IRS changes public password policies to match NIST guidance
The IRS will no longer require password changes every 60 days for public-facing portals and is now enforcing a minimum length of 14 characters, moves that align the tax agency with National Institute of Standards and Technology guidelines and are intended to improve efficiencies.
In guidance shared with Scoop News Group that was issued Monday, the IRS’s Office of Safeguards noted that these changes would match agency protocols with the best practices detailed in NIST SP 800-63B, a document titled “Digital Identity Guidelines: Authentication and Lifecycle Management.”
The Office of Safeguards noted that these password changes were “different from traditional guidance.”
“Most notably: complexity requirements do not apply, and passwords should not be changed periodically,” the IRS guidance stated. “Additionally, the guidelines for maintaining a list that contains values such as passwords commonly-used, expected, or compromised has changed.”
According to the office of Sen. Ron Wyden, the Oregon Democrat prodded the agency to implement these changes following a tip from his state’s Department of Human Services. Oregon DHS told Wyden staffers on Jan. 8 that the federal cybersecurity rules that the IRS had been following were hindering the agency’s updates to its Supplemental Nutrition Assistance Program website, making it tougher for state residents to apply for the benefits.
Wyden’s office said that it reached out to the IRS later that day and urged the agency to update its password protocols.
“Every American deserves government services that are accessible, simple, and secure,” Wyden said in a statement to Scoop News Group. “I’m glad that the IRS fixed its outdated password policies to align with federal cybersecurity standards, following discussions with my office. I remain committed to pushing all agencies to adopt modern cybersecurity best practices to make Americans’ data more secure, improve their experience with government websites, and uphold their dignity.”
The Office of Safeguards noted in its guidance that these “mitigating requirements do not eliminate risk associated with non-compliance, [and] findings may still be issued if these mitigations are in place.” The agency also signaled to staff that additional changes can be expected in the future.
“Ultimately, agencies should move towards a Zero Trust Architecture (ZTA),” the guidance stated. “As such, agencies should plan and begin to implement multifactor authentication (MFA), ideally, phishing resistant, for all system components at the application layer, not just at the network layer or for initial network access. This may be facilitated through the implementation of single sign on (SSO) technology.”
