The IRS needs to improve oversight of its IT architecture, according to a new watchdog report that found the agency’s servers housing criminal investigation information lack sufficient physical and digital security.
The Treasury Inspector General for Tax Administration reviewed the agency’s criminal investigation data centers beginning in May 2017 as part of an ongoing review of its Active Directory Technical Advisory Board — the governing body tasked with overseeing the IRS’s IT architecture.
Since the IRS uses Microsoft Windows’ Active Directory (AD) domain service to manage several IT tasks like “authentication, authorization and directory technologies to create enterprise security boundaries,” any office seeking to make IT architecture changes is required to seek the ADTAB’s approval before applying them.
But TIGTA investigators found that ADTAB members were unaware of how many active AD implementations, or forests, exist within the IRS and could supply no agencywide documentation of them.
One of those active forests was the criminal investigations domain. TIGTA said that criminal investigation staff updated the forest software from Microsoft Windows Server 2008 to the 2012 version in April 2017 but could find no evidence that ADTAB was notified of the change. Another domain forest was upgraded twice over the course of three years with no input from ADTAB.
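The two findings above, an undocumented count of forests and domain controller upgrades the board never heard about, both come down to the absence of a maintained inventory. The PowerShell below is an added example, not code from the TIGTA report or the IRS, of how such an inventory can be produced and checked against an approved baseline. It assumes the RSAT ActiveDirectory module is installed, that the account running it can query each forest listed, and that the forest names and file paths (all constructed here) are replaced with real ones.

```powershell
# Added example (not from the TIGTA report or the IRS): build an agencywide
# inventory of Active Directory forests, domains and domain controllers, then
# compare it with an approved baseline so that unreported upgrades surface.
# Requires the ActiveDirectory module (RSAT) and query rights in each forest.
Import-Module ActiveDirectory

# Constructed list of forest root DNS names the inventory must cover (assumption).
$ForestRoots = @('corp.example.test', 'ci.example.test')

$inventory = foreach ($root in $ForestRoots) {
    try {
        $forest = Get-ADForest -Identity $root -ErrorAction Stop
    } catch {
        # An unreachable forest is itself a governance finding, so report it.
        Write-Warning "Cannot query forest $root : $($_.Exception.Message)"
        continue
    }
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName -Server $domainName
        # Every domain controller with the OS it runs; an OS change here is exactly
        # the kind of upgrade (e.g. Server 2008 to 2012) a board expects to be told about.
        $dcs = Get-ADDomainController -Filter * -Server $domainName
        foreach ($dc in $dcs) {
            [pscustomobject]@{
                Forest           = $forest.Name
                ForestMode       = $forest.ForestMode
                Domain           = $domain.DNSRoot
                DomainMode       = $domain.DomainMode
                DomainController = $dc.HostName
                OperatingSystem  = $dc.OperatingSystem
                OSVersion        = $dc.OperatingSystemVersion
                Site             = $dc.Site
                GlobalCatalog    = $dc.IsGlobalCatalog
                Collected        = (Get-Date).ToString('s')
            }
        }
    }
}

# Compare with the last approved snapshot (constructed path) so that new forests,
# new domain controllers or changed functional levels / OS versions are flagged.
$baselinePath = 'C:\ADGovernance\ad-inventory-baseline.csv'
if (Test-Path $baselinePath) {
    $baseline = Import-Csv $baselinePath
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $inventory `
        -Property Forest, ForestMode, Domain, DomainMode, DomainController, OperatingSystem
    if ($diff) {
        Write-Warning 'Inventory differs from the approved baseline; changes need board review:'
        $diff | Format-Table -AutoSize
    }
}

# Persist the current state for the next run and print a summary for the record.
$inventory | Export-Csv -NoTypeInformation -Path 'C:\ADGovernance\ad-inventory-current.csv'
$inventory | Format-Table Forest, Domain, DomainController, OperatingSystem, DomainMode -AutoSize
```

The script only sees forests it is told about and can authenticate to, so the `$ForestRoots` list is the governance artifact that matters: any forest missing from it is, by definition, undocumented. Running the comparison on a schedule turns the board's approval requirement into something that can be verified rather than assumed.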
The report blasted ADTAB’s lack of oversight, saying that it runs the risk of IRS systems not being compliant with federal and agency IT policies.
“Based on the results of our review, the ADTAB did not meet the basic requirements of its charter. The ADTAB does not provide adequate governance or oversight of the IRS AD architecture,” the report said. “As a result, the IRS cannot ensure that sensitive taxpayer information and taxpayer dollars are preserved and protected. When IRS operations run securely and efficiently, it helps maintain taxpayer confidence, which is critical for the IRS to perform its mission.”
TIGTA officials also found the physical security controls around criminal investigation servers in eight IRS field offices lacking in multiple areas, including properly designating the server rooms as “Limited Areas” or assigning Personal Identity Verification cards with an “R” indicator required for personnel with server room access.
At six of the criminal investigation server sites, no approved access lists existed. At one of the sites that did have an approved list, TIGTA investigators said it was outdated. The server rooms also didn’t have the required two-factor authentication controls implemented in any of the eight field offices.
Finally, investigators found that the domain controller servers used to test the security authentications within the criminal investigation domain had failed in two separate tests run by TIGTA officials. IRS officials were aware of the failing authentication grades, but the report said that cybersecurity staff offered no guidance on how to remediate them.
TIGTA offered 10 recommendations addressing ADTAB’s role as well as the security surrounding the CI servers. IRS officials agreed with all of the recommendations and detailed their efforts to apply them.