IRS faces challenges with security, modernization and people

A new audit says that the IRS should focus on modernizing IT, improving security controls, eliminating critical vulnerabilities in servers used for personal devices and addressing its "serious" human capital crisis.

NOTE: This article first appeared on FCW.com.

The IRS should focus over the next year on modernizing IT, improving security controls for its primary e-filing tool, eliminating critical vulnerabilities in servers used for personal devices and addressing its "serious" human capital crisis, according to Department of Treasury auditors.

The findings were included in the Treasury Inspector General for Tax Administration's annual report on the most pressing management challenges facing the IRS.

For years, security over taxpayer data has been the top concern, and the 2020 version continues that trend. While the agency has suffered a series of attacks and compromises to its web applications in recent years, it is more than a year behind in fulfilling an Office of Management and Budget requirement to make its public-facing systems compliant with authentication security guidelines issued in 2017 by the National Institute of Standards and Technology.

Applications like GetTranscript and the student aid Data Retrieval Tool have already been breached, but auditors this year homed in on two other areas: the Filing Information Returns Electronically (FIRE) system and the agency's Bring Your Own Device policy.

The FIRE system, which allows taxpayers to file their returns electronically, does not follow federal security standards and lacks any kind of identity proofing that could prevent or discourage fraud. Tackling fraud and identity theft more generally was also listed as a top priority, and new information sharing capabilities have been put in place through the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center.

"Of particular concern is how the IRS ensures that only authorized taxpayers can access their information on these public-facing applications," auditors wrote. "Strong electronic authentication controls are needed to prevent identity thieves from succeeding at impersonating taxpayers and gaining improper access to tax records."

The agency's BYOD policy allows employees to bring in and use a range of personal computing devices for work that are connected to a separate server. However, those servers are plagued by at least 68 critical and high-risk vulnerabilities, including 18 that were listed as easily exploitable. The introduction of the screen capture function on personal iPhones has also made it easier for employees to take snapshots and release unauthorized agency data.

For the first time, modernizing IT systems is listed as a challenge. The IRS spends about $3 billion every year on information technology, but the agency rolled out a six-year $2.7 billion plan to bring its infrastructure into the 21st century. The 2017 Tax Cuts and Jobs Act also brought with it a bundle of extra work, with the agency reporting it has led to reprogramming of 128 IT systems, the creation of 48 new tax products and revision of 494 others to comply with the new law.

At an Oct. 11 FCW event, Acting CIO Nancy Sieger said the agency's mainframe computers and most of its infrastructure are still hosted in on-premise data centers. As electronic web services have become more common, her office is working to shrink that footprint from 10 facilities down to three, migrate systems to the cloud and further automate many of the initial points of contact between the agency and taxpayers.

Sieger's office must also figure out how best to protect about 16 petabytes worth of taxpayer and agency data.

"For those of who need a sense of how much 16 petabytes is, think of about 1.5 million CDs in a stack," Sieger said.

Bubbling beneath the surface of nearly every issue listed in the report is a years-long brain drain of personnel who have left the IRS as leaner budgets and increased scrutiny from a Republican Congress have sapped agency resources and capabilities. Commissioner Charles Rettig has said that despite the pivot to automation and more advanced technologies, the IRS is still ultimately run by people.

That workforce is disgruntled and shrinking. According to an annual survey of government agencies by the Partnership for Public Service, the IRS has lost nearly a third of its workforce over the past two decades, going from more than 93,000 employees in 2001 to just over 64,000 in 2017. The most recent data places the agency in the lowest quartile of federal agencies for leadership, pay, strategic management, innovation, training and development and performance-based rewards and advancement. Ratings for its work-life balance also come in below the median agency.

"At our busiest points in the year, it's not uncommon for employees across the [IRS] to work through holidays, birthdays, anniversaries and this year, even a 35-day government shutdown," said Sieger.

While the IRS was able to successfully lobby for the restoration of critical pay authorities earlier this year, the losses have impacted its ability to modernize IT systems and forced auditing and financial crime enforcement offices to refocus their work on easier targets and criminal groups with larger financial fraud footprints.

As agency personnel have left or aged out of the workforce, officials have relied more on technology and automation to carry the workloads they leave behind.

"Cost increases over this time period have resulted in a significant reduction in the number of full-time employees, with a corresponding impact on institutional knowledge and technical expertise," the report warned.
