TIGTA spots tens of thousands of unresolved system vulnerabilities

The IRS headquarters in Washington. (Photo: Andrew Harrer/Bloomberg)

The Treasury Inspector General for Tax Administration said the IRS has failed to address literally tens of thousands of security vulnerabilities in both its mainframe platform environment and its security application environment. While there had been some improvement from the beginning of this year, inspectors still found that the majority of vulnerabilities had yet to be fully addressed. 

Specifically, the Mainframe Platform Environment was found to have 80 unresolved vulnerabilities across 18 assets, of which 67 (84% of them) were "overdue," or "not mitigated within required time frames." Of these vulnerabilities, 15 were considered critical risk and 30 were considered high risk. Inspectors followed up in July and found that there were now 75 unresolved vulnerabilities across 17 assets, of which 59 (79% of them) were overdue. During this follow-up, four were considered critical risk and 27 were considered high risk.

TIGTA said that Enterprise Operations personnel are aware of these overdue vulnerabilities and are working to mitigate the risk through a Plan of Action and Milestones, but noted that all of this seemed to be in response to inspectors' findings, as the activity had only begun shortly after TIGTA started planning for this audit in October 2023.

Inspectors found even grimmer results when looking at the Security Application Environment. They identified a total of 56,537 unresolved vulnerabilities across 580 assets, of which 59% were overdue. Of these vulnerabilities, 6% were considered critical risk and 41% were considered high risk. When TIGTA followed up in July, it found there were 43,290 overdue vulnerabilities affecting 570 assets. Of them, 4% were considered critical risk and 55% were considered high risk.

While one might think all these vulnerabilities are the result of lax cybersecurity, IRS professionals, in response to the TIGTA findings, said it is actually the opposite. The agency had recently transitioned to a new and improved scanning tool, which led to the discovery of far more vulnerabilities than before. While Enterprise Operations and Cybersecurity personnel agree that vulnerabilities persist, they likely would not have found them at all had they not moved to the better scanning tool.

Further, TIGTA found that Internet Protocol addresses were not always assigned to the correct environments. Specifically, the IRS did not properly assign 123 Internet Protocol addresses to the Mainframe Platform Environment and 62 Internet Protocol addresses to the Security Application Environment. In addition, 99 Internet Protocol addresses of Security Application Environment assets were outside of the assigned range. Lastly, a total of 743 assets used noncompliant configurations across both environments. IRS management was less concerned about this, saying that the IP address range assigned by User and Network Services is not a significant factor in the creation and management of information technology assets.

Management further noted that the IRS inventory system has limitations in identifying assets. As a result, when an asset cannot be reconciled because of this limitation, it is placed into the temporary or unknown repositories, sometimes leading to duplicate assets. The IRS is in the process of migrating to a new system that will have more robust capabilities and resolve the issue of items being incorrectly assigned to temporary and unknown repositories.

TIGTA said that, until the new system is functional, the presence of assets in more than one GSS or Major Application calls into question the overall accountability for asset assignment.

TIGTA recommended that the Chief Information Officer:

1) timely remediate or mitigate all vulnerabilities in accordance with IRS policies; 

2) ensure that assets are assigned to an established group;

3) ensure that systems are in place to reconcile duplicate accounting of assets; 

4) reconcile assets to reflect the operating environment; 

5) evaluate temporary repositories to establish ownership of assets; and 

6) resolve configuration compliance settings in accordance with Federal and IRS policies. 

The IRS agreed with five recommendations and plans to review vulnerability remediation processes, implement zero trust best practices to remove physical assets not properly documented, collaborate with authorizing officials to reconcile assets, and ensure that configuration settings meet Federal and IRS policies. The IRS disagreed with reconciling Internet Protocol addresses to assets to reflect the operating environment. TIGTA responded to the disagreement.
