Executive Summary

Objective and Scope

Background

Results

Conclusion

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Outcome Measures

Appendix V – Management’s Response to the Draft Report

Executive Summary

Office of Management and Budget and Treasury Department directives require that all information systems that process sensitive but unclassified information, including taxpayer data, be certified and accredited prior to being placed into operation. In addition, these information systems are required to be re-certified and re-accredited at least every three years or when significant modifications occur. Certifying that adequate security controls have been developed and accrediting that the risks of security breaches have been adequately reduced are the two primary controls for ensuring that security controls are built into new information systems and remain up-to-date afterwards. At stake is the privacy of information for over 123 million taxpayers.

The Certification Program Office, under the direction of the Office of Security and Privacy Oversight, is responsible for certifying that Internal Revenue Service (IRS) information systems have sufficient security controls. The IRS executive in charge of the function using each information system is responsible for accrediting the system. When accrediting, executives state that they are aware of and accept the risks associated with operating the system.

In 1995, the IRS began monitoring sensitive systems certification as a potential management control weakness and in 1997 officially reported it as a material weakness. This issue continues to be an open item on its Fiscal Year 1999 assessment of management controls.

The overall objective of this audit was to assess the effectiveness of the IRS’ security certification and accreditation processes for information systems and networks.

The majority of IRS information systems are still not certified and accredited. Although the IRS is taking steps through contractor support to alleviate this situation, more emphasis is needed to resolve this material control weakness in a timely manner.

Of the 258 systems listed on the inventory of sensitive systems in January 2000, 232 (89.9 percent) were not certified. Responsible executives had granted temporary authorities to operate 143 of the uncertified systems but had accepted no accountability for the security risks of operating the other 89 systems.

We attribute these conditions in part to the lack of emphasis the IRS has placed on building security controls into new information systems. It has become a standard practice in the IRS to implement a system without the necessary certification and accreditation of security controls. We are aware of only one information system currently in use that had been certified and accredited before it was initially implemented.

Documenting security controls for the uncertified systems after they have been implemented will cost the IRS about $26 million. This cost could have been greatly reduced if security controls had been built in and certification and accreditation had been accomplished during systems development.

IRS guidelines require that the Certification Program Office provide timely status and technical information regarding certification and accreditation of IRS information systems to responsible executives. However, there is no control in place within the certification program to ensure that accreditations are granted and granted timely for certified systems.

The IRS should place more emphasis on building security controls into new information systems. To ensure this happens, IRS management should not authorize the implementation of any new system until controls are sufficient and the system has the required security certification and accreditation.

For systems that are already implemented, the IRS needs to place additional emphasis on timely certification and accreditation. The IRS should ensure that funds continue to be allocated for contractor support during the certification process and consideration should be given to increasing this allocation in order to get systems certified as soon as possible. Consideration should also be given to increasing the human resources within the IRS devoted to certifying and accrediting the security features of systems.

Also, the process for identifying all information systems requiring certification and accreditation, and the tracking of their certification and accreditation status, should be centralized.

Management’s Response: Management generally agreed with our findings and recommendations. They are developing a new process for certifying new systems within the systems development life cycle. Management anticipates that systems will be implemented without full certification only in special circumstances. Contractor support will continue to be used to reduce the backlog of uncertified systems. Management’s complete response to the draft report is included as Appendix V.

Office of Audit Comment: We believe that management’s response is adequate with one important exception. Considering the sensitivity of the data processed by the IRS and the risks inherent in today’s interconnected computer systems, we do not believe that any new system should be implemented without appropriate security controls.

Objective and Scope

The overall objective of this audit was to determine whether the Internal Revenue Service’s (IRS) security certification process for information systems and networks is effective. Specifically, we:

• Determined whether information systems in use were certified and re-certified when appropriate.
• Determined whether information systems in use were accredited and re-accredited when appropriate.

