TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION
THE INTERNAL REVENUE SERVICE SHOULD IMPROVE ACTIONS TO PROTECT ITS CRITICAL INFRASTRUCTURE
Reference No. 2000-20-097
The Clinton Administrationís Policy on Critical Infrastructure Protection: Presidential Decision Directive (PDD) 63, dated May 1998, calls for a national effort to assure the security of the nationís critical infrastructure. The infrastructure includes systems essential to the minimum operations of the economy and government, such as telecommunications, banking and finance, energy, and transportation.
PDD 63 requires that each government department and agency prepare a plan for protecting its own critical infrastructure. The objective of this review was to evaluate the adequacy of the Internal Revenue Serviceís (IRS) planning and assessment activities for protecting its critical computer-based infrastructure. We conducted this review in conjunction with other similar audits being conducted by members of the Presidentís Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency. At least 21 Inspectors General are participating in the project.
During the last three years, the IRS has taken significant actions to identify and correct security weaknesses. These actions have included conducting extensive on-site security reviews of IRS facilities and some systems. While it is likely that these reviews have covered many mission essential systems, the IRS has taken only limited actions to formally address the required deliverables asked for in PDD 63.
The Internal Revenue Service Has Taken Limited Actions to Address Critical Infrastructure Planning and Assessment Requirements
The IRS appointed a Chief Infrastructure Assurance Officer (CIAO) in December 1999, and has assigned a limited staff for support. However, little has been done to meet the first milestones prescribed by PDD 63: to identify all mission essential assets, ensure that complete vulnerability assessments for these specific assets have been performed, and develop a multi-year funding plan for managing the critical infrastructure program by December 2000. As a result, these milestones are in jeopardy of not being met. Until mission essential assets are defined and steps are taken to ensure that each of these assets has been adequately evaluated, IRS management will not have a complete accounting of the vulnerabilities of its critical infrastructure or a clear picture of the actions necessary to comply with PDD 63.
If the IRSí critical infrastructure is not adequately evaluated, the governmentís primary revenue collector, and other agencies and states that use its data, could be at risk of disrupted operations and processing delays.
Summary of Recommendations
To expedite efforts to meet the PDD 63 milestones, the IRS should use the results of its ongoing security evaluation efforts, which are identifying and correcting security weaknesses, in actions to comply with PDD 63. Additionally, the IRS CIAO should coordinate with senior Department of the Treasury and IRS officials to expedite the definition and identification of mission essential assets for critical infrastructure protection.
Managementís Response: We issued a draft of this report to IRS management on April 28, 2000, with a May 30, 2000, response period. However, managementís response was not available as of the date this report was released.