TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Office of Audit

Highlights

THE REMEDIATION OF CONFIGURATION WEAKNESSES AND VULNERABILITIES IN THE REGISTERED USER PORTAL SHOULD BE IMPROVED

Final Report issued on July 18, 2018

Highlights of Reference Number: 2018-20-036 to the Commissioner of Internal Revenue.

IMPACT ON TAXPAYERS

The Integrated Enterprise Portal (IEP) - Registered User Portal (RUP) is a web-enabled, electronic commerce infrastructure to provide secure, browser-based application services for tax practitioners and taxpayers to access IRS systems. Because sensitive tax information traverses through and resides on the IEP-RUP, the IRS and its web-based infrastructure are an attractive target for hackers. Configuration weaknesses and vulnerabilities in the IEP-RUP environment unnecessarily expose taxpayer data to unauthorized access and disclosure.

WHY TIGTA DID THE AUDIT

This audit was initiated to determine whether the IRS's IEP-RUP offering external web services to the public is timely patched and remediated when vulnerabilities or misconfigurations are identified.

WHAT TIGTA FOUND

The IEP-RUP infrastructure is owned and operated by a contractor for the Enterprise Operations organization's Enterprise Technology Implementation Division. TIGTA determined that the vulnerabilities and misconfigurations on various hardware, virtual machines, and software within the IEP-RUP were generally remediated. Specifically, our analyses of configuration and vulnerability scan reports found **2** (**2** percent) of **2** high-risk configuration weaknesses identified by **2** scans and **2** (**2** percent) of **2** critical and high-risk vulnerabilities identified by **2** scans were remediated.

However, TIGTA remains concerned that the IRS has not timely remediated configuration weaknesses and vulnerabilities. For example, TIGTA found that **2** percent of high-risk configuration weaknesses identified by ****2**** scans were remediated after 30 calendar days. ****************2**************** ***********************2******************************* ***********************2******************, although there was reference to the 30-calendar day requirement for configuration weaknesses that were documented and managed to ensure that they were eventually resolved.

TIGTA also found that the contractor had an inventory list of the physical and virtual hardware and operating software in the RUP. However, the inventory list was not always accurate and complete.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Information Officer establish ****2************************ ***********************2******************************* ***********************2******************************* *******2*******; ensure that the Cybersecurity organization performs follow-up validation on all corrected configuration weaknesses; comply with required processes to document, manage, and eventually resolve vulnerabilities identified by the contractor; update policies to use established processes that are consistent with required time frames; ensure that the contractor performs, at a minimum, an annual reconciliation of the IEP inventory; and ensure that the Cybersecurity organization includes the component inventory as part of its annual security assessment of the IEP-RUP.

The IRS agreed with eight of the nine recommendations, although it did not completely respond to two of the eight recommendations. The IRS plans to validate that the vulnerabilities have been remediated, review monthly status reports, and meet with stakeholders. The IRS also responded that it developed guidance for handling scan results and updated the patch management plan. The IRS partially disagreed with one recommendation. Our comments about the IRS's partial disagreement with our recommendations are discussed in the report.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

https://www.treasury.gov/tigta/auditreports/2018reports/201820036fr.pdf.

Redaction Legend:

2 = Law Enforcement Techniques/ Procedures and Guidelines for Law Enforcement Investigations or Prosecutions.

10 = Trade Secrets or Commercial/Financial Information


Phone Number / 202-622-6500

E-mail Address / TIGTACommunications@tigta.treas.gov

Website / http://www.treasury.gov/tigta