Office of Audit
ELECTRONIC AUTHENTICATION SECURITY CONTROLS HAVE IMPROVED, BUT CONTINUED PROGRESS IS NEEDED TO ENSURE THE PROTECTION OF PUBLIC-FACING APPLICATIONS
Final Report issued on April 19, 2019
Highlights of Reference Number: 2019-20-017 to the Commissioner of Internal Revenue.
IMPACT ON TAXPAYERS
The IRS has developed Internet-accessible, public-facing applications to interact with taxpayers for various tax administrative purposes. Because these applications collect, process, and store large amounts of taxpayer data, the IRS has become a target of criminals and identity thieves. Strong electronic authentication controls are needed to prevent identity thieves from succeeding at impersonating taxpayers and gaining improper access to tax records.
WHY TIGTA DID THE AUDIT
This audit was initiated to evaluate whether the IRS has properly implemented secure electronic authentication controls in accordance with Federal standards for public access to IRS online systems.
WHAT TIGTA FOUND
The IRS is making progress at improving electronic authentication controls on its public-facing applications. The IRS established the Electronic Authentication Risk Assessment Compliance Initiative, an ongoing effort to help secure the IRS's public-facing applications. In addition, the IRS continues to take steps to mitigate risks related to using the Short Messaging Service as part of the authentication process.
The IRS performed an analysis of its 52 public-facing applications. As of April 2018, it secured 14 high-risk and eight moderate-risk applications at their assessed (or at a higher) electronic authentication levels of assurance based on the older National Institute of Standards and Technology (NIST) Special Publication 800-63-2, Electronic Authentication Guideline. Conversely, 26 (50 percent) applications were not at the assessed electronic authentication level of assurance and not in compliance with the old Federal standards. The remaining four applications were either offline or retired. The IRS is accepting the risks associated with one-half of its public-facing applications not meeting the necessary level of assurance, and TIGTA found that the IRS's rationale for maintaining them at the current level was reasonable based on the IRS's transaction analysis and compensating controls to mitigate risks.
Lastly, the IRS is not yet compliant with new NIST guidelines for public-facing applications, issued in June 2017. The OMB requires compliance with these guidelines within one year of publication. The IRS initiated efforts to develop its Digital Identity Risk Assessment process to meet the new guidelines and started piloting its new processes with one of its high-risk public-facing applications.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Information Officer ensure that public-facing legacy applications are complying with NIST Special Publication 800-63-3, Digital Identity Guidelines, and that an implementation plan includes specific timelines for accomplishing full compliance for legacy applications.
The IRS partially agreed with this recommendation and plans to ensure that public-facing legacy applications are aligned with NIST Special Publication 800-63-3 through its Digital Identity Risk Assessment process. TIGTA concurs in part with the IRS's approach to addressing our recommendation but is concerned that the IRS did not include an implementation plan. Moreover, TIGTA is concerned that the completion date proposed by the IRS will leave it noncompliant with the NIST guidelines until February 2023.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number: 202-622-6500
E-mail Address: