Treasury Inspector General for Tax Administration
November 5, 2012
TIGTA - 2012-63
Contact: David Barnes
WASHINGTON – Efforts by the Internal Revenue Service (IRS) to upgrade its computer systems to allow the use of SmartID cards are taking longer than expected, according to a report released publicly today by the Treasury Inspector General for Tax Administration (TIGTA).
The President’s Cyberspace Policy emphasized that agencies need to use SmartID cards to access computer systems. The IRS has delayed its scheduled September 2011 implementation of the SmartID card authentication system to July 2013.
“Upgrading the security of computer systems has never been more important to prevent disruptions in critical IRS processes and to protect taxpayers’ personal information from unauthorized access,” said J. Russell George, the Treasury Inspector General for Tax Administration. “The IRS is nearly two years behind its original planned completion date for implementing the new two-factor authentication system and enabling all employees to use SmartID cards for logical access.”
“It is imperative that the IRS move swiftly and surely, doing everything in its power to secure its computer systems,” Inspector General George added.
The IRS disagreed with some of TIGTA’s findings, arguing that the actions they have taken are sufficient.
At issue is the implementation and security of the IRS’s two-factor authentication system for accessing computer systems. Two-factor authentication verifies an employee’s identity on a system by requiring two identifying factors: something the user knows (a personal identification number) and something the user has (a SmartID card). It significantly improves computer security by strengthening control over who is granted access to systems.
The IRS developed a two-factor authentication system with the required components. However, significant delays prevented the IRS from deploying the new two-factor authentication system as originally planned. The IRS originally planned to complete the deployment by September 2011. The deployment is now planned to be completed by July 2013.
In addition, the IRS did not appoint a project manager with the requisite training and experience to lead the Internal Identity and Access Management project, which included the two-factor authentication component. This decision led to numerous issues. The project team did not make adequate progress in some crucial areas such as: 1) developing two-factor authentication for computer administrators, 2) conducting required testing, and 3) completing key documents and processes.
TIGTA reported that usage of the SmartID cards will be further delayed and recommended that the Chief Technology Officer direct IRS Labor Relations to notify the National Treasury Employees Union and begin negotiating mandatory use of the SmartID cards. TIGTA also recommended that the Assistant Chief Information Officer, Cybersecurity, appoint a certified project manager with the requisite training and experience to lead the Internal Identity and Access Management project. The project manager should be directed to ensure the required security control assessment is completed, select a method to implement two-factor authentication for administrators, coordinate the activities to ensure all required testing is completed, and complete the required documents and processes that are needed to fully test and evaluate the system.
The IRS agreed with seven of the recommendations and plans to bargain with the National Treasury Employees Union as appropriate on mandatory use of the SmartID cards, appoint a certified project manager and provide adequate resources to the project, and assign project resources to determine whether a viable solution for administrators’ use of SmartID cards exists. The IRS disagreed with two recommendations regarding the completion of required testing of the new system, stating that testing was completed in accordance with its procedures and that additional testing is not necessary.
TIGTA remains concerned about the IRS’s disagreement on the issue of testing. The IRS did not conduct the required testing for the most significant part of the two-factor authentication system, which is the part employees will use to authenticate to the IRS network. TIGTA found no evidence that the security, integration, capacity, and performance testing were conducted for this crucial part of the system.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.