The Internal Revenue Service should improve the way it scans for cybersecurity vulnerabilities and remediates the ones it finds, according to a new report.
The
That means personal taxpayer information could be exposed by hackers. “Security weaknesses within the IRS’s management and operations security practices increase the risk to its assets and ability to protect taxpayer information,” said the report. “Failure to resolve or track existing vulnerabilities compromises the security posture of the enterprise, potentially exposing taxpayer data and information to unnecessary risk.”
TIGTA made six recommendations in the report, suggesting the IRS should create an entity to oversee enterprisewide vulnerability remediation and ensure that required actions are taken. The report also recommended the IRS should prioritize the remediation of vulnerabilities that exceed remediation time frames, as well as document any vulnerabilities that go past the required remediation time frames. The IRS should also develop a process to make sure network updates that affect vulnerability scanning are communicated, enforce its current guidance to periodically review the scanning exception list, and ensure that privileged access scans are completed on required devices, the report recommended.
The IRS agreed with all six of TIGTA’s recommendations. The IRS plans to set up an entity to oversee enterprisewide vulnerability remediation, as well as prioritize remediating vulnerabilities exceeding remediation time frames. The agency also intends to document vulnerabilities past remediation time frames as required, and put in place a process to ensure that network updates are communicated properly. The IRS also plans to enforce its current guidance to do periodic reviews of the scanning exception list, and make certain that privileged access scans are completed on required devices.
The IRS has significantly enhanced its Enterprise Vulnerability Scanning program, according to IRS CIO Nancy Sieger Smith. “Our analysis from June 2021 found that we successfully identified and addressed 97% of the critical and high findings from the filing season applications, and we have centralized enterprisewide oversight for the most critical systems that maintain filing season and taxpayer data,” she wrote in response to the report. “For the remaining systems and applications, we have continuous vulnerability monitoring in place that provides a comprehensive and real-time view of the IRS security posture.”
She pointed out that the IRS also relies on automated patching to manage vulnerability remediation for more than 80,000 workstations, which can be a challenge in a remote environment, but in fiscal year 2021, the IRS addressed more than 1,200 critical vulnerabilities.