TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Planning Is Underway for the Enterprise-Wide Transition to Internet Protocol Version 6, but Further Actions Are Needed

 

 

 

February 27, 2014

 

Reference Number:  2014-20-016

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

 

Phone Number  /  202-622-6500

E-mail Address /  TIGTACommunications@tigta.treas.gov

Website           /  http://www.treasury.gov/tigta

 

 

HIGHLIGHTS

PLANNING IS UNDERWAY FOR THE ENTERPRISE-WIDE TRANSITION TO INTERNET PROTOCOL VERSION 6, BUT FURTHER ACTIONS ARE NEEDED

Highlights

Final Report issued on February 27, 2014

Highlights of Reference Number:  2014-20-016 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Like any new technology standard, network conversion to Internet Protocol version 6 (IPv6) introduces security risks if not implemented and managed properly.  When the IRS’s data and network are not secured, taxpayer information becomes vulnerable to unauthorized disclosure, which can lead to identity theft.  Furthermore, security breaches can cause network disruptions and prevent the IRS from performing vital taxpayer services, such as processing tax returns, issuing refunds, and answering taxpayer inquiries. 

WHY TIGTA DID THE AUDIT

The overall objective of this review was to assess the IRS’s progress in converting its network to IPv6 according to Office of Management and Budget requirements.  This audit was included in TIGTA’s Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

WHAT TIGTA FOUND

The IRS established an IPv6 project team to manage the network conversion.  The project team has adequately planned for security risks during the conversion but has not completed some elements of the transition plan.  For example, the IRS has not established an IPv6 Advisory Board or prepared a resource plan to ensure proper guidance and coordination within and outside of the agency on its IPv6 efforts.  Also, the Procurement function did not establish controls to ensure that all new information technology purchases were IPv6 capable in accordance with the Federal Acquisition Regulation.  Lastly, TIGTA found that the project team received inadequate oversight from the Infrastructure Executive Steering Committee and did not adhere to the IRS’s Enterprise Life Cycle policy.  Given the geographic dispersion of the IRS network and its size and complexity, the enterprise-wide network conversion will have a far-reaching impact on many IRS functions.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer direct the project team to stand up an advisory board; develop an Information Resources Management Strategic Plan; and coordinate with the IRS Enterprise Life Cycle Office to better manage project documentation and schedules.  TIGTA also recommended that the Chief Technology Officer coordinate with the IRS Procurement Office to update its policy to align with the Federal Acquisition Regulation and establish a control to prevent the purchase of IPv6 incapable products; coordinate with IRS business units to ensure that complete responses to the project team’s applications data call are received so that they can begin extensive planning for each application that will require upgrading; assess the merits of transferring project oversight to another governance board that regularly monitors and provides oversight of information technology projects; and direct the Infrastructure Executive Steering Committee to update its charter in order to properly reflect the current roles and responsibilities of the committee.

The IRS agreed with our recommendations to develop an Information Resources Management Strategic Plan, better manage IPv6 project documentation, update the Infrastructure Executive Steering Committee charter, and coordinate between offices to achieve procurement policy alignment with Federal regulations and an exchange of information necessary for a successful transition to IPv6.  The IRS updated the IPv6 Transition Plan so that existing oversight groups fulfill the purpose of an advisory board.  Management prefers to continue with its current governance board structure for this project since it provides oversight for the entire IT infrastructure portfolio.

 

February 27, 2014

 

 

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

 

FROM:                            Michael E. McKenney /s/ Michael E. McKenney

                                         Acting Deputy Inspector General for Audit

 

SUBJECT:                  Final Audit Report – Planning Is Underway for the Enterprise-Wide Transition to Internet Protocol Version 6, but Further Actions Are Needed (Audit # 201320009)

 

This report presents the results of our review of the Internal Revenue Service’s (IRS) progress in converting its network to Internet Protocol version 6 to comply with Office of Management and Budget requirements.  This audit was included in the Treasury Inspector General for Tax Administration’s Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.  This audit was also part of our statutory requirement to annually review the adequacy and security of IRS technology.

Management’s complete response to the draft report is included as Appendix VII.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

 

 

 

Table of Contents

 

Background

Results of Review

The Internal Revenue Service Is Addressing the Security Risks and Technical Limitations of Internet Protocol Version 6

Key Action Items From the 2014 Internet Protocol Version 6 Transition Plan Need to Be Completed and Outreach Efforts Need to Be Improved

Recommendations 1 and 2:

Recommendations 3 and 4:

The Internet Protocol Version 6 Project Did Not Receive Adequate Executive Oversight and Did Not Adhere to the Enterprise Life Cycle in 2012

Recommendations 5 through 7:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Major Differences Between IPv4 and IPv6 Headers

Appendix V – Enterprise Life Cycle Overview

Appendix VI – Glossary of Terms

Appendix VII – Management’s Response to the Draft Report

 

 

Abbreviations

 

ELC      Enterprise Life Cycle

IP       Internet Protocol

IPv4     Internet Protocol version 4

IPv6     Internet Protocol version 6

IRS      Internal Revenue Service

NIST     National Institute of Standards and Technology

OMB      Office of Management and Budget

 

 

Background

 

Federal agencies are required to complete the transition to IPv6 by the end of Fiscal Year 2014.

In August 2005, the Office of Management and Budget (OMB) mandated that Federal agencies begin planning for the transition from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6).  IPv6 is not backward compatible with IPv4.  It is a new network layer protocol[1] that increases the network address size from 32 bits in IPv4 to 128 bits, as illustrated in Figure 1.  In addition to the extended address space, IPv6 has many new or improved features that make it significantly different from its IPv4 predecessor, including automatic configuration, a different header structure with extension headers, Internet Protocol (IP) security, mobility, quality of service, route aggregation, and efficient transmission.[2]

Figure 1:  Comparison of IPv4 and IPv6 Addressing Scheme

Figure 1 was removed due to its size.  To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

Source:  Government Accountability Office.
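The header structure and extension headers mentioned above are the part of IPv6 that most changes how a firewall, intrusion detection sensor, or application parses a packet.  The following Python example is added here and is not from the TIGTA report or the IRS: it parses a constructed IPv4 packet and a constructed IPv6 packet side by side, and walks the IPv6 extension-header chain with a length cap, since an unbounded chain can push the transport header past what a filter inspects.  The addresses use the documentation ranges 192.0.2.0/24 and 2001:db8::/32, and the packet builders exist only to create test input.

```python
"""Added example, not part of the TIGTA report: parse an IPv4 header and an
IPv6 header side by side and walk the IPv6 extension-header chain.

Packets are constructed below with the documentation ranges 192.0.2.0/24 and
2001:db8::/32; nothing here is taken from the IRS network.
"""
import ipaddress
import struct

# Next Header values for the extension headers a parser must step over to reach
# the transport protocol (hop-by-hop, routing, fragment, destination options).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
TCP, UDP = 6, 17


def parse_ipv4(pkt: bytes) -> dict:
    """IPv4: a 20-byte header plus options, with the length in the IHL field."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt) or total_len > len(pkt):
        raise ValueError("bad IPv4 version, IHL or total length")
    return {
        "version": 4, "header_len": ihl, "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "payload": pkt[ihl:total_len],
    }


def parse_ipv6(pkt: bytes, max_ext: int = 8) -> dict:
    """IPv6: a fixed 40-byte header; options live in a chain of extension headers.

    The transport protocol is only known after following every Next Header
    field, so the parser caps the chain length: an attacker can otherwise push
    the transport header past what a filter inspects, or into a later fragment.
    """
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, nxt, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if 40 + payload_len > len(pkt):
        raise ValueError("payload length exceeds packet")
    chain, off = [], 40
    while nxt in EXT_HEADERS:
        if len(chain) >= max_ext:
            raise ValueError("extension header chain too long")
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nxt)
        # The fragment header is always 8 bytes; the others carry their length
        # in 8-octet units, not counting the first 8 octets.
        ext_len = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + ext_len
    if off > len(pkt):
        raise ValueError("extension header runs past packet")
    return {
        "version": 6, "hop_limit": hop_limit, "protocol": nxt, "ext_headers": chain,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "payload": pkt[off:40 + payload_len],
    }


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet with no options and a zero checksum."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0)
    return hdr + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload


def build_ipv6(src: str, dst: str, chain: list, proto: int, payload: bytes) -> bytes:
    """Constructed IPv6 packet with the given extension headers, each 8 bytes."""
    nexts = chain + [proto]
    body = b""
    for i, ext in enumerate(chain):
        if ext == FRAGMENT:
            body += struct.pack("!BBHI", nexts[i + 1], 0, 0, 0xC0FFEE)
        else:  # Next Header, Hdr Ext Len = 0, then a 4-byte PadN option
            body += bytes([nexts[i + 1], 0, 1, 4, 0, 0, 0, 0])
    body += payload
    hdr = struct.pack("!IHBB", 6 << 28, len(body), nexts[0], 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


if __name__ == "__main__":
    print(parse_ipv4(build_ipv4("192.0.2.1", "192.0.2.2", TCP, b"hello")))
    print(parse_ipv6(build_ipv6("2001:db8::1", "2001:db8::2",
                                [HOP_BY_HOP, DEST_OPTS, FRAGMENT], UDP, b"hi")))
```

The cap of eight extension headers is an arbitrary operational choice for this example; the point is that an IPv6 inspection path needs some bound and needs to reject chains it cannot fully walk, because the transport header is not at a fixed offset the way it is in IPv4.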

On September 28, 2010, the Federal Chief Information Officer issued a memorandum entitled Transition to IPv6 to all Chief Information Officers of Executive departments and agencies that sets forth specific deadlines for the IPv6 transition within the Federal Government.  Agencies were required to designate an IPv6 Transition Manager who would lead all agency IPv6 transition activities and serve as a liaison with the wider Federal IPv6 effort.  Agencies were also required to ensure that information technology procurements are in accordance with the Federal Acquisition Regulation regarding IPv6.  The memorandum set deadlines for two separate phases of the IPv6 transition.  By the end of Fiscal Year 2012, all agencies were instructed to upgrade public and external-facing servers and services, e.g., web, e-mail, Domain Name System, Internet Service Provider services, etc., to operationally use IPv6.  By the end of Fiscal Year 2014, agencies must complete the transition by upgrading internal client applications that communicate with public Internet servers and supporting enterprise networks to operationally use IPv6.  The Chief Information Officers Council issued a planning guide[3] to help agencies prepare for IPv6 deployment, and the National Institute of Standards and Technology (NIST) also issued guidelines[4] detailing the security benefits, risks of deployment, and other IPv6 technical details.

The Internal Revenue Service (IRS) assigned an IPv6 Transition Manager from the User Network and Services function in its Information Technology organization, and the IPv6 project team met the 2012 deadline for external and customer-facing servers.  However, the Registered User Portal was not included in the IPv6 transition because it is undergoing an update and will transition later this year.  The Registered User Portal is the IRS external-facing portal that allows registered individuals or their representatives and third-party users to access selected tax processing and other sensitive IRS systems, applications, and data.  Regarding the 2014 deadline, the IRS is planning now for the transition ahead.  The enterprise-wide transition to IPv6 will constitute a significant effort for the IRS due to the agency’s size, geographic dispersion, and diversity of hardware, systems, applications, and legacy equipment that must be reconfigured or replaced.

The IPv6 project team informed us that they expect hardware and software upgrades and updates necessary to facilitate the transition to be paid for through the normal technology refresh cycle, but they have not yet made any attempt to quantify costs for these upgrades with respect to the business units.  The IPv6 project team itself does not have a dedicated budget allocated for network or server equipment upgrades.  During the time of this review, the project team was in the process of standing up two test laboratories that will be located in Memphis, Tennessee, and Martinsburg, West Virginia.  Hardware for the laboratories and IPv6 patches on existing software is expected to cost approximately $1 million.

This review was performed with information obtained from the IRS Information Technology organization’s User and Network Services and Cybersecurity functions located in New Carrollton, Maryland; Memphis, Tennessee; and Dallas, Texas, as well as the Agency-Wide Shared Services located in Oxon Hill, Maryland, during the period January through August 2013.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

The Internal Revenue Service Is Addressing the Security Risks and Technical Limitations of Internet Protocol Version 6

We found that the IRS IPv6 project team successfully met the 2012 external-facing services deadline and made progress in their planning efforts for the 2014 enterprise-wide effort.  Specifically, the IRS is adequately documenting security risks and requirements for the network conversion to IPv6.  To date, the IPv6 project team has documented more than 1,800 security requirements that they identified from NIST guidance and from more than 50 Internet Engineering Task Force Request for Comments technical documents.  They also identified security requirements in industry best practices white papers, i.e., Microsoft and Cisco, and from other Federal agency guidance.  The Cybersecurity team lead for the IPv6 project requested that an external team of IRS security engineers audit and validate the 1,800 security requirements and suggest changes where appropriate; that team has since audited and validated all 1,800 requirements and suggested changes where necessary.

Our analysis of NIST policies found five additional technical Request for Comments documents that the IRS should consider.  One of these describes a mechanism that provides a secure binding between the multiple addresses, with different prefixes, that are available to a host within a multihomed site.  The IPv6 project team stated that they would incorporate the security requirements from the five documents that we identified, and that they had already incorporated the changes that the external peer review team suggested.  Although it is too early to determine whether the IRS will securely deploy IPv6, we believe the IPv6 project team is aware of the multitude of security risks, allowing them to address those risks prior to the enterprise-wide network conversion.

Furthermore, IPv6 project team personnel have identified technical limitations and are developing solutions.  For example, the IRS’s wide area network Internet service provider is not IPv6 capable and will not be capable until the end of Calendar Year 2015.  Therefore, for the traffic between the major hubs across the country, the IPv6 project team has had to consider, research, and test alternative solutions for the wide area network.  They have weighed the theoretical benefits and limitations of each solution and will continue to test selected options during their proof of concept test this summer.  Because IPv6 will be deployed enterprise-wide, the IPv6 project team has planned for several phases of testing, and not just for the traffic between hubs.  The entire protocol must be tested, and certain features of IPv6 will be disabled due to the characteristics of the IRS network and the increased security the agency requires for its data.  The IPv6 project team stood up two test laboratories to pass traffic back and forth, and began a production proof-of-concept test during our fieldwork.  The project team drafted extensive test plans that are updated on an ongoing basis.

Since the entire network will be configured to support IPv6 in 2014, and all hardware and software must be reconfigured and readdressed, this conversion will have a far-reaching impact on many functions in the Information Technology organization including:  User and Network Services, Enterprise Operations, Applications Development, Cybersecurity, the Computer Security Incident Response Center, and many others.  The IRS IPv6 project team developed a training plan for IPv6 and is currently in the process of updating it.  To date, the project team has hosted three large technical summit sessions and at least eight smaller, team-specific training sessions that were sometimes technical and at other times more general or higher level.  We reviewed the training slides for some of the courses the project team developed and administered and found them to be informative and appropriate for the audience.

Key Action Items From the 2014 Internet Protocol Version 6 Transition Plan Need to Be Completed and Outreach Efforts Need to Be Improved

The transition to IPv6 will be complex, given the geographic dispersion of the IRS network and its size and diversity of software and hardware components.  The IRS has developed the 2014 IPv6 Transition Plan, which is a comprehensive document that includes identified stakeholders and roles and responsibilities, as well as a functional subgroup structure identified by the three major affected areas of the protocol conversion—network, security, and applications.  The plan contains sections on program scope, objectives, and strategy, as well as a large section regarding deliverables for each subgroup.  While communication and outreach efforts have achieved partial success, the IPv6 project team has yet to complete some key actions listed in the 2014 IPv6 Transition Plan.

The IRS has not established an IPv6 Advisory Board or prepared an Information Resources Management Strategic Plan

The 2014 IPv6 Transition Plan states that the IRS will establish an IPv6 Advisory Board whose members will be key individuals both internal and external to the IRS who have unique and specialized knowledge and experience regarding IPv6 within the Federal environment.  Internally, these persons would hold IRS corporate knowledge that enables them to advise on the technical and cultural course of action required to meet the strategic objectives.  External participants would include members of the Federal IPv6 Task Force and other Federal agencies who, through their experience, can provide lessons learned and risk mitigation strategies.  The IRS stated that it has not had a chance to stand up the Advisory Board yet, nor does it have a charter.  Without an Advisory Board to guide the project, the IPv6 project team lacks guidance and expertise from external industry experts and may miss an opportunity to proactively obtain executive-level support from internal IRS stakeholders.  Both of these groups could greatly contribute to the success of the IPv6 transition.

In addition, the 2014 IPv6 Transition Plan identifies the need to ensure that the IPv6 transition efforts are consistent with the future state of the agency’s enterprise architecture.  Information technology investments should be made with consideration of IPv6 capabilities, which should be clearly articulated in the IRS Information Resources Management Strategic Plan.  During the course of our fieldwork, we found that an Information Resources Management Strategic Plan does not exist at the IRS.  The 2014 IPv6 Transition Plan also says that senior IRS executives in charge of the Capital Planning and Investment Control processes must put in place the future enterprise objectives so that the IRS may invest in targeted architecture upgrades to maintain a current and secure enterprise.  An Information Resources Management Strategic Plan would help achieve this goal.  At the time of our review, the IPv6 project team had not started work on integrating IPv6 requirements into strategic planning.

Additional actions are necessary to ensure readiness with IPv6 procurement requirements

Beginning in 2005, the OMB mandated that Federal agencies stop buying equipment and software that was not capable of supporting IPv6.  This policy was later clarified in the Federal Register and made effective December 10, 2009, and is now part of the Federal Acquisition Regulation.  If the IRS purchases equipment or software that is not IPv6 capable, the products will no longer work when the enterprise-wide IPv6 network conversion occurs at the end of Fiscal Year 2014.  This would not only be a waste of valuable resources, but could also potentially cause network disruption and additional resource expenditures to either replace or upgrade the equipment or software.  To prevent this from happening, the IPv6 project team developed suggested changes to IRS procurement policies, but procurement officials in Agency-Wide Shared Services did not agree with this request.

During our fieldwork, we met with Agency-Wide Shared Services, and the procurement officials stated that they disagreed with the IPv6 project team’s requests because they were not aware of the deadline in 2014 for the IPv6 enterprise-wide network conversion, and that they did not want to limit their purchasing options to those vendors that could provide IPv6 capability.  When we asked the procurement officials why they did not want to look ahead to the upcoming conversion and only buy products that would work in the future state of the enterprise, they further stated that private sector vendors are not mandated to make these technical changes like Federal agencies are, and many vendors do not have the financial resources to make significant engineering changes.

The IPv6 project team has reached out to other stakeholders in order to be proactive about the transition.  For example, the IPv6 project team is engaged with long-term information technology projects they are aware of in order to be proactive about IPv6 capabilities and requirements so that products purchased for these projects are IPv6 capable.  The IPv6 project team also hosted ongoing biweekly meetings with stakeholders who have been identified and documented in the IPv6 Program Charter.  These discussions covered general scheduling topics such as planned testing and training as well as project updates and deliverables.  We also found that the IPv6 project team sent out data calls to the IRS business units to obtain the most current information about existing equipment and software that might need upgrading throughout the agency.  These data calls were only partially successful.  While the IPv6 project team is not as concerned about network equipment because approximately 95 percent has been identified, efforts are still ongoing to obtain and analyze existing applications and software.  The team is trying to identify all of the business applications and software in use in order to determine whether they are already IPv6 capable, are upgradeable to IPv6 with updates or reconfiguration, or are in need of hard-coded reprogramming.  For example, the IRS’s Applications Development Office provided information on 173 applications and identified 47 that require updating and only four that require an engineering effort prior to the 2014 enterprise-wide network conversion to IPv6.  This effort is still ongoing because some business units have not responded.  This lack of response limits the IPv6 project team’s ability to plan ahead for any needed engineering solutions.

Without adherence to procurement policies and business unit input, Information Technology organization management cannot ensure that future procurements will be in compliance with IPv6 requirements.
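The applications data call described above sorts each application into one of three buckets: already IPv6 capable, upgradeable by update or reconfiguration, or in need of hard-coded reprogramming.  The following Python example is added here and is not from the TIGTA report or the IRS; it shows one way an engineering team can get a first cut at that classification by scanning source for IPv4-only socket APIs and hard-coded dotted-quad literals.  The patterns, bucket names, application names and sample source files are my own constructed illustration, and a clean scan is only a starting point: an application is not IPv6 capable until it has been exercised on a dual-stack network in the test laboratory.

```python
"""Added example, not part of the TIGTA report: a heuristic scan of application
source for assumptions that only an IPv4 address will ever appear.

The report's data call sorts applications into three buckets (already capable,
upgradeable by update or reconfiguration, in need of hard-coded reprogramming);
the bucket names, patterns and sample files below are my own illustration.
"""
import re
from typing import Dict, List, Tuple

# API uses that cannot carry a 128-bit address; each needs an engineering change.
IPV4_ONLY_APIS = [
    (r"\bAF_INET\b", "AF_INET socket family (use AF_INET6 or AF_UNSPEC)"),
    (r"\bsockaddr_in\b", "struct sockaddr_in (use sockaddr_storage or sockaddr_in6)"),
    (r"\binet_(?:addr|aton|ntoa)\s*\(", "inet_addr/inet_aton/inet_ntoa (use inet_pton/inet_ntop)"),
    (r"\bgethostbyname\s*\(", "gethostbyname (use getaddrinfo)"),
    (r"\bInet4Address\b", "java.net.Inet4Address (use InetAddress)"),
]

# A dotted-quad literal. Version strings look the same, so these are reported
# as configuration findings for a human to confirm rather than as engineering.
DOTTED_QUAD = re.compile(
    r"(?<![\w.])(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}(?![\w.])")

RANK = {"capable": 0, "update": 1, "engineering": 2}

Finding = Tuple[str, int, str, str]  # path, line number, severity, message


def scan_source(path: str, text: str) -> List[Finding]:
    """Report IPv4-only API calls and hard-coded IPv4 literals with line numbers."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        for pattern, message in IPV4_ONLY_APIS:
            if re.search(pattern, line):
                findings.append((path, no, "engineering", message))
        for match in DOTTED_QUAD.finditer(line):
            findings.append((path, no, "update", "hard-coded IPv4 literal " + match.group(0)))
    return findings


def classify(files: Dict[str, str]) -> Dict[str, str]:
    """Bucket each application (top-level directory) by its worst finding.

    "capable" only means no IPv4 assumption was matched; dual-stack testing in
    the lab is still required before an application is declared IPv6 capable.
    """
    buckets: Dict[str, str] = {}
    for path, text in files.items():
        app = path.split("/", 1)[0]
        worst = buckets.get(app, "capable")
        for _, _, severity, _ in scan_source(path, text):
            if RANK[severity] > RANK[worst]:
                worst = severity
        buckets[app] = worst
    return buckets


# Constructed sample sources standing in for three hypothetical applications.
SAMPLE_FILES = {
    "payroll/net.c": (
        "#include <netdb.h>\n"
        "struct sockaddr_in addr;\n"
        "struct hostent *h = gethostbyname(host);\n"
        'addr.sin_addr.s_addr = inet_addr("192.0.2.10");\n'
    ),
    "refunds/settings.py": "DB_HOST = '10.1.2.3'\nDB_PORT = 5432\n",
    "inquiries/Client.java": (
        "InetAddress a = InetAddress.getByName(host);\n"
        "Socket s = new Socket(a, 443);\n"
    ),
}


if __name__ == "__main__":
    for finding in scan_source("payroll/net.c", SAMPLE_FILES["payroll/net.c"]):
        print(finding)
    print(classify(SAMPLE_FILES))
```

Running the block over a real code base means walking the tree and feeding each file's text to `scan_source`; the literal check deliberately stays at the lower severity because a value such as `1.2.3.4` may be a version string, and a reviewer, not the regex, should decide whether a matched address is a network dependency.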

Recommendations

Recommendation 1:  The Chief Technology Officer should stand up the IPv6 Advisory Board as soon as possible with both internal agency executives and industry experts as originally described in the 2014 IPv6 Transition Plan.

Management's Response:  The IRS disagreed with this recommendation.  On December 11, 2013, the IRS updated the 2014 IPv6 Transition Plan to reflect that the IRS Infrastructure Executive Steering Committee and the Federal IPv6 Task Force fulfill all desired advisory board functions.

Office of Audit Comment:  Updating the 2014 IPv6 Transition Plan to reflect that the IRS Infrastructure Executive Steering Committee and the Federal IPv6 Task Force fulfill advisory board functions does not provide assurance that the IPv6 project will receive sufficient oversight based on the observations cited in the report.

Recommendation 2:  The Chief Technology Officer should develop and distribute an Information Resources Management Strategic Plan as originally described in the 2014 IPv6 Transition Plan and involve the Agency-Wide Shared Services’ Information Technology Procurement function with the plan’s development.  This planning effort should also establish a process to communicate and incorporate future changes or enhancements to the Information Resources Management Strategic Plan.

Management's Response:  The IRS agreed with this recommendation.  The IRS will revise the Information Technology Integrated Release Plan, referred to as the Information Resources Management Strategic Plan in the 2014 IPv6 Transition Plan, to incorporate IPv6.  Information Technology Strategy and Planning and the Agency-Wide Shared Services Office of Procurement will annually conduct a review of the Information Technology Integrated Release Plan to update the document with future IPv6 changes.

Recommendation 3:  The Chief Technology Officer should coordinate with Agency-Wide Shared Services executives to ensure that procurement policy and procedures are updated to align with the Federal Acquisition Regulation, and establish a control that prohibits purchase of any equipment or software that is not IPv6 capable to ensure that the agency does not waste valuable resources buying products that will not work on the converted network.

Management's Response:  The IRS agreed with this recommendation.  The Agency-Wide Shared Services’ Office of Procurement will ensure that policy and procedures are updated to align with Federal Acquisition Regulations regarding IPv6 requirements.  In partnership, Agency-Wide Shared Services and the Information Technology organization will ensure that a control procedure exists to validate that information technology equipment and software acquisitions are IPv6 capable in accordance with Federal Acquisition Regulation IPv6 requirements.

Recommendation 4:  The Chief Technology Officer should coordinate with the business units to ensure that complete responses to the IPv6 applications data call are received so that the extensive planning for each application that will require upgrading can begin.

Management's Response:  The IRS agreed with this recommendation.  The IPv6 Program Management Office received complete responses to the IPv6 applications data call from all business units in October 2013, and planning for application upgrades has been initiated.

The Internet Protocol Version 6 Project Did Not Receive Adequate Executive Oversight and Did Not Adhere to the Enterprise Life Cycle in 2012

Although the IPv6 project team successfully implemented the technical changes and reconfigurations by the 2012 deadline for the external services, the project team did not adhere to the IRS’s Enterprise Life Cycle (ELC) process and did not receive adequate oversight by the Infrastructure Executive Steering Committee.  The IRS’s ELC process is a disciplined approach to manage and implement business changes through information systems initiatives and requires all information technology projects to achieve several milestones that must be approved by executive leadership in order to proceed.  Solutions should not be deployed into production until Milestone 5 is exited.[5]  The IPv6 2012 reconfigurations for external services were put into production in September 2012 although the project had only officially exited Milestones 1 and 2 of the ELC process.  The Infrastructure Executive Steering Committee is required to oversee this process according to project documentation.

We determined that this lack of ELC adherence occurred because the IPv6 project team was not effectively coordinating with the IRS ELC Office to properly document project artifacts and follow the ELC milestone process.  In addition, the IPv6 project team stated that they had planned to develop separate ELC artifacts, such as requirements reports, design documentation, and test plans, for each of the 2012 and 2014 efforts.  Because they had already deployed the 2012 solution without fully adhering to the ELC process, we suggested that the IPv6 project team immediately request official approval from the Infrastructure Executive Steering Committee to combine IPv6 information for both efforts into one comprehensive set of artifacts to streamline their development and not duplicate efforts by creating similar documents for two different projects.  Further, because the 2012 external services IPv6 solutions were already in place and functioning properly, it is acceptable to combine any extra information from this effort into documents that are in process for the 2014 enterprise-wide effort because the project documentation for 2014 is already late.  The IPv6 project team and the project’s ELC coach agreed with our assessment and formally requested this change through the Infrastructure Executive Steering Committee.  On June 11, 2013, the Committee conducted a virtual vote and granted approval for combining both IPv6 efforts into one set of ELC artifacts and project documentation.

We also interviewed the chairpersons of the Infrastructure Executive Steering Committee to obtain information about why the IPv6 ELC project documentation did not reflect completed project milestones and why the project was allowed to stray from the IRS’s ELC policy and process.  The chairpersons stated that they were not aware that they were supposed to be monitoring the project from the perspective of the ELC policy.  We informed them that the Committee’s charter document stated that they are primarily supposed to oversee information technology projects with respect to cost, schedule, and the ELC process.  They stated that they were not aware of the Infrastructure Executive Steering Committee Charter, which was written in 2008, and that it was probably out of date and not reflective of the Committee’s current responsibilities.  With the increasing complexity of the current enterprise-wide transition beyond the 2012 mandate which is already in place, delayed completion of the required ELC artifacts may seriously jeopardize the success of the 2014 effort.  The IPv6 project team needs to focus on documenting critical artifacts, including design and testing plans, in order to properly exit ELC milestones with appropriate approval of IRS executives.

Recommendations

Recommendation 5:  The Chief Technology Officer should ensure that the IPv6 project team coordinates with the ELC Office and takes a more proactive role of adhering to the ELC process and meeting project milestone deadlines to ensure the timely completion of key ELC deliverables, artifacts, and processes for the critical 2014 enterprise-wide transition to IPv6.

Management's Response:  The IRS agreed with this recommendation.  Due to budget and schedule constraints, a risk-based decision was made to complete ELC Milestones 1 and 2 artifacts for the Fiscal Year 2012 mandate.  The ELC Project Office approved an IPv6 ELC Tailoring Plan in July 2013 that combined the Fiscal Year 2012 and Fiscal Year 2014 mandates.  The IPv6 Program Management Office will complete future ELC deliverables in accordance with the approved ELC Tailoring Plan.

Recommendation 6:  The Chief Technology Officer should assess the merits of transferring IPv6 project oversight to another entity such as the Systems Security and Privacy Executive Steering Committee or a management-level governance board that regularly monitors and provides oversight of information technology projects.  Their responsibilities should include oversight of the critical elements of the IPv6 project’s cost, schedule, and adherence to the ELC processes to include the adequate and timely completion of requirements, design, and testing of artifacts.

Management's Response:  The IRS disagreed with this recommendation.  IPv6 has enterprise impact beyond security and requires oversight from a governance board that takes a holistic view of the entire IRS Information Technology infrastructure portfolio, to include hardware, software, and applications.  The Infrastructure Executive Steering Committee provides the necessary level of oversight for the IRS IPv6 implementation.

Office of Audit Comment:  IRS management indicated that the Infrastructure Executive Steering Committee provides the necessary level of oversight for the IPv6 project.  However, IRS management did not provide any documentation or formalized procedures demonstrating how the Infrastructure Executive Steering Committee regularly monitors and provides oversight of information technology projects.  As a result, we cannot comment on whether the Infrastructure Executive Steering Committee will provide the necessary level of oversight for future successes on the IRS IPv6 implementation.

Recommendation 7:  The Chief Technology Officer should ensure that the Infrastructure Executive Steering Committee updates its charter to properly reflect the current roles and responsibilities of the committee.

Management's Response:  The IRS agreed with this recommendation.  The IRS will update the Infrastructure Executive Steering Committee charter to reflect the current roles and responsibilities of the committee.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

Our overall objective was to assess the IRS’s progress toward converting its network to IPv6 to comply with OMB requirements.  To accomplish our objective, we:

I.  Evaluated whether the IRS converted all external and customer-facing servers and services to IPv6 per the 2012 deadline set forth by the Federal Chief Information Officer.

    A.  Determined whether IRS external and customer-facing websites are accessible to IPv6-enabled end systems on the public Internet.  We confirmed functionality of these services through NIST’s online IPv6 monitoring tool that showed IRS websites to be IPv6 capable.

    B.  Determined whether there are any external services that are not IPv6 capable.  We interviewed agency officials responsible for the Registered User Portal refresh scheduled for fall 2013.  We also obtained and reviewed schedule, design, and testing documentation from the Registered User Portal project team to ensure IPv6 capability is included.

II.  Determined whether the IRS is adequately preparing for the enterprise-wide transition to IPv6 that must be completed by the end of Fiscal Year 2014.

    A.  Determined whether the IRS plans adequately address IPv6 transition concerns by reviewing NIST guidance and comparing this guidance to the IRS IPv6 project planning documentation.  We specifically determined whether the IRS documented security risks for the conversion to IPv6.

    B.  Evaluated the impact of Internet service provider limitations on the ability of the IRS to transition to IPv6 enterprise-wide.

    C.  Determined whether the IPv6 project team properly and timely completed key ELC deliverables, artifacts, and processes.  We reviewed the project’s ELC Tailoring Plan to determine the critical deliverables and artifacts that should have been completed for each development phase, and obtained and reviewed these documents for completion, timeliness, and sufficiency.

    D.  Determined whether IRS project documentation includes adequate planning for IPv6 testing by interviewing testing officials and reviewing test plans and accomplishments to date.

    E.  Determined whether stakeholders are identified and whether outreach and training are adequately conducted.  We reviewed project documentation, including its charter and the IPv6 project team’s communication and training plans.  We also determined the training conducted to date and reviewed training materials developed by the IPv6 project team.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives.  Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations.  They include the systems for measuring, reporting, and monitoring program performance.  We determined the following internal controls were relevant to our audit objective:  OMB and NIST guidance, the Federal Acquisition Regulation, and related IRS guidelines for information technology projects, together with the IRS’s efforts to implement these controls in order to protect the IRS network and data during its network conversion to IPv6.  We evaluated these controls by conducting interviews and meetings with IPv6 project management and stakeholders at the IRS functions responsible for reconfiguring, testing, and securing IPv6 throughout the agency.  We also reviewed project documentation and outreach and training efforts to date.

 

Appendix II

 

Major Contributors to This Report

 

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)

Kent Sagara, Director

Joseph F. Cooney, Audit Manager

Myron Gulley, Acting Audit Manager

Jena Whitley, Lead Auditor

George Franklin, Senior Auditor

Cindy Harris, Senior Auditor

Nicholas Reyes, Information Technology Specialist

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Chief Information Officer for Operations  OS:CTO

Associate Chief Information Officer, Applications Development  OS:CTO:AD

Associate Chief Information Officer, Enterprise Operations  OS:CTO:EO

Associate Chief Information Officer, User and Network Services  OS:CTO:UNS

Chief, Agency-Wide Shared Services  OS:A

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaison:  Director, Risk Management Division  OS:CTO:SP:RM

 

Appendix IV

 

Major Differences Between IPv4 and IPv6 Headers

 

IPv4 header fields, in order:  Version, IHL, Type of service, Total length, Identification, Flags, Fragment offset, Time to live, Protocol, Header checksum, Source address, Destination address, Options, Padding.

Version:  Internet protocol version number

IHL:  IP Header length in 32-bit words

Type of service:   Contains priority information

Total length:  Total length of the datagram in bytes

Identification:  When an IP packet is segmented into multiple fragments, each fragment is given the same identification

Flags:  When a packet is fragmented, all fragments except the last one have this bit set

Fragment offset:  The fragment’s position within the original message

Time to live:  Hop count, decremented each time the packet reaches a new router

Protocol:  Identifies which transport layer protocol is being used for this packet

Header checksum:  Verifies the content of the IP header

Source address:  IP address of the originating host

Destination address:  Destination address of the receiving host

Options:  Used to extend functionality of IP

Padding:  Additional instructions not covered in the other fields; if an option does not fill up a 32-bit word, it will be filled in with padding bits


IPv6 header fields, in order:  Version, Traffic class, Flow label, Payload length, Next header, Hop limit, Source address, Destination address.

Version:  Internet protocol version number

Traffic class:  For prioritizing types of traffic

Flow label:  Allows a host to label sequences of packets for which it requests special handling by the IPv6 header

Payload length:  The length of the packet following the IPv6 header

Next header:  Identifies the type of header immediately following the IPv6 header

Hop limit:  Decremented by one by each node that forwards the packet; the packet is discarded if Hop Limit is decremented to zero

Source address:  IP address of the originating host

Destination address: Destination address of the receiving host

Figure legend (the original figure’s color coding is not reproduced here):  field name kept from IPv4 to IPv6; field not kept in IPv6; name and position changed in IPv6; new field in IPv6.

Source:  Government Accountability Office.
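The two header layouts above, as an added example that is not part of the TIGTA report or the GAO figure: a Python parser for the IPv4 and IPv6 fixed headers that also verifies the IPv4 header checksum, the field IPv6 dropped. The sample packets and their documentation-range addresses are constructed here for illustration.

```python
"""Parse the IPv4 and IPv6 fixed headers listed in Appendix IV (added
example, not from the TIGTA report; the sample packets are constructed
inline with documentation-range addresses)."""
import struct
from ipaddress import IPv4Address, IPv6Address


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; the caller passes
    the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 fields from Appendix IV and verify the header
    checksum, a field IPv6 no longer carries."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4               # IHL counts 32-bit words
    header = pkt[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "more_fragments": bool(flags_frag & 0x2000),   # the MF flag
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": str(IPv4Address(pkt[12:16])),
        "dst": str(IPv4Address(pkt[16:20])),
        "options": header[20:],              # empty when IHL == 5
    }


def parse_ipv6(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header.  Versus IPv4 there is no
    header length (fixed size), no fragmentation fields (moved to an
    extension header) and no header checksum at all."""
    first, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    return {
        "version": first >> 28,
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,             # replaces IPv4 Protocol
        "hop_limit": hop_limit,              # replaces IPv4 Time to live
        "src": str(IPv6Address(pkt[8:24])),
        "dst": str(IPv6Address(pkt[24:40])),
    }


def build_ipv4_sample() -> bytes:
    """Constructed 20-byte IPv4 header: TTL 64, protocol 6 (TCP), DF set,
    192.0.2.1 -> 198.51.100.7, with a valid checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                      IPv4Address("192.0.2.1").packed,
                      IPv4Address("198.51.100.7").packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_ipv6_sample() -> bytes:
    """Constructed 40-byte IPv6 header: flow label 0xABCDE, next header 6
    (TCP), hop limit 64, 2001:db8::1 -> 2001:db8::2."""
    first = (6 << 28) | 0xABCDE              # version 6, traffic class 0
    return struct.pack("!IHBB16s16s", first, 20, 6, 64,
                       IPv6Address("2001:db8::1").packed,
                       IPv6Address("2001:db8::2").packed)
```

Corrupting any IPv4 header byte (for instance the TTL) makes checksum_ok false, whereas an IPv6 header has no such self-check and relies on the link and transport layers instead.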

 

Appendix V

 

Enterprise Life Cycle Overview

 

The ELC is the IRS’s approach to manage and implement business change through information systems initiatives.  The ELC provides the direction, processes, tools, and assets necessary to accomplish business change in a consistent and repeatable manner.

Figure 1 provides an overview of the phases and milestones within the ELC.  A phase is a broad segment of work encompassing activities of similar scope, nature, and detail and providing a natural breakpoint in the life cycle.  Each phase begins with a kickoff meeting and ends with an executive management decision point (milestone) where IRS executives make “go/no-go” decisions for continuation of a project as well as considering funding requests.

Figure 1:  ELC Phases and Milestones

Phase | General Nature of Work | Milestone
Vision and Strategy/Enterprise Architecture Phase | High-level direction setting. | 0
Project Initiation Phase | Startup of development projects. | 1
Domain Architecture Phase | Specification of the operating concept, requirements, and structure of the solution. | 2
Preliminary Design Phase | Preliminary design of all solution components. | 3
Detailed Design Phase | Detailed design of solution components. | 4A
Systems Development Phase | Coding, integration, testing, and certification of solutions. | 4B
Systems Deployment Phase | Expanding availability of the solution to all target users.  This is usually the last phase for development projects. | 5
Operations and Maintenance Phase | Ongoing management of operational systems. | System Retirement

Source:  The ELC Internal Revenue Manual.

 

Appendix VI

 

Glossary of Terms

 

Term

Definition

Agency-Wide Shared Services

An IRS organization that supports the IRS by managing resources that enable the IRS’s business processes.

Application

An information technology component of a system that utilizes information technology resources to store, process, retrieve, or transmit data or information using information technology hardware and software.

Applications Development

A function within the IRS Information Technology organization responsible for building, testing, delivering, and maintaining integrated information applications systems or software solutions, to support modernized systems and the production environment.

Artifact

The tangible result (output) of an activity or task performed by a project during the ELC.

Calendar Year

The 12-consecutive-month period ending on December 31.

Cybersecurity

A function within the IRS Information Technology organization responsible for ensuring compliance with Federal statutory, legislative, and regulatory requirements governing confidentiality, integrity, and availability of IRS electronic systems, services, and data.

Enterprise Life Cycle

The approach used by the IRS to manage and implement business change through information systems initiatives.  The ELC provides the direction, processes, tools, and assets necessary to accomplish business change in a consistent and repeatable manner.

Federal Acquisition Regulation

The primary acquisition regulation for use by all Federal executive agencies in their acquisition of supplies and services with appropriated funds.

Federal Chief Information Officer

The Federal Chief Information Officer heads the OMB Office of E-Government and Information Technology which develops and provides direction in the use of Internet-based technologies.

Fiscal Year

A 12-consecutive-month period ending on the last day of any month.  The Federal Government’s fiscal year begins on October 1 and ends on September 30. 

Hard-Coded

A software development practice of embedding data directly into the source code of a program instead of obtaining that data from external sources or generating data in the program itself with the given input.  The degree to which a program is hard-coded determines how difficult it is to change when each new type of data is introduced.

Information Technology

Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency.  The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.

Infrastructure Executive Steering Committee

Governs projects within the Infrastructure portfolio to ensure that project objectives are met, risks are managed appropriately, and the expenditure of enterprise resources is fiscally sound.

Internet Protocol Version 4

The current version of the IP which specifies a 32-bit IP address field which will run out of available address space in the near future.

Internet Protocol Version 6

The next generation IP which allows a 128-bit IP address field in the form of eight 16-bit integers represented as four hexadecimal digits separated by colons.

Multihomed Site

A site, which is an entity autonomously operating a network using IP, with more than one transit provider of connectivity to the Internet.

National Institute of Standards and Technology

The NIST, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.

Office of Management and Budget

The OMB’s predominant mission is to assist the President in overseeing the preparation of the Federal budget and to supervise administration in Executive Branch agencies.  The OMB evaluates the effectiveness of agency programs, policies, and procedures.  The OMB oversees and coordinates the Administration’s procurement, financial management, information, and regulatory policies.

Project

A group of tasks to accomplish a specific objective, with a beginning and ending date, that is planned, monitored, and measured; follows a life cycle process; and results in deliverables or end products.

Proof of Concept

A short and/or incomplete realization of a certain method or idea to demonstrate its feasibility, or a demonstration in principle.

Registered User Portal

The IRS external portal that allows registered individuals and third-party users (collectively, “partners” – registration and login authentication required) and other individual taxpayers or their representatives (self-authentication with shared secrets required) access for interaction with selected tax processing and other sensitive systems, applications, and data.

User Networks and Services

A function within the IRS Information Technology organization that supplies and maintains all desk-side (including telephone) technology, provides workstation software standardization and security management, inventories data-processing equipment, conducts annual certification of assets, provides the Information Technology Service Desk as the single point of contact for reporting an information technology issue, and equips the Volunteer Income Tax Assistance program.

Wide Area Network

A communications network that covers a wide geographic area, such as a State or country.

Appendix VII

 

 

Management’s Response to the Draft Report

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, D.C.  20224

 

CHIEF TECHNOLOGY OFFICER

 

 

January 23, 2014

 

 

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM:                             for Terence V. Milholland /s/Stephen Manning

                                          Chief Technology Officer

 

SUBJECT:                       Draft Audit Report- Planning is Underway for the Enterprise-Wide Transition to Internet Protocol Version 6, but Further Actions Are Needed 

                                          (Audit# 201320009) (e-trak #2014-49780)

 

Thank you for the opportunity to review the draft audit report and discuss the report observations with the audit team.  We appreciate your acknowledgement of the IRS' achievement in meeting the Fiscal Year (FY) 2012 Office of Management and Budget (OMB) mandate and your recognition of the progress already made toward full Internet Protocol version 6 (IPv6) implementation.

 

In response to your recommendations, we have attached our corrective action plan.  We are committed to ensuring our documentation is updated to include the items cited in the audits' findings.  The IRS is in agreement with five of the seven recommendations provided by TIGTA.  However, we disagree with recommendations one and six.  We believe the Infrastructure Executive Steering Committee (IESC) provides the proper governance level and oversight for the IPv6 implementation.  As a result of the IESC governance, the IRS successfully met the FY 2012 OMB mandate.

 

We value your continued support and the assistance your organization provides.   If you have any questions, please contact me at (202) 317-5000, or a member of your staff may contact Lisa Starr, Senior Manager, Program Oversight at (240) 613-4336.

 

Attachment

 

RECOMMENDATION #1:  The Chief Technology Officer should stand up the IPv6 Advisory Board as soon as possible with both internal agency executives and industry experts as originally described in the 2014 IPv6 Transition Plan.

CORRECTIVE ACTION #1:  The IRS disagrees with this recommendation.  On December 11, 2013, the IRS updated the 2014 IPv6 Transition Plan to reflect that the IRS Infrastructure Executive Steering Committee and the Federal IPv6 Task Force fulfill all desired advisory board functions.

IMPLEMENTATION DATE:  N/A

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, User and Network Services

 

RECOMMENDATION #2:  The Chief Technology Officer should develop and distribute an Information Resources Management Strategic Plan as originally described in the 2014 IPv6 Transition Plan and involve Agency Wide Shared Services' Information Technology Procurement function with the plan's development.  This planning effort should also establish a process to communicate and incorporate future changes or enhancements to the Information Resources Management Strategic Plan.

CORRECTIVE ACTION #2:  The IRS agrees with this recommendation.  The IRS will revise the IT Integrated Release Plan (IT IRP), referred to as the Information Resources Management Strategic Plan in the 2014 IPv6 Transition Plan, to incorporate IPv6.  Information Technology Strategy and Planning and Agency-Wide Shared Services Office of Procurement will annually conduct a review of the IT IRP to update the document with future IPv6 changes.

IMPLEMENTATION DATE:  October 25, 2014

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, User and Network Services

 

RECOMMENDATION #3:  The Chief Technology Officer should coordinate with Agency-Wide Shared Services executives to ensure that procurement policy and procedures are updated to align with the Federal Acquisition Regulation and establish a control that prohibits purchase of any equipment or software that is not IPv6 capable in order to ensure that the agency does not waste valuable resources buying products that will not work on the converted network.

 

CORRECTIVE ACTION #3:  The IRS agrees with this recommendation.  The Agency-Wide Shared Services Office of Procurement will ensure policy and procedures are updated to align with Federal Acquisition Regulations (FAR) regarding IPv6 requirements.  In partnership, Agency-Wide Shared Services and Information Technology will ensure a control procedure exists to validate IT equipment and software acquisitions are IPv6 capable, in accordance with FAR IPv6 requirements.

IMPLEMENTATION DATE:  October 25, 2014

RESPONSIBLE OFFICIAL:  Chief, Agency-Wide Shared Services

 

RECOMMENDATION #4:  The Chief Technology Officer should coordinate with the business units to ensure complete responses to the IPv6 applications data call are received so that the extensive planning for each application that will require upgrading can begin.

CORRECTIVE ACTION #4:  The IRS agrees with this recommendation.  The IPv6 Program Management Office received complete responses to the IPv6 applications data call from all Business Units in October 2013, and planning for application upgrades has been initiated.

IMPLEMENTATION DATE:  October 31, 2013

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, User and Network Services

 

RECOMMENDATION #5:  The Chief Technology Officer should ensure the IPv6 project team coordinates with the ELC Office and take a more proactive role of adhering to the ELC process and meeting project milestone deadlines to ensure the timely completion of key ELC deliverables, artifacts, and processes for the critical 2014 enterprise-wide transition to IPv6.

CORRECTIVE ACTION #5:  The IRS agrees with this recommendation.  Due to budget and schedule constraints, a risk-based decision was made to complete Enterprise Life Cycle (ELC) Milestone 1 and 2 artifacts for the FY12 mandate.  The ELC Project Office approved an IPv6 ELC Tailoring Plan in July 2013 that combined the FY12 and FY14 mandates.  The IPv6 Program Management Office will complete future ELC deliverables in accordance with the approved ELC Tailoring Plan.

IMPLEMENTATION DATE:  November 25, 2014

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, User and Network Services

 

RECOMMENDATION #6:  The Chief Technology Officer should assess the merits of transferring IPv6 project oversight to another entity such as the Systems Security and Privacy Executive Steering Committee or a management level governance board that regularly monitors and provides oversight of information technology projects.  Their responsibilities must include oversight of the critical elements of the IPv6 project's cost, schedule, and adherence to the ELC processes to include the adequate and timely completion of requirements, design, and testing artifacts.

CORRECTIVE ACTION #6:  The IRS disagrees with this recommendation.  IPv6 has enterprise impact beyond security and requires oversight from a governance board that takes a holistic view of the entire IRS IT infrastructure portfolio, to include hardware, software and applications.  The Infrastructure Executive Steering Committee provides the necessary level of oversight for the IRS' IPv6 implementation.

IMPLEMENTATION DATE:  N/A

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, User and Network Services

 

RECOMMENDATION #7:  The Chief Technology Officer should ensure the Infrastructure Executive Steering Committee updates its charter in order to properly reflect the current roles and responsibilities of the committee.

CORRECTIVE ACTION #7:  The IRS agrees with this recommendation.  The IRS will update the Infrastructure Executive Steering Committee charter to reflect the current roles and responsibilities of the committee.

IMPLEMENTATION DATE:  June 25, 2014

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, User and Network Services



[1] See Appendix VI for a glossary of terms.

[2] Appendix IV shows some major differences between IPv4 and IPv6 headers.

[3] Federal Chief Information Officers Council, Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government (Jul. 2012).

[4] National Institute of Standards and Technology, Special Publication 800-119 Guidelines for the Secure Deployment of IPv6 (Dec. 2010).

[5] See Appendix V for an overview of the ELC.