The Internal Revenue Service (IRS) failed to review nearly 75 percent of its IT security weaknesses in a timely manner in recent years, due to staffing shortfalls among other reasons, the Treasury Inspector General for Tax Administration (TIGTA) found in a recent report.
“The timely identification and resolution of information security weaknesses are the primary cornerstones of a sound information security program,” TIGTA’s August 9 report says. “The Federal Information Security Modernization Act of 2014 (FISMA) mandates that all Federal agencies develop and implement a corrective action plan, known as a Plan of Action and Milestones (POA&M), to identify and document the resolution of information technology security weaknesses.”
Between Jan. 1, 2005, and Aug. 26, 2022, the IRS created 12,089 POA&Ms. Of these, 2,555 remain open with efforts still ongoing.
TIGTA selected a judgmental sample of 401 POA&Ms for analysis. The watchdog found that the IRS did not conduct a timely review of 73 percent of the 401 POA&Ms in that sample.
Agency-wide, TIGTA found that there are more than 500 POA&Ms categorized as late – including 23 with risk severity ratings of either critical or high. Of those 23, there are four POA&Ms where the security weakness was first identified in 2017.
“The IRS is required to report identified information security weaknesses and document remediation. Failure to timely review, track, and close POA&Ms to resolve information security weaknesses puts the IRS at risk for exploitation by threat actors,” the watchdog said. “In addition, tracking associated resources required to resolve POA&Ms facilitates informed decision-making.”
The report identifies three reasons why the IRS failed to identify and respond to its security weaknesses in a timely manner: staffing shortfalls; failure to consistently report required POA&M information; and failure to accurately identify and track resources required to resolve information security weaknesses.
TIGTA recommended that the IRS’s Chief Information Officer (CIO):
- Consolidate the best business unit POA&M remediation practices and implement a consistent process agency-wide to manage security risk remediation;
- Prioritize staffing and other resource allocations to address security weaknesses;
- Consider POA&M estimated costs in budget formulation; and
- Collaborate with business unit representatives to ensure POA&M costs are updated at closure.
The IRS agreed with all four recommendations.
“The IRS is committed to fully and effectively addressing information technology security weaknesses. We concur with the recommendations and outcome measure in the draft report. We plan to complete implementation of all corrective action by May 15, 2024,” IRS Acting CIO Kaschit Pandya wrote in response to TIGTA’s report.
“We are taking a series of steps that include, but are not limited to, prioritizing staffing and other resource allocations associated with this process and enhancing communications with all agency POA&M stakeholders to clarify expectations and best practices in remediation,” Pandya continued. “We expect these efforts will help to reduce risk, ensure system integrity, and maximize system availability for taxpayers.”