7018.
Attachment
Attachment
RECOMMENDATION #1: The Chief, Agency-Wide Shared Services, and the Chief Technology Officer should identify the information system that can serve as the primary source for identifying contractors requiring ISR office security reviews, and develop specific indicators within the information system that effectively identify any contractor receiving and using IRS taxpayer data at the contractor's facility.
CORRECTIVE ACTION #1: Agency-Wide Shared Services (AWSS) will modify the Personal Identity Verification (PIV) Background Investigation Process (PBIP) system to identify candidate contracts and contractors who have access to Sensitive But Unclassified (SBU) information at a contractor's facility. MITS Cybersecurity will use PBIP reports, along with information from security plans provided by COTRs, to identify contractor facilities to be reviewed based on a valid statistical sample.
IMPLEMENTATION DATE: October 1, 2010
RESPONSIBLE OFFICIAL: Director, Physical Security and Emergency Preparedness (AWSS) and Associate Chief Information Officer, Cybersecurity (MITS)
CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.
RECOMMENDATION #2: The Director, Procurement, and the Director, Office of Privacy and Information Protection, should ensure the appropriate indicator is captured on each existing contract with a disclosure and privacy impact, validate whether the business organization provided any IRS taxpayer data to these contractors, and provide the appropriate notification and guidance to the responsible IRS business organizations to execute annual security review of these contractors when required.
CORRECTIVE ACTION #2: The Director, Procurement, will continue to provide the existing indicators in the web Request Tracking System (webRTS) to identify when privacy and disclosure clauses are needed in contracts, and will provide that data to MITS Cybersecurity. The Director, Physical Security and Emergency Preparedness, will track contractor employees who are to be given access to Sensitive But Unclassified (SBU) data in the Personal Identity Verification (PIV) Background Investigation Process (PBIP) system, and provide that data to Cybersecurity. Using this data, Cybersecurity, based on a valid statistical sample will identify candidates for annual security reviews and execute annual security reviews of these contractors when required.
IMPLEMENTATION DATE: October 1, 2010
RESPONSIBLE OFFICIALS: Associate Chief Information Officer, Cybersecurity (MITS) and the Director, Physical Security & Emergency Preparedness (AWSS)
CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.
RECOMMENDATION #3: The Associate Chief Information Officer, Cybersecurity, should validate correction of ISR office reported security weaknesses and recommend a process for reporting weaknesses that remain unmitigated to increase the accountability of the responsible parties for remediation of security weaknesses.
CORRECTIVE ACTION #3: Cybersecurity's Infrastructure Security and Review (ISR) Office will establish a plan that delineates sending out a request for status updates on Plans of Action & Milestones (POA&Ms) from the responsible Business Unit. As appropriate, ISR will validate the correction of findings in the POA&M during the POA&M continuous monitoring process or during follow-up security reviews. In addition, ISR will forward a copy of uncorrected weaknesses to the appropriate business unit executive each quarter to ensure that the responsible parties are made aware of the need to remediate weaknesses.
IMPLEMENTATION DATE: December 1, 2010
RESPONSIBLE OFFICIAL: Associate Chief Information Officer, Cybersecurity (MITS)
CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.
RECOMMENDATION #4: The Director, Procurement, and the Associate Chief Information Officer, Cybersecurity, should work together to ensure contractor accountability that security weaknesses are addressed in a timely manner. Using validation results from recommendation #3, the office of Procurement, working with the Cybersecurity organization, will take appropriate action and employ all rights and remedies available to the Government if and when contractors do not comply with IRS security policy.
CORRECTIVE ACTION #4: Based on validation results from Cybersecurity's Infrastructure Security and Review (ISR) Office, the Director, Procurement, and the Associate Chief Information Officer, Cybersecurity, will determine the appropriate action and employ all rights and remedies available to the Government if and when contractors do not comply with IRS security policy.
IMPLEMENTATION DATE: Implemented April 1, 2010
RESPONSIBLE OFFICIALS: Director, Procurement (AWSS) and Associate Chief Information Officer, Cybersecurity (MITS)
CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.
[1] E-Government Act of 2002, Pub. L. No. 107-347, Title III, 116 Stat. 2946.
[2] See Appendix IV for a listing of the eight contractors we reviewed.
[3] The disclosure and privacy indicator field on the procurement information system corresponds to the question, “Does your requirement involve Sensitive But Unclassified information where Information Technology services are performed at the contractor’s site or with the use of the contractor’s electronic devices (e.g., laptops, blackberries, text messaging cellular equipment, thumb drives, CDs, etc.)?” If answered yes, disclosure and privacy clauses are included in the contract.
[4] A POA&M document, also referred to as a corrective action plan, is a tool that assists agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.
[5] Systems subject to FISMA contractor reviews include contractors with privileged access to IRS data and/or contractors that manage a process or system at a contractor-owned or operated facility on behalf of the IRS.