To accomplish our objective, we reviewed guidelines and procedures relevant to the certification of security controls in IRS information systems, interviewed IRS personnel responsible for certifying that IRS information systems have sufficient security controls, and reviewed supporting documentation relating to the certification of IRS information systems. In addition, we contacted representatives for 235 of the 258 systems on the Certification Program Office’s inventory of sensitive systems as of January 13, 2000, to obtain information relevant to the certification and accreditation of their systems.

The scope of this audit did not include determining the adequacy or completeness of individual security certifications and accreditations or supporting documentation. The scope was limited to determining if the process in place for certifying and accrediting IRS information systems was effective in ensuring that all systems in use are timely certified and accredited.

This audit was conducted in the National Office between December 1999 and February 2000, in accordance with Government Auditing Standards. Details of our audit objective, scope, and methodology are presented in Appendix I. Major contributors to this report are listed in Appendix II.

Background

The Office of Management and Budget (OMB) Circular A-130 and the Department of the Treasury Security Manual require that all information systems that process sensitive but unclassified information, including taxpayer data, be certified and accredited prior to being placed into operation. In addition, these information systems are required to be re-certified and re-accredited at least every three years or when significant modifications occur.

Certification and accreditation are the two primary controls for ensuring that security controls are built into new information systems before they are implemented and that security controls remain up-to-date afterwards.

• Certification requires a comprehensive evaluation of technical and non-technical security features to determine the extent to which system design and implementation meet a specified set of security requirements.
• Accreditation is the issuance of an official declaration by the responsible official that an information system or network is approved to operate with prescribed security safeguards.

The Certification Program Office, under the direction of the Office of Security and Privacy Oversight, is responsible for the security certification process for IRS information systems. IRS functional executives are responsible for the accreditation of IRS information systems.

The Federal Managers’ Financial Integrity Act (FMFIA) requires each federal agency to conduct an annual self-assessment of its management controls and to report any weaknesses in these controls along with plans for corrective action. In 1995, the IRS began monitoring sensitive systems certification as a potential management control weakness and in 1997 officially reported it as a material weakness in its management controls. This issue continues to be an open item on the IRS’ Fiscal Year 1999 assessment of management controls.

Results

Almost 90 percent of IRS information systems have not been granted current security certifications and accreditations. We are aware of only one system currently in use that had been certified and accredited before it was initially implemented.

Furthermore, there is no process or control in place to ensure that certified systems are accredited. In addition, information and related documentation for those systems that are actually accredited is not readily available.

Although the IRS is taking steps through contractor support during the certification process to get its information systems certified, more emphasis is needed to resolve this material control weakness in a more timely manner. At stake is the privacy of data for over 123 million taxpayers.

The Majority of the Internal Revenue Service’s Information Systems Were Not Certified and Accredited as Required

Of the 258 sensitive systems identified on the Certification Program Office’s inventory as of January 2000, 232 (89.9 percent) were not certified. Of the 232 systems not certified, 29 had prior certifications and accreditations that had expired or had been revoked due to significant modifications. The other 203 systems had never been certified.

Responsible executives had granted temporary authority to operate 143 of the 232 non-certified systems while awaiting final certification and accreditation. Essentially, they had assumed responsibility for the risk associated with operating these systems. However, they had assumed no responsibility for operating the other 89 systems.

Additional sensitive systems were not identified on the Certification Program Office’s inventory and, accordingly, were not certified or accredited. One executive recently advised the Certification Program Office that 95 existing systems should be added to the inventory and scheduled for certification. Some of these systems had been in operation for over 13 years.

The privacy of taxpayer information is at greater risk of being breached when IRS information systems have not been certified and accredited. The IRS does not have adequate assurance that personal data for millions of taxpayers is secure.

We attribute these conditions to the following:

• Lack of emphasis on building security into new systems.
• Lack of resources devoted to the certification program.
• Lack of coordination between functional executives and the Certification Program Office.

One of the contributing factors to information systems not being certified was the lack of emphasis the IRS has placed on building security controls into new information systems. We are aware of only one information system currently in use that had received a security certification and accreditation before being initially implemented.

