A number of federal employees and contractors on the IRS’s cyber incident response team don’t have the specialized training required by law, a recent audit by the Treasury Inspector General for Tax Administration (TIGTA) found.
The audit, which examined IRS’s cyber incident reporting and cyber training between fiscal 2015 and 2016, found that a majority of the agency employees and contractors working at its Computer Security Incident Response Center had failed to take required specialized training courses.
CSIRC staff and contractors “who have a significant information technology security role” are required by the Federal Information Security Management Act to take eight hours of specialized role-based training each year and report it to the agency, or face sanctions and loss of access.
The IRS initially reported that 10 employees had completed the training in 2015 and seven in 2016, but TIGTA disagreed, saying several employees did not meet the threshold for specialized certification.
“As a result, for the FISMA 2015 yearly cycle, four of the 10 CSIRC employees met the specialized training requirement and the remaining six did not,” the report said. “For the FISMA 2016 yearly cycle, five of the seven employees did not meet the specialized security training requirements.”
TIGTA also flagged 34 courses it considered as containing general security curriculum that CSIRC had designated as specialized. The IRS agreed with the assessment for only seven of the courses.
Likewise, investigators could find no training record for 11 CSIRC contractors in fiscal 2015. And in fiscal 2016, 14 of 15 CSIRC contractors failed to meet the FISMA specialized training requirements. Though agency officials provided training documentation for the contractors, the training occurred in the 2017 FISMA cycle and did not include the number of hours attained. Contractors were also allowed to retain system access despite agency policy requiring that it be revoked.
Agency personnel said that there were several obstacles to obtaining the specialized training, including a lack of funding and difficulty getting approval to attend trainings.
The report noted that funding for the IRS’s cybersecurity training is allocated to all agency cybersecurity operations rather than to individual components like the CSIRC. Therefore, investigators were unable to determine what share of the training funds was allocated to the response center.
TIGTA offered three recommendations related to the specialized training:
- That CSIRC employees and contractors are FISMA-compliant for specialized security training and that contractor training documentation include the number of hours trained
- That CSIRC contractors who aren’t FISMA-compliant have their systems access removed
The IRS agreed with the training recommendation and partially agreed with the contractor recommendation, saying that it implemented systemic de-provisioning on March 6. This approach, the agency said, would deny all access to contractors not in compliance on a weekly basis, rather than relying on individual system owners to carry out the process.
The report also detailed CSIRC incident response, finding that the office properly responded to incidents but could improve its reporting procedures.