The Internal Revenue Service has done a bad job plugging potential IT security leaks, according to a new report from the Treasury Inspector General for Tax Administration.
In “Security Weaknesses Are Not Timely Resolved and Effectively Managed,” TIGTA claims that between Jan. 1, 2005, and Aug. 26, 2022, the IRS created 12,089 Plans of Action and Milestones. (Federal agencies are required to develop and implement a corrective action plan, known as a POA&M, to identify and document the resolution of information technology security weaknesses.)
Of these 12,089, TIGTA found, remediation efforts for 9,534 have been finalized and 2,555 remain open. The watchdog sampled 401 POA&Ms and found that the IRS did not timely review almost three out of four (73%) of them based on agency security policies, nor did it perform the required closure reviews within the 60-day period for almost half (49%) of 282 POA&Ms marked as either Accepted, Completed or Validated.
Nor is the problem recent. “Due to staffing shortfalls, IRS employees are not facilitating the timely resolution of information security weaknesses,” TIGTA wrote. “Agency-wide, there are more than 500 POA&Ms categorized as ‘Late,’ including 23 with risk severity ratings of either critical or high. Of those 23, there are four POA&Ms where the security weakness was first identified in 2017.”
Business units are not timely creating POA&Ms or consistently entering required POA&M information, TIGTA found.
For example, almost a third (32%) of 4,370 plans created on or after Jan. 1, 2018, through August 26 of last year were not created within agency permitted timelines, and 74% of 401 POA&Ms TIGTA analyzed lacked either the required status updates, required due date comments or had insufficient documentation to justify a modified due date. There were 304 instances where POA&Ms were missing required data elements.
Finally, the IRS is not accurately identifying and tracking the resources required to resolve information security weaknesses, TIGTA said.
“For the 12,089 POA&Ms, there was a total estimated cost of $2.6 billion to resolve the information security weaknesses,” the report reads. “From Jan. 1, 2018, through Aug. 26, 2022, the IRS finalized remediation efforts for 3,139 POA&Ms with total estimated costs of $134.5 million to resolve the information security weaknesses. However, during the closure process, the IRS did not reevaluate the estimated budget and update it with actual costs at closure, as required.”
TIGTA recommended that the service:
- Consolidate the best business unit POA&M remediation practices and implement a consistent process agency-wide to manage security risk;
- Prioritize staffing and other resource allocations to address security weaknesses;
- Consider POA&M estimated costs in budget formulation; and,
- Collaborate with business unit representatives to ensure POA&M costs are updated at closure.
The IRS agreed with all four recommendations.