The lack of emphasis on building security controls into new information systems and obtaining the required certification and accreditation prior to implementation has contributed to the significant backlog of non-certified systems. In addition, documenting security controls for systems after they have been implemented is currently costing the IRS an average of $111,000 per system. We estimate the cost of documenting the 232 non-certified systems to be approximately $26 million. This cost could have been greatly reduced if security controls had been built in and certification and accreditation had been accomplished during systems development.

To roll out the system quickly, the accrediting executive may request approval to grant an Interim Authority to Operate (IAO) to authorize the implementation pending final certification. An IAO provides up to an additional year to obtain certification, but it gives only minimal assurance that security controls are effective.

IAOs were issued for new systems and, in at least 12 instances, systems had been granted multiple IAOs. This practice has enabled executives responsible for developing new systems to roll out systems without placing sufficient emphasis on building in the necessary security controls. Once a new system is implemented with an IAO, it is unlikely the IRS would shut it down, even when the IAO expired.

Another contributing factor for systems on the inventory not being certified was that the Certification Program Office had limited resources. In October 1999, the 7 analysts in the Certification Program Office were each assigned over 25 systems for which they were responsible for providing certification support. These workloads also prevented the Certification Program Office personnel from performing appropriate follow-ups.

The primary reason that all sensitive systems were not included on the inventory is that users did not advise the Certification Program Office that the system existed. Users are required to submit a Request for Certification Support to the Certification Program Office to advise it of their system and request support. Input as to the completeness of the inventory is requested once each year as part of the FMFIA assurance process.

The IRS is taking steps to improve the certification process and to alleviate the backlog of non-certified systems. For example,

• The IRS is working with a contractor to build security, including testing and certification, into the software development process. This will help to ensure that information systems are certified and accredited during development and prior to implementation.
• In order to get existing systems certified, the IRS has begun using contractor support during the certification process to evaluate security features and to prepare required certification documentation.

Although the IRS is taking some steps to improve the certification process, more emphasis is needed to resolve this material control weakness in a timely manner.

1. Information Systems management should place more emphasis on building security controls into new information systems. To ensure this happens, IRS management should not authorize the implementation of any new system until controls are sufficient and the system has the required security certification and accreditation. IAOs should not be issued for new systems.
2. For systems that have already been implemented, Information Systems management needs to place additional emphasis on timely certification and accreditation. Information Systems management should ensure that funds continue to be allocated for contractor support during the certification process and consideration should be given to increasing this allocation in order to get systems certified as soon as possible.
3. Information Systems management should consider increasing the human resources within the IRS devoted to certifying and accrediting the security features of information systems.
4. Information Systems management should ensure that the IRS’ certification process includes follow-ups with the accrediting executives prior to the expiration of their systems security certification to ensure that they are aware that a new certification and accreditation is required.
5. Information Systems management should ensure that all functional executives for individual systems are fully aware of the overall certification and accreditation process.
6. Information Systems management should centralize the process for identifying and tracking of all information systems requiring certification and accreditation. Once the process is centralized, an effort should be made to identify all existing information systems requiring certification and accreditation. New information systems should be identified during development to ensure that certification and accreditation is accomplished prior to implementation.

Management’s Response: The Office of Security and Privacy Oversight has an initiative underway to improve the certification and accreditation process. The process will include assessing new systems early in the development life cycle to ensure that requirements are known and adequately addressed. Systems will be implemented without full certification on a very limited basis. Other components of the process include reducing the backlog of uncertified systems with contractor support, coordinating more effectively with accrediting executives, and tracking the progress of systems during development to ensure that actions are taken to certify the system before implementation.

Office of Audit Comment: We believe that management’s response is adequate with one important exception. Considering the sensitivity of the data processed by the IRS and the risks inherent in today’s interconnected computer systems, we do not believe that any new system should be implemented without appropriate security controls.

