TIGTA faults IRS on security vulnerabilities

The Treasury Inspector General for Tax Administration, in a recent report, said the Child Tax Credit Update portal the Internal Revenue Service set up last year was generally implemented well, but several security and process issues need to be addressed.

The portal was developed in 2021 in response to changes in how the Child Tax Credit was distributed. It lets people, for example, elect out of receiving payments related to the advance CTC, and report updates to the number of qualifying children, marital status or a significant change in the taxpayer’s income.

While deployment generally was successful, TIGTA said the IRS failed to address a number of security vulnerabilities in a timely manner. For the portal itself, inspectors identified 1,334 critical vulnerabilities spread across nine production servers, 312 of which were unique. This included 412 critical and 508 high-severity security vulnerabilities. For the Secure Access Digital Identity system that undergirds the portal, inspectors identified 492 vulnerabilities spread across 14 production servers.

The IRS, when asked by inspectors, said the root cause stemmed from older versions of commercial off-the-shelf software being installed during the server build process. The IRS's Enterprise Operations function, in response, is developing a process to validate that newly built servers meet minimum compliance requirements. The Enterprise Operations function is also working with the Cybersecurity function to initiate vulnerability scanning prior to newly built servers being placed into the production environment. Finally, IRS management stated that the Enterprise Operations function’s Security Operations and Standards Division continues to work and track remediation progress as part of the vulnerability remediation management effort.

Despite these issues, though, TIGTA said that overall the IRS had implemented the necessary security procedures. It determined the IRS implemented 78% of the 37 applicable security controls and enhancements for the portal, and 88% of the 319 applicable security controls and enhancements for the Secure Access Digital Identity system.
