Office of Audit
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION – FEDERAL INFORMATION SECURITY MODERNIZATION ACT REPORT FOR FISCAL YEAR 2016
Final Report issued on September 28, 2016
Highlights of Reference Number: 2016-20-092 to the Department of the Treasury, Office of the Inspector General, Assistant Inspector General for Audit.
IMPACT ON TAXPAYERS
The Federal Information Security Modernization Act of 2014 (FISMA) focuses on improving oversight of Federal information security programs and facilitating progress in correcting agency information security weaknesses. The IRS collects and maintains a significant amount of personal and financial information on each taxpayer. As a custodian of taxpayer information, the IRS has an obligation to protect this sensitive information against unauthorized access or loss in accordance with FISMA requirements.
WHY TIGTA DID THE AUDIT
As part of the FISMA legislation, the Offices of Inspectors General are required to perform an annual independent evaluation of each Federal agency’s information security programs and practices. This report presents the results of TIGTA’s FISMA evaluation of the IRS for Fiscal Year 2016.
WHAT TIGTA FOUND
The IRS’s information security program was generally in alignment with FISMA requirements, but it was not fully effective due to program attributes not yet implemented. Based on the Department of Homeland Security’s (DHS) scoring methodology for the Fiscal Year 2016 FISMA evaluation period, four Cybersecurity Framework functions (Identify, Protect, Detect, and Respond) were rated as “not effective” and one security function (Recover) was rated as “effective.” Within the Cybersecurity Framework functions, three security program areas (Contractor Systems, Security and Privacy Training, and Contingency Planning) met all the FISMA performance attributes specified by the DHS. The security program area Risk Management met most of the performance attributes. Based on the maturity model issued in the Fiscal Year 2016 FISMA evaluation period, the security program area Incident Response was rated at level four on a scale of one to five.
However, significant improvements are needed in three program areas that were rated as “not effective” and were missing many performance attributes specified by the DHS for meeting FISMA requirements. These security program areas were Information Security Continuous Monitoring, Configuration Management, and Identity and Access Management.
Until the IRS takes steps to improve its security program deficiencies and fully implement all security program areas in compliance with FISMA requirements, taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure.
WHAT TIGTA RECOMMENDED
TIGTA does not include recommendations as part of its annual FISMA evaluation and reports on only the level of performance achieved by the IRS using the guidelines issued by the DHS for the applicable FISMA evaluation period.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta