The IRS awarded a more than $7 million bridge contract to Equifax for continuation of e-authentication service weeks after the credit bureau suffered a breach that compromised the information of more than 145 million Americans. But it wasn’t totally by choice.
The tax agency awarded a sole-source contract for “third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service” on Sept. 30 for $7.25 million.
Equifax first notified the public of its breach Sept. 8. U.S. residents had their names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers exposed, leaving them easy targets of identity theft.
To make matters worse, the contract was signed without the approval of CIO Gina Garza, violating the Federal IT Acquisition Reform Act requirement that agency CIOs have final authority over all IT related procurements.
But despite the appearance that IRS issued a no-bid contract to the beleaguered credit bureau just weeks after one of the most damaging data breaches in recent memory, agency officials explained Wednesday that their hand was forced by a procurement protest.
Initially, IRS had awarded the contract — which Equifax also held prior to this latest award — to a new vendor. However, Equifax protested that procurement in July. The protest has prevented the final processing of the award until the Government Accountability Office resolves the issue, Jeffery Tribiano, IRS deputy commissioner for operations support, explained during a House Ways and Means Committee hearing.
“So when we came down to Sept. 29 when the Equifax contract expired, we had to either stop the service, which means millions of taxpayers would not be able to get their transcripts, including those that are in need of it, like in the hurricane disaster areas they use those tools to get their transcripts, or do a bridge contract with Equifax until GAO decides on the protest and we move forward,” Tribiano said. Thus, the sole-source nature of the stopgap award.
“This is considered a critical service that cannot lapse,” the award notice highlights.
Lawmakers scoffed at the notion of a government agency giving its business to a credit bureau with the recently proven inability to protect consumers’ information. One representative penned a letter to the IRS in which he explains he initially thought the news was part of a satirical Onion article.
Garza assured them, however, that the breach has in no way compromised or impacted the systems or data of her agency.
“We not only contacted Equifax, but we sent a team over. We did an analysis of their data breach, we identified all of the elements that had been compromised, and then working with [Treasury Inspector General for Tax Administration investigators], we went through all of that information,” Garza tetified. “And then we went through on an application-by-application basis to determine if that compromise would put our systems at risk.”
She said the IRS uses a “multi-layered defense mechanism” approach to cybersecurity of its applications, and by doing so, “we determined that we had other mitigating controls in place that would protect the taxpayer information.” Additionally, the IRS deemed a subset of about 209,000 Social Security numbers at higher risk of all those impacted, and it will take extended measures to protect those people’s identities, Garza said.
The talk about the Equifax contract and breach dominated the short hearing, which was meant to focus on systems modernization at the IRS. Witnesses briefly discussed the need for modernization of the tax agency’s systems — particularly the Individual Master File, which is the core component of IRS’s ability to process tax returns and is based in code that was created in 1962. But Garza’s timeline and plan to achieve that modernization disgruntled lawmakers.
Garza thinks the IRS can replace the IMF’s core system in about five years, with about 50 to 60 full-time employees or contractors working on it, with direct hire authorities to “hire the right skills” and about $85 million each year.
The fear is that, until that modernization occurs, the IMF is at risk of failing during tax return season, which could totally devastate IRS’s operations, said David Powner, director of IT management issues with the GAO.
“Relying on these antiquated systems for out nation’s primary source of revenue is highly risky, meaning that the chance of having a failure during the filing season is continually increasing,” Powner said.