Taxpayers’ personal information and tax account data remain at risk of being leaked from the Internal Revenue Service’s computer networks despite progress on a data loss prevention program, according to a new report.
In 2010, the IRS began a program known as the Safeguarding Personally Identifiable Information Data Extracts Project, which is responsible for implementing the data loss prevention solution. The
So far, the project team has implemented and expanded a program component known as “Data-in-Motion,” which includes reviewing unencrypted email and attachments, file transfers and web traffic for the most common types of personally identifiable information used by the IRS. TIGTA’s testing found that the Data-in-Motion component was generally successful in identifying and blocking the most common types of personally identifiable information from being “exfiltrated” by email, and that potential incidents identified by the solution were reviewed and resolved correctly. However, there are continued delays with implementing the other components of the project. That’s preventing the IRS from realizing the full benefits of the data loss prevention solution.
“The causes of the delays include technical, project management and administrative issues,” said the report. “Because of the delays, two key components involving data in repositories and data in use are still not operational more than eight years after the project started. Without these components, personally identifiable information continues to be at risk of loss. The delays have also resulted in the inefficient use of resources of approximately $1.2 million in software costs for the components that are not operational.”
TIGTA recommended that the IRS’s chief information officer deploy the rest of the components of the solution, ensure that project documents are prepared and maintained as required, and ensure that any issues requiring negotiations with the National Treasury Employees Union are identified and negotiations started promptly.
Negotiations with the labor union representing IRS employees have also been blamed as a hurdle. But the IRS is close to signing an agreement with the National Treasury Employees Union and plans to notify the union of any issues regarding the production implementation of the remaining components. Under certain circumstances, the IRS is required to negotiate and reach a formal agreement with the NTEU before it can take certain actions. The IRS negotiated with the NTEU about the data loss prevention solution, and a memorandum of understanding was approved in July 2014 that spelled out certain stipulations and limitations related to how the solution affected employees. IRS management cited the negotiations as the cause of delays with implementation of the data loss prevention project.
The IRS agreed with all three of TIGTA’s recommendations. It plans to deploy the remaining components of the Data Loss Prevention solution and ensure that project documents are consistently prepared and maintained during the deployment of the remaining components. The data loss prevention effort is just one part of the IRS’s cybersecurity efforts, according to the agency.
“The deployment of the full DLP product suite is just one of numerous ongoing efforts to secure our systems and protect sensitive information,” wrote IRS acting CIO Nancy Sieger in response to the report. “Our dedicated focus on cybersecurity has positioned the IRS to withstand approximately 1.4 billion cyberattacks annually (including denial-of-service attacks, unsuccessful intrusion attempts, probes or scans, and other unauthorized connectivity attempts). Many of these attempts are sophisticated in nature and/or represent advanced, persistent threats. To continue successfully defending our systems and combatting tomorrow’s threats, the IRS is committed to continued investments and program improvements in our cyber defenses.”