More Management Attention Is Needed to Protect Critical Assets
Reference Number: 2005-20-108
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
July 15, 2005
MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Deputy Inspector General for Audit
SUBJECT: Final Audit Report - More Management Attention Is Needed to Protect Critical Assets (Audit # 200520001)
This report presents the results of our review to determine whether the Internal Revenue Service (IRS) was making adequate progress in protecting its critical infrastructure and complying with Federal Government requirements. The audit focused on the processes and methodologies the IRS used to document and report on the status of its critical infrastructure protection.
In summary, Homeland
Security Presidential Directive/HSPD-7, Critical
Infrastructure Identification, Prioritization, and Protection dated
December 17, 2003, established a national policy for Federal agencies to
HSPD-7 required all Federal agencies to develop plans to protect their critical infrastructure by July 31, 2004. The IRS timely provided the Department of the Treasury a list of 19 critical assets that had been identified in the latter part of 1998 in response to The Policy on Critical Infrastructure Protection: Presidential Decision Directive (PDD-63), dated May 1998. The Department of the Treasury also required all bureaus to update their list of critical infrastructure by September 2005. The IRS is still in the process of performing the analysis necessary to identify its critical assets and expects to have it completed by the Department of the Treasury’s deadline.
Although the IRS expects to meet the goals established by the Department of the Treasury, sufficient attention has not been given to keeping the list of critical assets current. The IRS does not have a process to regularly review its inventory of critical assets to ensure it remains current and complete. To respond to the Department of the Treasury mandate, the IRS had to begin the current identification process by analyzing its complete inventory of assets rather than just adjusting it for recent year changes. The lack of a current listing increases the risks that critical assets may not be protected.
We also believe the IRS could have reacted more promptly to HSPD-7. The Directive allowed 7 months for agencies to develop and submit plans to the Office of Management and Budget that addressed the identification, prioritization, and protection of their critical assets. Based on the current schedule, the IRS will require 21 months just to finish the analysis necessary to complete an updated list of critical assets. Sufficient Mission Assurance and Security Services (MA&SS) organization resources have not been devoted to ensuring a proactive response in implementing HSPD-7. In addition, business unit owners who are most familiar with the criticality of their systems have not been involved yet in this process.
After its critical assets are identified, the IRS will need to adequately assess those assets for vulnerabilities, and then develop and implement plans to protect them. Since a new list of critical assets had not been completed yet, we reviewed the IRS’ progress in securing 17 potential critical assets identified by its ongoing analysis. These assets are vital to the IRS’ returns processing, law enforcement, and customer service responsibilities. Operational and technical controls for these systems have not been adequately tested and prioritized. In addition, plans for correcting the weaknesses that had been identified are not adequate. We believe business unit owners have been slow to accept responsibility for the security of their systems, and they have not devoted sufficient attention to testing and correcting security weaknesses, even for critical assets.
To ensure the IRS maintains a current and complete list of critical infrastructure assets, we recommended the Chief, MA&SS, coordinate with all business units at least annually to confirm the IRS’ list of critical assets is accurate and complete. More emphasis should also be placed on completing the IRS’ current efforts to identify its critical assets. Since we have previously reported deficiencies in how the IRS tested systems for vulnerabilities and how it developed corrective action plans to reduce known vulnerabilities, we are making no additional recommendations in these areas.
Management’s Response: The Chief, MA&SS, concurred with our recommendations and will ensure a written survey is developed and distributed to all IRS business units possessing one or more critical assets. The results of the survey will be compiled and approved by IRS executives and will represent an updated list of critical assets. Also, the Chief, MA&SS, will coordinate with all business units, at least annually, to confirm the IRS’ list of critical assets is accurate and complete. A specific timetable for this coordination is included in the response. Management’s complete response to the draft report is included as Appendix IV.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
On December 17, 2003, the President signed Homeland Security
Presidential Directive/HSPD-7, Critical
Infrastructure Identification, Prioritization, and Protection. HSPD-7 established a national policy for Federal
Government agencies to protect the
While an estimated 85 percent of the
Under HSPD-7, all Federal agency heads are responsible for:
We conducted this review to evaluate the IRS’ progress in
addressing these responsibilities. The
review was performed at the Mission Assurance and Security Services (MA&SS)
offices in New Carrollton, Maryland, and the Enterprise Resilience and Critical
Infrastructure Protection Program Office in
The Policy on Critical Infrastructure Protection: Presidential Decision Directive (PDD-63), dated May 1998, directed Federal agencies to implement plans for protecting Federally owned critical infrastructure by May 2000. In response to PDD-63, the IRS identified 19 critical assets in November 1998.
