TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION
THE INTERNAL REVENUE SERVICE SHOULD IMPROVE ACTIONS TO PROTECT ITS CRITICAL INFRASTRUCTURE
June 2000
Reference No. 2000-20-097
Executive Summary
The Clinton Administration’s Policy on Critical Infrastructure Protection: Presidential Decision Directive (PDD) 63, dated May 1998, calls for a national effort to assure the security of the nation’s critical infrastructure. The infrastructure includes systems essential to the minimum operations of the economy and government, such as telecommunications, banking and finance, energy, and transportation.
PDD 63 requires that each government department and agency prepare a plan for protecting its own critical infrastructure. The objective of this review was to evaluate the adequacy of the Internal Revenue Service’s (IRS) planning and assessment activities for protecting its critical computer-based infrastructure. We conducted this review in conjunction with other similar audits being conducted by members of the President’s Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency. At least 21 Inspectors General are participating in the project.
Results
During the last three years, the IRS has taken significant actions to identify and correct security weaknesses. These actions have included conducting extensive on-site security reviews of IRS facilities and some systems. While it is likely that these reviews have covered many mission essential systems, the IRS has taken only limited actions to formally address the deliverables required by PDD 63.
The Internal Revenue Service Has Taken Limited Actions to Address Critical Infrastructure Planning and Assessment Requirements
The IRS appointed a Chief Infrastructure Assurance Officer (CIAO) in December 1999, and has assigned a limited staff for support. However, little has been done to meet the first milestones prescribed by PDD 63: to identify all mission essential assets, ensure that complete vulnerability assessments for these specific assets have been performed, and develop a multi-year funding plan for managing the critical infrastructure program by December 2000. As a result, these milestones are in jeopardy of not being met. Until mission essential assets are defined and steps are taken to ensure that each of these assets has been adequately evaluated, IRS management will not have a complete accounting of the vulnerabilities of its critical infrastructure or a clear picture of the actions necessary to comply with PDD 63.
If the IRS’ critical infrastructure is not adequately evaluated, the government’s primary revenue collector, and other agencies and states that use its data, could be at risk of disrupted operations and processing delays.
Summary of Recommendations
To expedite efforts to meet the PDD 63 milestones, the IRS should apply the results of its ongoing security evaluation efforts, which are identifying and correcting security weaknesses, to its actions to comply with PDD 63. Additionally, the IRS CIAO should coordinate with senior Department of the Treasury and IRS officials to expedite the definition and identification of mission essential assets for critical infrastructure protection.
Management’s Response: We issued a draft of this report to IRS management on April 28, 2000, with a May 30, 2000, response period. However, management’s response was not available as of the date this report was released.