The Certification Program Office Does Not Have Sufficient Information to Monitor Accreditations

One of the Certification Program Office’s responsibilities is to provide timely status and technical information regarding certification and accreditation of IRS information systems to responsible executives. As previously mentioned, only 26 of the 258 systems listed on the inventory of sensitive systems were certified. However, the Certification Program Office had information on only 5 of the 26 certified systems indicating that they had been accredited. There is no control in place within the IRS’ certification process to ensure that accreditations are granted and granted timely for certified systems. As a result, systems were placed into production without any IRS official accepting accountability for security.

Although the Certification Program Office does request a copy of the official accreditation in the transmittal accompanying the certification statement, it seldom receives a copy. In addition, the Certification Program Office does not follow-up after certification of a system to see if an accreditation was actually issued.

The Certification Program Office had a copy of the official IAO issued by the accrediting executive for only 6 of the 143 systems shown on the inventory as having an IAO as of January 13, 2000. The Certification Program Office does not request a copy of the official IAO from the responsible executive.

The IAO issue date and expiration date maintained by the Certification Program Office were often inaccurate. We reviewed IAOs for 125 of the 143 systems which had been granted an IAO. The issue and/or expiration dates maintained by the Certification Program Office were inaccurate for 103 (82.4 percent) of the 125 documents. Since the Certification Program Office generally does not have a copy of the official IAO, it determined the expiration date by adding one year to the date it notified the functional executive that an IAO was approved. However, the accrediting executive can issue the IAO for any period of time up to, but not to exceed, one year.

Recommendation

7. Information Systems management should ensure that the IRS’ certification process includes follow-ups with the accrediting executives to ensure that necessary information relevant to the official accreditation is provided and to educate them on the importance of providing this information. Once obtained, information relevant to the official accreditation should be maintained and tracked in a centralized location for reporting purposes.

Management’s Response: The Office of Security and Privacy Oversight’s new certification process will include the capability to track the accreditation status, post-implementation review status, and any deviations from the certification process.

Conclusion

The IRS certification and accreditation processes have not been effective in ensuring that security is built into new information systems. Once a system is rolled out, it is often difficult and expensive to add those controls. The IRS is taking steps through contractor support during the certification process to alleviate this situation. However, more emphasis is needed to resolve this material control weakness in a timely manner to reduce costs and better protect the privacy of taxpayers’ information.

Detailed Objective, Scope, and Methodology

The overall objective of this audit was to determine whether the Internal Revenue Service’s (IRS) security certification process for information systems and networks is effective. Specifically, we:

• Determined whether information systems in use were certified and re-certified when appropriate.
• Determined whether information systems in use were accredited and re-accredited when appropriate.

We conducted the following tests to accomplish the objective:

1. Determined specific requirements of law, regulation, and standards for the IRS in terms of security certification and accreditation of its information systems and networks. Specifically, we:

1. Reviewed pertinent portions of Public Laws (e.g., Public Law 100-235, The Computer Security Act of 1987), the United States Code, and Federal Regulations.
2. Reviewed pertinent Office of Management and Budget (OMB) Circulars (e.g., No. A-127, No. A-130, etc.).
3. Reviewed Guidelines for Computer Security Certification and Accreditation (Federal Information Processing Standards Publication 102).
4. Reviewed National Computer Security Center, Introduction to Certification and Accreditation (NCSC-TG-029).

1. Performed a walk-through of the Certification Program Office in the National Office to determine the processes and procedures in place for certifying and re-certifying IRS information systems and networks.
2. Interviewed National Office personnel in the Certification Program Office to:

1. Determine their perspective on the average time it takes to certify and accredit an information system and a network.
2. Obtain their current inventory of systems and/or networks requiring security certification, including the status of the security certification and accreditation for each system and/or network.
3. Request access to their security certification and/or accreditation files for all IRS information systems and networks.

