Audit: IRS won’t hit HSPD-12 ID card benchmark until 2018

2014_06_IRS_Building_Constitution_Avenue The IRS may not be 100 percent compliant with HSPD-12 until 2018. (Credit: Wikimedia)

New Treasury Department Chief Information Officer Sonny Bhagowalia has only been on the job for a few hours, but he already has a major department headache to deal with.

The Treasury Inspector General for Tax Administration released the results of an audit Monday stating the IRS will not meet the Treasury Department’s goal of becoming fully compliant with Homeland Security Presidential Directive 12 (HSPD-12) by fiscal year 2015, with some authentication standards not being reached until fiscal 2018, as long as funding is made available.


HSPD-12 requires agencies to issue personal identity verification (PIV) cards that meet a governmentwide standard for secure and reliable forms of identification. Created in 2004 under then-President George W. Bush, the directive was meant to reduce variations in identification used to access secure facilities where there is potential for terrorist attacks. The Obama administration has made it a goal to achieve HSPD-12 compliance at 75 percent of federal agencies by the end of fiscal 2014, and the Treasury Department planned to have all of its components meet the requirements by fiscal 2015.

The report states that while 85 percent of IRS’ workforce has been issued PIV cards, only 130 of 625 IRS locations (21 percent) have been upgraded with authentication for physical access. Also, logical access authentication has only been granted to 5 percent of the necessary workforce.

TIGTA identified several factors for the IRS’ lag in meeting the Treasury Department’s goals. The report states that IRS is having trouble distributing PIV cards due to the need to manually verify contractor data before issuing them, the distance between remote IRS offices and credentialing stations, and a high turnover rate among IRS employees. The Treasury Department has said it plans on implementing a solution, PIV Data Synchronization, that will allow for PIV cards to be issued to new employees on their first day of work.

With the lack in access authentication, the IRS said there has been a number of barriers it has had to overcome, including a lack of funding, last year’s government shutdown and several software systems that are not HSPD-12 compliant.

TIGTA issued a number of recommendations to the IRS’ chief technology officer and chief of agencywide shared services, including that officials ensure that all IRS facilities are equipped to meet HSPD-12-compliance and that all HSPD-12 requirements are integrated into the IRS’s existing computer systems.


IRS CIO Terry Millholland agreed with all of TIGTA’s recommendations and has planned corrective actions but noted the service’s financials present a challenge.

“The IRS is continuously improving its security posture, but we are limited by a shortage of financial resources,” Millholland wrote in his response. According the audit, the IRS said it would need $123 million and six new, full-time employees to make 361 IRS offices HSPD-12 compliant. The IRS has already spent more than $110 million to implement HSPD-12 and has budgeted an additional $19 million for fiscal year 2014.

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts