Office of Audit
THE CONTINUOUS DIAGNOSTICS AND MITIGATION PROJECT EFFECTIVENESS WOULD BE IMPROVED BY BETTER PERFORMANCE METRICS AND TOOLS DATA
Final Report issued on March 18, 2020
Highlights of Reference Number: 2020-20-013 to the Commissioner of Internal Revenue.
IMPACT ON TAXPAYERS
In Calendar Year 2013, the Department of Homeland Security established the Continuous Diagnostics and Mitigation Program as an implementation approach for continuously monitoring information systems. The Continuous Diagnostics and Mitigation Program is a multiyear program to automate security controls and deficiency management, and to standardize risk reporting across Federal agencies. Incomplete data and insufficient data quality will result in IRS management using inaccurate information for decision-making concerning cybersecurity risks.
WHY TIGTA DID THE AUDIT
According to the Office of Management and Budget, the Continuous Diagnostics and Mitigation Program enhances the overall security posture of the Federal Government by providing agencies with capabilities to monitor vulnerabilities and threats to their networks in near real-time. This audit was initiated to determine the effectiveness and efficiency of the IRS’s Continuous Diagnostics and Mitigation project implementation.
WHAT TIGTA FOUND
The IRS developed a schedule summary that provides the status of key milestones and completion dates for its Continuous Diagnostics and Mitigation project implementation. The IRS reported that it successfully completed key milestones for the first of two implementation waves. While data quality and the overall agency risk score have improved, the IRS did not fully develop and implement performance metrics to enable effective monitoring of the Continuous Diagnostics and Mitigation project deployment status and progress.
As part of the Continuous Diagnostics and Mitigation project, the IRS is installing sensor tools to identify authorized hardware and software assets and to continuously ensure that they are properly configured, with vulnerabilities mitigated. Data from these tools will be aggregated and transmitted to the Department of Homeland Security via the Department of the Treasury dashboard. When fully implemented, these tools should provide full network coverage for continuous monitoring. However, the IRS Continuous Diagnostics and Mitigation project sensor tools do not currently provide complete and accurate data.
WHAT TIGTA RECOMMENDED
The Chief Information Officer should continue the development and implementation of a data consistency and quality plan and performance metrics to allow management to readily monitor Continuous Diagnostics and Mitigation project status and progress; continue collaboration with the segmented network administrators to obtain complete and accurate data; and complete the installation, configuration, and testing of sensor tools to ensure the accuracy of data transmitted to the Department of the Treasury dashboard.
The IRS agreed with all our recommendations. The IRS plans to finalize a data consistency and quality plan and establish performance metrics, and will complete the installation, configuration, and testing of the sensor tools to ensure the accuracy of data transmitted to the Department of the Treasury dashboard. The IRS also stated it has completed work to implement the endpoint management sensor tool in all segmented networks and is currently monitoring to ensure that the sensor tool obtains complete and accurate data.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta