The Treasury Inspector General for Tax Administration,
The portal was developed in 2021 in response to changes in how the Child Tax Credit was distributed. The portal enables people to do things like elect out of receiving payments related to the advance CTC, as well as provide updates to the number of qualifying children, marital status or a significant change in the taxpayer’s income.
While deployment generally was successful, TIGTA said the IRS failed to timely address a number of security vulnerabilities. For the portal itself, inspectors identified 1,334 critical vulnerabilities spread across nine production servers, 312 of which were unique. This included 412 critical and 508 high-severity security vulnerabilities. For the Secure Access Digital Identity system that undergirds the portal, inspectors identified 492 vulnerabilities spread across 14 production servers.
The IRS, when asked by inspectors, said the root cause stemmed from older versions of commercial off-the-shelf software being installed during the server build process. The IRS's Enterprise Operations function, in response, is developing a process to validate that newly built servers meet minimum compliance requirements. The Enterprise Operations function is also working with the Cybersecurity function to initiate vulnerability scanning prior to newly built servers being placed into the production environment. Finally, IRS management stated that the Enterprise Operations function’s Security Operations and Standards Division continues to work and track remediation progress as part of the vulnerability remediation management effort.
Despite these issues, though, TIGTA said that overall the IRS had implemented the necessary security procedures. It determined the IRS implemented 78% of the 37 applicable security controls and enhancements for the portal, and 88% of the 319 applicable security controls and enhancements for the Secure Access Digital Identity system.