Office of Audit
FISCAL YEAR 2019 EVALUATION OF THE INTERNAL REVENUE SERVICE’S CYBERSECURITY PROGRAM AGAINST THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT
Final Report issued on September 24, 2019
Highlights of Reference Number: 2019-20-082 to the Department of the Treasury, Office of Inspector General, Assistant Inspector General for Audit.
IMPACT ON TAXPAYERS
The Federal Information Security Modernization Act of 2014 (FISMA) focuses on improving oversight of Federal information security programs and facilitating progress in correcting agency information security weaknesses. The IRS collects and maintains a significant amount of personal and financial information on each taxpayer. As the custodian of taxpayer information, the IRS is responsible for implementing appropriate security controls to protect the confidentiality of this sensitive information against unauthorized access or loss.
WHY TIGTA DID THE AUDIT
As part of the FISMA legislation, the Offices of Inspectors General are required to perform an annual independent evaluation of each Federal agency’s information security programs and practices. This report presents the results of TIGTA’s FISMA evaluation of the IRS for Fiscal Year 2019.
WHAT TIGTA FOUND
For Fiscal Year 2019, the Inspector General FISMA reporting was aligned with the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity and measured the maturity levels for five function areas: IDENTIFY (organizational understanding to manage cybersecurity risk to assets and capabilities), PROTECT (appropriate safeguards to ensure delivery of critical services), DETECT (appropriate activities to identify the occurrence of a cybersecurity event), RESPOND (appropriate activities to take action regarding a detected cybersecurity event), and RECOVER (appropriate activities to restore capabilities or services that are impaired due to a cybersecurity event).
The IRS’s Cybersecurity Program was generally in alignment with FISMA requirements, but it was not fully effective due to program components not being at an acceptable maturity level. The Department of Homeland Security’s scoring methodology defines “effective” as having maturity level 4, Managed and Measurable, or above.
Based on these evaluation parameters, TIGTA rated three Cybersecurity function areas (IDENTIFY, RESPOND, and RECOVER) as “effective” and two function areas (PROTECT and DETECT) as “not effective.”
The PROTECT function area rating was based on the metrics of four security program components: Configuration Management, which was at maturity level 2, Defined; Identity and Access Management, which was at maturity level 3, Consistently Implemented; Data Protection and Privacy, which was at maturity level 3, Consistently Implemented; and Security Training, which was at maturity level 4, Managed and Measurable. The end result for this function area was maturity level 3, Consistently Implemented. The DETECT function area rating was based on the Information Security Continuous Monitoring metrics, which TIGTA deemed at maturity level 2, Defined.
Until the IRS takes steps to improve its security program deficiencies and fully implement all security program components in compliance with FISMA requirements, taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure.
WHAT TIGTA RECOMMENDED
TIGTA does not make recommendations as part of its annual FISMA evaluation and reports only on the level of performance achieved by the IRS using the guidelines for the applicable FISMA evaluation period.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta