IRS cyber vulnerability scanning needs fixing

The Internal Revenue Service should improve the way it scans for cybersecurity vulnerabilities and remediates the ones it finds, according to a new report.

The report, released last week by the Treasury Inspector General for Tax Administration, noted that in August 2020, the IRS’s cybersecurity function started using a new vulnerability scanning tool that was supposed to be able to scan more network devices more often than the previous tool. However, the report still found several shortcomings in how the IRS oversees vulnerability remediation across the agency. For example, the IRS’s Patch and Vulnerability Group didn’t verify or monitor the remediation efforts for all the vulnerabilities, or consistently track and report vulnerability remediation metrics. Out of a sample of 29 of the top 100 vulnerabilities, TIGTA found the IRS didn’t track remediation with a documented action plan and milestones or risk-based decisions for 20 of the 29 vulnerabilities reviewed, or about 69% of them. There’s also no formal notification process in place to make sure the Enterprise Vulnerability Scanning group is made aware of network changes requiring updates to the vulnerability scanning tool.

That means personal taxpayer information could be exposed by hackers. “Security weaknesses within the IRS’s management and operations security practices increase the risk to its assets and ability to protect taxpayer information,” said the report. “Failure to resolve or track existing vulnerabilities compromises the security posture of the enterprise, potentially exposing taxpayer data and information to unnecessary risk.”

Andrew Harrer/Bloomberg

TIGTA made six recommendations in the report, suggesting the IRS should create an entity to oversee enterprisewide vulnerability remediation and ensure that required actions are taken. The report also recommended the IRS should prioritize the remediation of vulnerabilities that exceed remediation timeframes as well as document any vulnerabilities that go past the required remediation time frames. The IRS should also develop a process to make sure network updates that affect vulnerability scanning are communicated, as well as enforce its current guidance to periodically review the scanning exception list; and ensure that privileged access scans are completed on required devices, the report recommended.

The IRS agreed with all six of TIGTA’s recommendations. The IRS plans to set up an entity to oversee enterprisewide vulnerability remediation, as well as prioritize remediating vulnerabilities exceeding remediation time frames. The agency also intends to document vulnerabilities past remediation timeframes as required, and put in place a process to ensure that network updates are communicated properly. The IRS also plans to enforce its current guidance to do periodic reviews of the scanning exception list, and make certain that privileged access scans are completed on required devices.

The IRS has significantly enhanced its Enterprise Vulnerability Scanning program, according to IRS CIO Nancy Sieger Smith. “Our analysis from June 2021 found that we successfully identified and addressed 97% of the critical and high findings from the filing season applications, and we have centralized enterprisewide oversight for the most critical systems that maintain filing season and taxpayer data,” she wrote in response to the report. “For the remaining systems and applications, we have continuous vulnerability monitoring in place that provides a comprehensive and real-time view of the IRS security posture.”

She pointed out that the IRS also relies on automated patching to manage vulnerability remediation for more than 80,000 workstations, which can be a challenge in a remote environment, but in fiscal year 2021, the IRS addressed more than 1,200 critical vulnerabilities.