The Internal Revenue Service needs to provide better security when transmitting taxpayers’ personal information to outside government agencies, banks and contractors, according to a new report.
The report, from the Treasury Inspector General for Tax Administration, noted that the IRS shares information with various government entities, including federal, state, and local agencies, in addition to financial institutions and contractors for tax administration purposes. The data can include some sensitive information, such as personally identifiable information along with taxpayer information.
IRS and federal guidelines require the sensitive data to be properly protected while it’s being transmitted to safeguard against unauthorized access or disclosure. The IRS has three ways to transfer data to outside partner organizations. They include commercial off-the-shelf products for Internet transfers, commercial software for direct mainframe-to-mainframe data transfers, and drop boxes that enable the IRS and its outside partners to send and receive data transfers.
TIGTA found, however, that the IRS did not make sure it was enforcing the encryption requirements for the three transfer methods, nor did it prevent insecure communication protocols from being used during the data transmissions. These protocols include File Transfer Protocol and Telnet, which have been found to be insecure.
The IRS also didn’t fix high-risk vulnerabilities or install security patches on its file transfer servers in a timely way. For instance, TIGTA found 61 servers that had high-risk vulnerabilities, 10 servers with outdated versions of Windows and UNIX operating systems still in operation, and 32 servers that were missing 18 different security patches, four of which were deemed to be critical.
On top of that, the IRS didn’t make sure the plans it drew up for correcting the various security control weaknesses actually met the agency’s own standards, reducing the likelihood they would be fixed in a timely way.
TIGTA recommended the IRS’s chief information officer enforce the agency’s policy of encrypting all data transmissions from end-to-end using federally compliant encryption. If the IRS’s outside partners can’t use such encryption, the agency should ensure that risk-based decisions have been properly approved and data transmissions have been properly authorized, the report suggested. The IRS should also ensure the file transfer components are properly configured, the security patches are timely, and outdated operating systems are replaced, according to TIGTA. The report also recommended the IRS centralize and consolidate its external transfer environment as much as possible, using a managed file transfer solution that supports federally compliant encryption end-to-end for better security and efficiency. In addition, the IRS should make sure its remediation plans are effective for correcting weaknesses in a timely way, according to the report.
The IRS agreed with TIGTA’s recommendation that it ensure its data transmissions are properly authorized and the agency’s remediation plans for correcting weaknesses are effective. The agency partially agreed with the suggestion for end-to-end encryption enforcement, proper configurations, patching, and operating systems, pointing out that it already has those kinds of processes in place.
“The IRS is fully committed to ensuring that sensitive data is protected during transmission and to preventing unauthorized access or disclosure,” said IRS chief information officer S. Gina Garza in response to the report.
The IRS disagreed, however, with TIGTA’s recommendation that it could further consolidate its external file transfer environment but said it would reconsider the recommendation as its partner agreements are revalidated. For its part, TIGTA maintained it believes the IRS should proactively work with its outside partners to upgrade to end-to-end encryption systems rather than waiting for the agreements because the data transmitted is highly sensitive.