Report: IRS has no plan for cloud, skipped risk management protocol for Form 990 site
A report from the Treasury Inspector General for Tax Administration has found that the Internal Revenue Service still lacks a cohesive strategy to shift toward cloud computing and failed to implement risk management procedures when it used a consumer cloud service to disclose public information on tax-exempt nonprofits.
The Aug. 7 TIGTA report outlines the IRS’s efforts to develop a cloud strategy in line with the Obama administration’s 2011 guidance to move federal agency operations to the cloud, finding that the agency didn’t prioritize the move until July 2016.
The IRS formed an Integrated Planning Team to develop an enterprise-wide strategy to move the agency off its legacy systems last year, but investigators found the meetings to develop that strategy were often informal and had no implementation timetable.
Several IRS officials also told TIGTA that they had no inventories for existing cloud services. IRS cybersecurity officials presented a manually constructed spreadsheet of information about cloud services in the agency, based on information provided by other offices.
“The only data documented for each system are the name of the system and the associated cloud service provider. The inventory does not distinguish between deployed systems, systems in development, system ownership, or other informative details,” the report said. “We determined that reliance on change management requests to manually maintain a list of IRS cloud systems, either planned or deployed, is insufficient for an inventory of cloud systems.”
Not the usual AWS
While the agency has not finalized an enterprise-wide strategy, one of its offices did apply cloud computing to a process that made public the information from a tax document for nonprofits, also known as Form 990.
Following a 2015 California federal court case that required the IRS to disclose public information about nonprofits in a machine-readable format, the Tax Exempt and Government Entities Division launched the Form 990 cloud service project. By 2016, the IRS had 1.4 million Form 990 records online.
But in setting up the program, the office never issued its own Authority to Operate letter accepting the security risk of using a cloud service. Though the cloud service provider utilized for the project, Amazon Web Services, was authorized by the Federal Risk and Authorization Management Program, investigators said the IRS still needed its own ATO letter or to appoint an authorizing official to oversee the process.
The IRS essentially used a free, consumer-oriented AWS website to post the records. It paid $18 for some temporary access to interface tools at the beginning of the project, investigators said.
By not having an enterprise-wide cloud strategy in place to guide the Tax Exempt and Government Entities Division, which managed the Form 990 cloud service, the report said, the IRS allowed one of its offices to enter into an agreement that does not adhere to “any service level agreements or any cloud contract best practices” designated by FedRAMP, the Federal Chief Information Officer Council, the Chief Acquisition Officers Council or the Federal Cloud Compliance Committee as key factors to cloud service success.
“By not adhering to Federal guidelines regarding cloud implementation, the IRS risks Form 990 data accuracy and availability issues due to the lack of clearly defined roles and responsibilities for the cloud service provider in measurable terms,” the report said. “At a minimum, the IRS should ensure that the service level agreement contains clearly defined terms, definitions and performance parameters, and also defines who is responsible for measuring service level agreement performance.”
The report offered four recommendations, including:
- That the IRS chief information officer prioritize and complete an enterprise-wide cloud strategy aligned with Federal guidance.
- That the CIO formalize the process of managing the IRS’s cloud inventory using automated methods, with the inventory updated periodically.
- That the CIO designate an authorizing official, complete the required FedRAMP Security Assessment Report, and issue an agency-specific ATO letter for the Form 990 cloud service.
- That the CIO ensure the Form 990 cloud service includes a service level agreement defining, in measurable terms, the acceptable service levels to be provided by the cloud service provider.
The IRS agreed with the recommendations on developing an enterprise cloud strategy and was in the process of implementing them, but it also said it does not have the resources to automate the cloud inventory process and did not think it was necessary.
The agency also agreed to designate an authorizing official to the Form 990 cloud service and assess its security requirements, but disagreed with the service level agreement recommendation.
IRS officials said that because the Form 990 information disclosed is public information, a publicly accessible AWS website was appropriate. The agency said it has neither procured nor acquired services from AWS, negating the need for a service level agreement.
Officials added that they negotiated acceptable disclosure, procurement and information security terms with the written advice of legal counsel.
TIGTA responded by saying that because the IRS did not enter into a service level agreement, AWS could technically withdraw its services with 30 days’ notice, which would leave the agency with little time to ensure that it could still comply with the federal court order to disclose the information electronically.