5. For all information systems and networks that did have a current accreditation as determined in IV above, we determined if the accreditation was appropriate. Specifically, we:

1. Determined if a security certification was completed prior to the accreditation.
2. For those with a security certification prior to accreditation, we determined if the security certification packages were complete, per Internal Revenue Manual 2.1.10.2.3.5, including:

- Risk Assessment
- Computer Security Plan
- System Notice
- Configuration Management documentation
- Continuity Of Operations Plan
- Trusted Facility Manual
- Security Features User’s Guide
- Security Test and Evaluation (STE) Report
- Privacy Impact Assessment
- Any exceptions from the C2 requirements

3. Determined if the accreditation package was complete.
4. Determined if the appropriate level IRS executive was selected as the accrediting authority.

Major Contributors to This Report

Scott E. Wilson, Associate Inspector General for Audit (Information Systems Programs)

Stephen R. Mullins, Director

Joseph C. Wabnitz, Audit Manager

Cecil A. Begley, Senior Auditor

Richard J. Flynn, Senior Auditor

John W. Baxter, Auditor

Carol A. Rowland, Auditor

Una K. Smith, Auditor

Marjorie Stephenson, Auditor

Report Distribution List

Chief Information Officer IS

Director, Office of Security and Privacy Oversight IS:SPO

Director, Security, Evaluation and Oversight IS:SPO:S

Director, Office of Program Evaluation and Risk Analysis M:O

National Director for Legislative Affairs CL:LA

Office of Management Controls M:CFO:A:M

Office of Chief Counsel CC

Office of the National Taxpayer Advocate C:TA

Audit Liaison

Chief Information Officer IS

Outcome Measures

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. These benefits will be incorporated into our Semiannual Report to the Congress.

The majority of Internal Revenue Service (IRS) information systems were not certified and accredited as required. Of the 258 systems identified on the Certification Program Office’s inventory of sensitive systems as of January 13, 2000, only 26 (10.1 percent) were certified. The remaining 232 (89.9 percent) were not certified. For the many taxpayers who have information on these 232 non-certified systems, the IRS does not have adequate assurance that the data is secure since the information systems do not have the proper security certification and accreditation.

The IRS should place more emphasis on building security controls into new information systems. To ensure this happens, IRS management should not authorize the implementation of any new system until controls are sufficient and the system has the required security certification and accreditation. Interim Authorities to Operate should not be issued on any new system.

For systems that have already been implemented, the IRS needs to place additional emphasis on timely security certification and accreditation. The IRS should ensure that funds continue to be allocated for contractor support during the certification process and consideration should be given to increasing this allocation in order to get systems certified as soon as possible. In addition, consideration should be given to increasing the human resources available to the certification program.

The security certification and accreditation process is a critical part of the IRS’ overall computer security initiative. Thus, potential outcomes can be expected for the following measures:

• Taxpayer privacy and security.
• Protection of resources/reliability of information.

Obtaining the required security certification and accreditation for each of the non-certified IRS information systems would provide greater assurance that the data for the 123 million taxpayers is secure and reliable.

The IRS Statistics of Income Division estimates over 123 million taxpayers filed tax returns in 1998, the most current year statistics are readily available. Since all taxpayer data is located on one or more of the IRS’ information systems, the security of the data for all taxpayers is relevant to this audit.

In addition, the IRS is currently paying contractors about $111,000 per system to document security controls. To pay a contractor at this rate to document the 232 uncertified systems could cost the IRS nearly $26 million. Since this amount will have to be spent regardless of our recommendations, we are not considering it an outcome measure but consider it an impact of placing systems into production without certifying security.

By building security controls into new systems in accordance with a security architecture, the IRS would only have to document and certify compliance with the architecture and ensure exceptions to the architecture were reasonably secure. No data exist to estimate this cost, but we believe the cost would be minimal and the work could possibly be done with current project personnel. To compute the cost that could have been avoided, we did not consider the cost of certifying the system. The IRS is currently paying contractors about $27,000 per system for testing and certifying. While some of this cost would be incurred regardless of when security controls were designed, we believe a significant amount could be avoided if systems were designed to meet a security architecture.

Management's Response to the Draft Report

The response has been removed due to its size. To see the complete response, please go to the Adobe PDF version of this report on the TIGTA Public Web Page.