After 3 years, key IRS systems are still not properly encrypted


The federal tax collection agency has spent years researching the best way to encrypt data stored on its networks, but has yet to deploy a working solution, according to the Treasury Inspector General for Tax Administration (TIGTA).

The IRS launched the Data at Rest Encryption, or DARE, program in 2018 to assess ways to lock down data at rest (that is, data that is not being transmitted or actively used by an application or process) in order to protect it from threats, whether malicious or accidental. The program targeted multiple IRS systems, which collectively “collected nearly $3.5 trillion in gross taxes and process[ed] more than 240 million tax returns and supplemental documents” in fiscal year 2020, according to an audit published on Monday.

But the program failed to produce a single solution that can be deployed across the IRS enterprise, according to the IG.

Although the agency has tested various encryption and key management solutions, “it has not deployed this technology,” largely due to program management issues, auditors found.

“TIGTA has identified specific program issues that have affected the IRS’s ability to meet its objectives, delaying the encryption of sensitive data,” the report says, “including data contained on systems classified as high-value assets,” for which agencies are supposed to provide additional layers of protection.

Finding a single solution that can work across the IRS’s vast technology stack is a tall order, auditors admit. The tax collection agency regularly rolls out new software and applications, both internally and for taxpayers, but it also maintains some of the government’s oldest systems still in operation.

But these systems, the total number of which was redacted from the IG report, contain extremely sensitive data, including personally identifiable information about every taxpayer in the United States.

Not only is enterprise-wide encryption of data at rest necessary, it is doable, according to the agency.

“An internal IRS study in March 2018 determined that a data-at-rest encryption strategy is achievable and can be effective even for a large agency with critical data and varied infrastructure like the IRS,” the report states. It also noted that “while there is no one-size-fits-all solution to protect data at rest from an enterprise perspective, a centralized approach to developing and adopting data-at-rest encryption capabilities is recommended.”

Initially, the agency planned to roll out the first implementation of the DARE program by June 2020, with the goal of expanding the program by September of the same year and reaching full operational capability across the IRS by September 2021.

The report says IRS program officials were on track to begin deploying a solution, or were in the planning phase of moving to deployment, in the summer of 2020 when an additional mandate to secure high-value assets was added to the DARE program’s tasks.

Program officials told Treasury Department leadership the plan was to have these assets under the encryption scheme by 2026 and ultimately negotiated a timeline that falls somewhere in between, though the exact dates are redacted from the report.

But the program suffered from a lack of strong program management principles, according to TIGTA, specifically the Enterprise Lifecycle Framework, or ELC.

The initial program management team started down the ELC path, even choosing the specific path intended for commercial off-the-shelf deployments. But the team combined several work phases and pushed the milestone exits (staged reviews used to assess the project’s progress) to the end of the first four phases.

In addition to causing delays, “it also defeats the objective of the ELC approach of dividing the project into phases with natural stopping points, at which project progress can be periodically reviewed and the necessary changes can be made,” the auditors said.

The management team also failed to update program documents over time and began work before completing the Integrated Master Schedule, or IMS, which is supposed to serve as the baseline against which to measure success.

“Successful programs have some common elements, including the need for management support as well as the existence of clear business goals, methodologies and project management expertise,” the report says. “Effective program governance is essential to the success of a program.”

The IG cited three specific programmatic issues:

  • Failing to follow Enterprise Lifecycle program management methodologies.
  • Delays in developing an integrated master schedule.
  • Not prioritizing work related to prior encryption audit recommendations.

“These issues have affected HVA encryption plans as well as the progress of work related to the deployment of DARE’s full operating capability,” the IG wrote.

The report makes three recommendations to the IRS’s chief information officer to address these issues. The agency agreed with all three.

The report also cites another encryption issue, involving third-party collection agencies working with the IRS, that had been “closed prematurely.”

A previous TIGTA audit found that private collection agencies encrypted data as required. However, the recent audit found that “the IRS does not encrypt data destined for private collection agencies on its own production systems.”

The IG made a fourth recommendation regarding this issue, with which the IRS CIO agreed.
