IRS faces challenges with security, modernization and people

A new audit says that the IRS should focus on modernizing IT, improving security controls, eliminating critical vulnerabilities in servers used for personal devices and addressing its "serious" human capital crisis.

The IRS should focus over the next year on modernizing IT, improving security controls for its primary e-filing tool, eliminating critical vulnerabilities in servers used for personal devices and addressing its "serious" human capital crisis, according to Department of Treasury auditors.

The findings were included in the Treasury Inspector General for Tax Administration's annual report on the most pressing management challenges facing the IRS.

For years, security over taxpayer data has been the top concern, and the 2020 version continues that trend. While the agency has suffered a series of attacks and compromises to its web applications in recent years, it is more than a year behind in fulfilling an Office of Management and Budget requirement to make its public-facing systems compliant with authentication security guidelines issued in 2017 by the National Institute of Standards and Technology.

Applications like GetTranscript and the student aid Data Retrieval Tool have already been breached, but auditors this year homed in on two other areas: the Filing Information Returns Electronically (FIRE) system and the agency's Bring Your Own Device policy.

The FIRE system, which allows taxpayers to file their returns electronically, does not follow federal security standards and lacks any kind of identity proofing that could prevent or discourage fraud. Tackling fraud and identity theft more generally was also listed as a top priority, and new information sharing capabilities have been put in place through the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center.

"Of particular concern is how the IRS ensures that only authorized taxpayers can access their information on these public-facing applications," auditors wrote. "Strong electronic authentication controls are needed to prevent identity thieves from succeeding at impersonating taxpayers and gaining improper access to tax records."

The agency's BYOD policy allows employees to bring in and use a range of personal computing devices for work that are connected to a separate server. However, those servers are plagued by at least 68 critical and high-risk vulnerabilities, including 18 that were listed as easily exploitable. The introduction of the screen capture function on personal iPhones has also made it easier for employees to take snapshots and release unauthorized agency data.

For the first time, modernizing IT systems is listed as a challenge. The IRS spends about $3 billion every year on information technology, but the agency rolled out a six-year $2.7 billion plan to bring its infrastructure into the 21st century. The 2017 Tax Cuts and Jobs Act also brought with it a bundle of extra work, with the agency reporting it has led to reprogramming of 128 IT systems, the creation of 48 new tax products and revision of 494 others to comply with the new law.

At an Oct. 11 FCW event, Acting CIO Nancy Sieger said the agency's mainframe computers and most of its infrastructure are still hosted in on-premise data centers. As electronic web services have become more common, her office is working to shrink that footprint from 10 facilities down to three, migrate systems to the cloud and further automate many of the initial points of contact between the agency and taxpayers.

Sieger's office must also figure out how best to protect about 16 petabytes worth of taxpayer and agency data.

"For those of you who need a sense of how much 16 petabytes is, think of about 1.5 million CDs in a stack," Sieger said.

Bubbling beneath the surface of nearly every issue listed in the report is a years-long brain drain of personnel who have left the IRS as leaner budgets and increased scrutiny from a Republican Congress have sapped agency resources and capabilities. Commissioner Charles Rettig has said that despite the pivot to automation and more advanced technologies, the IRS is still ultimately run by people.

That workforce is disgruntled and shrinking. According to an annual survey of government agencies by the Partnership for Public Service, the IRS has lost nearly a third of its workforce over the past two decades, going from more than 93,000 employees in 2001 to just over 64,000 in 2017. The most recent data places the agency in the lowest quartile of federal agencies for leadership, pay, strategic management, innovation, training and development and performance-based rewards and advancement. Ratings for its work-life balance also come in below the median agency.

"At our busiest points in the year, it's not uncommon for employees across the [IRS] to work through holidays, birthdays, anniversaries and this year, even a 35-day government shutdown," said Sieger.

While the IRS was able to successfully lobby for the restoration of critical pay authorities earlier this year, the losses have impacted its ability to modernize IT systems and forced auditing and financial crime enforcement offices to refocus their work on easier targets and criminal groups with larger financial fraud footprints.

As agency personnel have left or aged out of the workforce, officials have relied more on technology and automation to carry the workloads they leave behind.

"Cost increases over this time period have resulted in a significant reduction in the number of full-time employees, with a corresponding impact on institutional knowledge and technical expertise," the report warned.