HSPD-7 superseded PDD-63 and required the heads of all Federal agencies to submit to the Director, Office of Management and Budget (OMB), by July 31, 2004, plans for protecting their physical and cyber critical infrastructure. The Department of the Treasury is also requiring all bureaus to identify a more current set of critical assets using a tool developed by the Department of Commerce called Project Matrix. The IRS expects to complete its analyses and have a new list of critical assets by September 2005.
To update the November 1998 list of 19 critical assets, the IRS began with a universe of about 350 computer systems and 730 buildings. Next, using criteria provided by the Department of the Treasury, it identified 96 assets that were considered potential critical assets and, in March 2005, refined the list to 17 (14 systems and 3 buildings). Plans call for detailed questionnaires to be completed by the business unit owners of each of the 14 systems and reviewed by the Department of the Treasury and the IRS’ MA&SS organization.
All 17 assets are vital to the IRS’ returns processing, law enforcement, and customer service responsibilities. The 17 assets were previously included in the original list of critical assets identified in the list issued in November 1998.
Although the IRS expects to meet the goals established by the Department of the Treasury, sufficient emphasis has not been given to maintaining a current list of critical assets. The MA&SS organization did not have a process to regularly review its inventory of critical assets to ensure it remained current and complete. As a result, the IRS had to begin the current identification process by analyzing its complete inventory of assets rather than just adjusting it for recent year changes. The lack of a current listing increased the risks that critical assets may not be protected.
We also believe the IRS could have reacted more promptly to HSPD-7. The Directive allowed 7 months for agencies to develop and submit plans to the OMB to address the identification, prioritization, and protection of their critical assets. Based on the current schedule, the IRS will require 21 months just to finish the analysis necessary to complete an updated list of critical assets.
MA&SS organization management was not devoting sufficient resources to ensuring a proactive response in implementing HSPD-7. Initially, only 1 person from the MA&SS organization was assigned to evaluate the 350 systems to derive the 96 potential critical systems. Two MA&SS and 1 Department of the Treasury critical infrastructure protection program staff members worked to reduce the 96 systems to 17. In addition, business unit owners who are in the best position to determine the criticality of their systems were not scheduled to be involved until the end of the identification process. As of April 2005, questionnaires had not been issued yet to the business owners of these systems.
Identifying and maintaining a list of critical assets is the first step required in critical infrastructure protection planning. Until the IRS fully identifies its critical infrastructure and undertakes regular, repeated reviews of the list to keep it current, the IRS may not be able to ensure its critical infrastructure is adequately secured.
The Chief, MA&SS, should:
1. Coordinate with all business units to complete the process of identifying a current list of critical assets to comply with HSPD-7 and ensure the protection of those assets.
Management’s Response: The Chief, MA&SS, will ensure a written survey is developed and distributed for completion by all IRS business units possessing critical assets. The survey results will be compiled, approved by IRS executives, and will represent an updated list of critical assets.
2. Coordinate with all business units at least annually to confirm the IRS’ list of critical assets is accurate and complete.
Management’s Response: The Chief, MA&SS, will coordinate with all business units, at least annually, to confirm the IRS’ list of critical assets is accurate and complete. The process will include issuing a memorandum by August 15 of each year asking the business units to complete the previously mentioned survey by September 15. The results will be presented to the Chief, MA&SS, for approval no later than October 15, and submitted to the Deputy Commissioner for Operations Support for final approval. This process will be repeated annually.
After the IRS identifies its critical assets, it will need to adequately assess those assets for vulnerabilities. Federal Government requirements for assessing both critical and noncritical computer systems for vulnerabilities existed for many years prior to HSPD-7. OMB Circular No. A-130, Security of Federal Automated Information Resources, originally issued in 1985, requires agencies to secure their computer systems. Under the Federal Information Security Management Act of 2002 (FISMA) and its predecessor, the Government Information Security Reform Act of 2000, agencies are required to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
When security weaknesses are identified, the Department of the Treasury and the OMB require the vulnerabilities and related corrective actions to be documented and tracked in Plans of Action and Milestones (POA&Ms). We reviewed the POA&Ms and other information to determine the status of security controls for the IRS’ latest list of 17 potential critical assets.
