Taxpayer information is potentially threatened by weaknesses in the IRS’s current information security controls, according to a new report by the Government Accountability Office.
In the report published Monday, the GAO announced that, along with the Treasury Inspector General for Tax Administration, it has concerns about the security of taxpayer data. The weaknesses found include a lack of maintenance of systems designed to protect taxpayer information, lower training completion among contractors, and gaps in safeguards for transferring taxpayer information.
“IRS relies on several outdated information systems, and hasn’t yet completed an inventory of all the systems that contain sensitive taxpayer data,” Jennifer Franks, GAO director of information technology and cybersecurity, said in a released video. “In addition to the cybersecurity concerns we found, there may be some taxpayer data in IT systems that the IRS hasn’t even accounted for.”
The IRS was found to have set an agencywide goal for employees to complete training on protecting taxpayer information, and reported meeting it at 97%. Contractors working for the service, however, were not given a completion goal to reach and were “well below employee completion rates” at less than 75%.
“IRS employees and contractors are supposed to complete several related training courses on cybersecurity information safeguards and more,” Jessica Lucas-Judy, GAO director of strategic issues, said in the video.
The review found other weaknesses, including in information systems, contractor oversight and information sharing. The report also said that the IRS has no overall oversight effort addressing unauthorized access by contractors, even though multiple IRS offices oversee those contractors.
Specifically, the IRS does not currently have any guidance that requires a risk assessment to be performed before taxpayer information is transferred to contractors.
“Until IRS remediates these weaknesses, it will have limited assurance that taxpayer information is protected appropriately,” the report states.
GAO found that the IRS was limited in monitoring unauthorized access because the service omitted seven tax processing systems from its inventory as of Dec. 2022. The agency requires an inventory of these systems to be maintained since they “store taxpayer information and mitigate weaknesses that lead to a higher risk of unauthorized disclosure of federal tax information.”
Due to these findings, the office issued 16 new recommendations, with one for Congress to consider. Of the new recommendations, the IRS disagreed with one.
The report notes that “IRS disagreed with the recommendation to implement processes to determine when to delete taxpayer information in (Compliance Data Warehouse).” Instead, the IRS requested that the recommendation be revised to say “delete or archive” to match wording elsewhere in the report. GAO determined that the wording would remain as drafted.
The GAO’s recommendations span the five National Institute of Standards and Technology cybersecurity core functions for the “life cycle management of cybersecurity risk.” Most of the recommendations relate to the “protect” function.