Office of Audit
WHILE PROGRESS IS BEING MADE ON DIGITAL IDENTITY REQUIREMENTS, COMPLETION DATES TO ACHIEVE COMPLIANCE WITH IDENTITY PROOFING STANDARDS HAVE NOT BEEN ESTABLISHED
Final Report issued on March 23, 2020
Highlights of Reference Number: 2020-20-012 to the Commissioner of Internal Revenue.
IMPACT ON TAXPAYERS
Advances in technology have provided the IRS an opportunity to be more responsive to the taxpayer’s need for its services. However, a new set of challenges has emerged because information about individuals has become more widely available through social media and breaches of Personally Identifiable Information. As a result, the IRS needs to work toward improving its public-facing applications to ensure that taxpayers who want access to IRS online services have verified their identities and can access IRS resources in a secure manner.
WHY TIGTA DID THE AUDIT
This audit was initiated to evaluate the IRS’s identity proofing capabilities for secure electronic authentication to online applications. Identity proofing is ensuring that users who interact with an entity over open networks, i.e., the Internet, are who they claim to be.
WHAT TIGTA FOUND
In June 2017, the National Institute of Standards and Technology issued updated guidance on identity proofing in Special Publication 800‑63‑3, Digital Identity Guidelines.
The IRS is making progress to comply with those guidelines on identity proofing by developing and using a five-step process to determine the required assurance level for each application and by creating a solution to ensure that the applicant is who they claim to be within a stated level of confidence.
However, the IRS may not complete its processes on all applications as scheduled, and it is using compensating controls that include identity proofing and authentication level of assurances based on superseded guidelines for certain applications that require either remote or physical presence for identity proofing. While these compensating controls did not fully meet the requirements, the IRS stated they are the most secure methods to remotely identity proof and authenticate taxpayers until its new digital identity platform is implemented, which is expected to begin being piloted in June 2020.
The IRS has 63 public-facing applications that taxpayers can access from the Internet. As of July 2019, eight (13 percent) of these applications have completed all five steps of the digital identity risk assessment process, while 17 (27 percent) applications have completed four of the steps. The remaining 38 applications are not expected to complete all five steps until January 2020. However, TIGTA is concerned as to whether the IRS can achieve that date given that it took an average of 217 calendar days to complete the eight applications through step five.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Information Officer ensure that the remaining public-facing applications complete all five steps in the digital identity risk assessment process, and that all testing for the digital identity solution is completed and all public-facing applications are migrated to the implemented solution. In addition, the Deputy Commissioner for Operations Support should coordinate with the Department of the Treasury on legislative proposals or policy changes needed to obtain additional assistance from States, Territories, and Federal agencies that issue identifications in identity proofing users.
The IRS agreed with two recommendations and plans to complete the five-step process for the remaining public-facing applications and conduct tests to validate the solution and migrate all applications to the solution as needed. The IRS partially agreed with the third recommendation and will brief the Department of the Treasury on the identity proofing issue.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta