Treasury Inspector General for Tax Administration

Office of Audit

PLANNING IS UNDERWAY FOR THE ENTERPRISE-WIDE TRANSITION TO INTERNET PROTOCOL VERSION 6, BUT FURTHER ACTIONS ARE NEEDED

Issued on February 27, 2014

Highlights

Highlights of Report Number: †2014-20-016 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Like any new technology standard, network conversion to Internet Protocol version 6 (IPv6) introduces security risks if not implemented and managed properly.† When the IRSís data and network are not secured, taxpayer information becomes vulnerable to unauthorized disclosure, which can lead to identity theft.† Furthermore, security breaches can cause network disruptions and prevent the IRS from performing vital taxpayer services, such as processing tax returns, issuing refunds, and answering taxpayer inquiries.

WHY TIGTA DID THE AUDIT

The overall objective of this review was to assess the IRSís progress in converting its network to IPv6 according to Office of Management and Budget requirements.† This audit was included in TIGTAís Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

WHAT TIGTA FOUND

The IRS established an IPv6 project team to manage the network conversion.† The project team has adequately planned for security risks during the conversion but has not completed some elements of the transition plan.† For example, the IRS has not established an IPv6 Advisory Board or prepared a resource plan to ensure proper guidance and coordination within and outside of the agency on its IPv6 efforts.† Also, the Procurement function did not establish controls to ensure that all new information technology purchases were IPv6 capable in accordance with the Federal Acquisition Regulation.† Lastly, TIGTA found that the project team received inadequate oversight from the Infrastructure Executive Steering Committee and did not adhere to the IRSís Enterprise Life Cycle policy.† Given the geographic dispersion of the IRS network and its size and complexity, the enterprise-wide network conversion will have a far-reaching impact on many IRS functions.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer direct the project team to stand up an advisory board; develop an Information Resources Management Strategic Plan; and coordinate with the IRS Enterprise Life Cycle Office to better manage project documentation and schedules.† TIGTA also recommended that the Chief Technology Officer coordinate with the IRS Procurement Office to update its policy to align with the Federal Acquisition Regulation and establish a control to prevent the purchase of IPv6 incapable products; coordinate with IRS business units to ensure that complete responses to the project teamís applications data call are received so that they can begin extensive planning for each application that will require upgrading; assess the merits of transferring project oversight to another governance board that regularly monitors and provides oversight of information technology projects; and direct the Infrastructure Executive Steering Committee to update its charter in order to properly reflect the current roles and responsibilities of the committee.

The IRS agreed with our recommendations and plans to develop an Information Resources Management Strategic Plan, better manage IPv6 project documentation, update the Infrastructure Executive Steering Committee charter, and coordinate between offices to achieve procurement policy alignment with Federal regulations and an exchange of information necessary for a successful transition to IPv6.† The IRS updated the IPv6 Transition Plan so that existing oversight groups fulfill the purpose of an advisory board.† IRS management did not agree to transfer project oversight.† Management prefers to continue with the current governance board structure for this project since it provides oversight for the entire IT infrastructure portfolio.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2014reports/201420016fr.html.

E-mail Address: ††TIGTACommunications@tigta.treas.gov

Phone Number:†† 202-622-6500

Website:†† http://www.treasury.gov/tigta