TIGTA faults IRS on data security, cloud security

The Treasury Inspector General for Tax Administration, in two reports, critiqued the IRS on cybersecurity for both its data warehouse and its cloud infrastructure.

Data warehouse security

One report specifically pertained to the IRS's Compliance Data Warehouse, effectively a massive data warehouse containing multiple years of federal tax information and personally identifiable information consolidated from multiple sources, internal and external to the IRS. The CDW offers a broad range of databases that research analysts may access through a variety of data analytic tools. This includes things like Individual Master File data, Business Master File data, tax return data, taxpayer contact information, conversations between a taxpayer and an IRS agent, and actions that took place on behalf of the IRS. As one might imagine, the IRS considers it very important for this data to remain secure. This is why it is required to record audit trails in the system's security documentation for indications of inappropriate or unusual activity. However, TIGTA said the tools used to visualize audit trails associated with the Event ID data field, specifically CDW logins, failed to accurately display the login data field, with the result that the available login data were both incomplete and unreliable. For example, TIGTA found that from March 2023 to July 2023, the repository was not displaying any audit trails that contained CDW login information at all.

TIGTA said this can be attributed to two root causes. First is that, within the CDW Platform Audit Worksheets, the coding script used to identify system logins in the CDW logs was referencing an incorrect file name. Upon recognizing the error, IRS alerted the appropriate cybersecurity officials and continued to collaborate to identify and implement a resolution. Second, when the login information search period is greater than 90 days, the search does not return complete and accurate login information. As of April 3, 2024, the exact cause of this error was still unknown; however, cybersecurity officials are continuing to troubleshoot the issue. The IRS reports that restricting the search to 90 days or fewer helps manage performance and response time, given the sheer volume of CDW log data. The IRS plans to add a note to the audit trail repository to advise about the 90-day limitation and noted that multiple searches for 90 days or fewer may be run.

Further, TIGTA said that while actionable events require timely review to determine if additional escalation or notifications are needed, the Compliance and Audit Monitoring team is not reviewing any of them. A management official stated that CDW's actionable events are not being reviewed because of a miscommunication between the Compliance and Audit Monitoring team and CDW personnel, and that the team began the review of all required actionable audit events in March 2024. Further, TIGTA said the monitoring that is being done is highly inefficient, as the IRS's audit trail repository does not permit users to export or download multiple auditable or actionable events at the same time. As a result, the team is restricted to reviewing, analyzing and reporting on singular audit events. 

TIGTA did, however, concede that all 1,173 CDW users as of April 2024 completed each of the four mandatory training courses. However, mandatory training requirements for unpaid hires (academic researchers and student volunteers) were not managed via the Integrated Talent Management system. According to management officials from the IRS's Human Capital Office, this limitation was due to an integration issue within the agency's human resources system. While TIGTA found that the current manual process for tracking training requirements for unpaid hires is functional, it does not afford any type of verification that the training was actually completed. 

TIGTA recommended that: 1) the IRS's chief data and analytics officer ensure the agency's audit trail repository accurately displays and reports all CDW login information; 2) the chief information officer ensure that all required actionable audit events for the CDW are reviewed; 3) the CIO ensure that automated mechanisms are incorporated into the actionable audit event escalation process; 4) the CIO and chief data and analytics officer ensure that identified vulnerabilities are timely remediated; and 5) the chief data and analytics officer ensure that all CDW servers are included in configuration compliance scans. The IRS agreed with all five recommendations. 

Cloud infrastructure security

TIGTA, in another report, faulted the IRS for its cloud security assessment, approval and monitoring process, saying it was not maintaining appropriate separation of duties for certain roles related to cloud systems, and did not follow guidance meant to prevent conflicts of interest, increasing the risk of erroneous and inappropriate actions.

Specifically, inspectors determined that 35 (70%) of the 50 cloud systems reviewed had the same individuals assigned as either the authorizing official or the AO's designated representative and system owner. The remaining 15 (30%) of the 50 cloud systems reviewed demonstrated appropriate separation of duty with different individuals assigned as the AO or the AO-designated representative and system owner. 

While the National Institute of Standards and Technology guidelines recommend that organizations ensure there are no conflicts of interest when assigning the same individual to multiple risk management roles, there was no IRS policy statement that specifically prevented the roles from being occupied by the same person. After this issue was brought to management's attention, IRS officials stated they will review the NIST guidance and work to ensure that updates are made as appropriate to have different individuals occupy these roles. 

TIGTA also noted that the IRS was not preparing summary reports for 11 (22%) of 50 cloud systems every month as required. The Cloud Continuous Monitoring Strategic Operating Plan requires cloud  information system security officers to prepare a monthly summary report for each of their assigned systems and provide it to the system's AO. Further, summary reports for 45 of the 50 cloud systems identified that the reports were missing required information. Also, 31 of the 45 cloud systems reviewed were missing the trackable Plan of Action and Milestones weakness identification number on the summary report. And security documents were missing approvals or were not properly approved within the Department of the Treasury data repository. Specifically, the repository was missing five (10%) of the 50 cloud systems' Authorization-to-Operate memorandums. Finally, 15 of 50 cloud systems were missing required  Federal Risk and Authorization Management Program Security Threat Analysis Reports. 

TIGTA recommended that the IRS's chief information officer ensure that: 1) separation of duty controls reflect guidance and require that all cloud systems have a unique System Owner and Authorizing Official; 2) an Authorization-to-Operate memorandum is approved for the system to remain in production; 3) summary reports are timely created; 4) procedures are updated; 5) management approvals are consistent and documented; and 6) the Cloud Security Assessment and Authorization process is completed annually. The IRS agreed with four recommendations and plans to ensure separation of duty controls reflect guidance; the system obtains authorization; that summary reports are timely created; and that management approvals are documented. The IRS disagreed with two recommendations, stating its weakness summary reporting is sufficient without unique identifiers and that cloud security assessments are completed in accordance with existing procedures.