According to those documents, the 17 potential critical assets were not adequately secured, making them unnecessarily vulnerable to attack. At the time of our review, the IRS reported the following vulnerabilities:
In addition, the 14 potentially critical computer systems were not adequately reviewed for operational and technical security controls. Operational controls are primarily implemented and executed by people (as opposed to systems) and include, for example, personnel security and security awareness, training, and education. Technical controls are executed by computer systems and include, for example, logical access controls and audit trails. Without adequate testing, the IRS cannot determine whether security policies and procedures had been implemented effectively.
The FISMA requires that, at least annually, agency program officials (business unit owners) review the security controls of the systems they use to carry out their responsibilities. OMB guidance states the evaluations should be based on the testing of management, operational, and technical controls to determine whether policies and procedures had been developed and implemented.
Testing and prioritizing critical assets for vulnerabilities was not adequate because business unit owners had not taken responsibility for the security of their systems. Critical assets, in particular, had not received adequate attention from IRS management.
Because we have reported this condition in a recent Treasury Inspector General for Tax Administration (TIGTA) memorandum to the Chief, MA&SS, regarding the IRS’ compliance with the FISMA, we are making no additional recommendations.
After vulnerabilities of critical assets have been identified, HSPD-7 requires plans be developed for correcting vulnerabilities. Even before HSPD-7, Federal laws and guidance required plans be developed and implemented to reduce security weaknesses.
In a prior review, we reported that POA&Ms for both critical and noncritical systems are of limited value because they are based on the inadequate vulnerability assessments we described earlier. Implementing the corrective actions in a POA&M may not necessarily mean a system has been secured if all vulnerabilities were not identified and entered into the POA&M.
In addition, we reported that both critical and noncritical computer systems had nearly identical milestone dates for the correction of all listed weaknesses. The corrective actions for all of the applications were identical: (1) assign accountable personnel, (2) perform gap analysis, (3) design and test process, and (4) implement solution.
Without an effective POA&M process, the IRS cannot adequately prioritize security deficiencies to ensure significant weaknesses of critical assets are timely addressed and resolved.
Since our original reporting of problems with the POA&Ms, the IRS has made a significant effort to improve them and is in the process of correcting other problems we raised with the POA&Ms. As part of our Fiscal Year 2005 FISMA evaluation, we will be assessing the adequacy of IRS management’s ongoing effort to improve the POA&M process. Because we have reported these conditions and made recommendations in prior TIGTA audit reports, we are making no additional recommendations.
The overall objective of this review was to determine whether the Internal Revenue Service (IRS) was making adequate progress in protecting critical infrastructure and complying with Federal Government requirements. To accomplish our objective, we:
I. Obtained the necessary background information on protecting critical assets.
A. Identified and reviewed critical infrastructure protection requirements set forth by the various requirement setting authorities.
B. Obtained and reviewed the Critical Infrastructure Protection Plan the IRS submitted to the Department of the Treasury for inclusion in the Departmental Critical Infrastructure Protection Plan submitted to the Office of Management and Budget (OMB).
C. Contacted appropriate personnel in the Department of the Treasury to obtain the instructions and guidelines issued to the bureaus.
II. Evaluated the IRS’ efforts to identify its critical infrastructure.
A. Determined the instructions, criteria, and due dates issued by the Department of Homeland Security, the OMB, and the Department of the Treasury for determining which infrastructures were critical.
B. Obtained and reviewed the list of IRS critical infrastructure assets.
C. Evaluated the process and criteria the IRS used to identify its critical assets.
III. Determined whether the IRS’ critical assets were assessed for vulnerabilities and whether corrective actions had been taken to reduce those vulnerabilities.
A. Determined whether testing was performed by the Modernization and Information Technology Services organization, the Mission Assurance and Security Services organization, or the business units.
B. Determined whether the IRS used certification and accreditation results and, if so, whether the certification and accreditation was conducted within the last 12 months.
C. Determined whether the IRS conducted annual reviews to identify and assess vulnerabilities.
D. Reviewed Plans of Action and Milestones to determine whether vulnerabilities had been identified and corrective actions and milestones had been developed to reduce the vulnerabilities.
Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Gerald Horn, Audit Manager
Richard Borst, Lead Auditor
Allen Gray, Senior Auditor
Jody Kitazono, Senior Auditor
Charles Ekholm, Auditor
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Service and Enforcement SE
Chief Information Officer OS:CIO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Chief Information Officer OS:CIO
The response was removed due to its size. To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.