Tax watchdog says IRS hasn’t completed key IPv6 modernization requirements

The IRS has fallen short in meeting a critical governmentwide modernization priority, a new watchdog report found, potentially undercutting the agency’s ability to “meet evolving business needs” and bolster “the taxpayer experience.”

According to the Treasury Inspector General for Tax Administration, the IRS has yet to complete a number of actions tied to the deployment of Internet Protocol version 6. 

Office of Management and Budget guidance released in 2020 called on federal agencies to migrate to IPv6 across all information systems and services. Compared to its predecessor, IPv6 expands the range of network and system IP address possibilities as more internet-connected devices come online and adds enhanced security and operational efficiency. Per the 2020 OMB memo, “full transition to IPv6 is the only viable option to ensure future growth and innovation in Internet technology and services.”

The IRS, however, has run into various IPv6 issues, starting with its inability to develop a timely implementation policy and the creation of an agencywide project team that was missing key representatives from acquisition and policy divisions, the IG’s investigation discovered. 

TIGTA additionally dinged the agency for an incomplete transition plan that was updated in March 2023 but “did not include a key action to identify and provide a schedule for replacing and retiring systems that cannot be converted to use IPv6.” The next month, the IRS added a document to track asset transitions to IPv6, though that plan “was not approved by the Chief Technology Officer as required.”

The IRS also failed to develop an information resource management strategic plan, per OMB guidance, which TIGTA said could result in an inability “to ensure that information resource management decisions are integrated with organizational planning, procurement, and program decisions.”

The watchdog also discovered that the IRS has been using some external-facing servers for communications that are not IPv6-only, identifying one that’s on IPv4-only protocol and 13 that are dual-stacked.

“Dual stacked networks may lead to increased complexity as both IPv6 and IPv4 infrastructure must be maintained to continue communication throughout the network,” TIGTA wrote. “Increased complexity can lead to misconfigured devices, which could introduce vulnerabilities, making the network more prone to compromise.”

Additionally, the tax agency hadn’t transitioned 20% of its assets that required an internet protocol address to an IPv6-only environment within the OMB-provided time window. The IRS pushed back on a TIGTA recommendation to get at least 50% of those assets operating in IPv6-only environments by the end of this fiscal year.

Other findings in the report covered shortcomings in the IRS’s oversight of asset acquisitions and waivers. The agency disagreed with a recommendation on how contracting officers should document acquisitions that use internet protocol.

Separately, TIGTA released an IRS-focused report this week on the agency’s rollout of Direct File, the free electronic filing service it piloted in 12 states this year. The watchdog determined that the deployment of the program was successful, but improvements to security and testing of the system are needed going forward. 

“If the Direct File Pilot is not properly developed, tested, and secured, the IRS risks delays to taxpayers and submission errors,” TIGTA stated. “In addition, taxpayer data could be vulnerable to loss or theft.”

The IRS agreed with all six of TIGTA’s Direct File recommendations.