Two key systems that the Internal Revenue Service is deploying contain serious security vulnerabilities that pose a direct risk to taxpayer data, according to a report by the Treasury Inspector General for Tax Administration.
The 29-page report (download PDF) is dated Sept. 24 but was just publicly released on Thursday. It identifies weaknesses in several areas — including access control, monitoring of system access and disaster recovery — in a new Customer Account Data Engine (CADE) system that the IRS is rolling out, plus a related Account Management Services (AMS) system.
The CADE system, which has been under development since 1999, will eventually manage all taxpayer accounts and replace the agency's existing Master File tax processing systems. CADE is expected to cost more than $1 billion to develop, operate and maintain through the federal government's 2012 fiscal year, according to the inspector general's report. The IG noted that from January to April this year, the new system handled 28.1 million tax returns, or about 20% of the overall total.
Work started in 2006 on the $700 million AMS system, which is designed to provide faster access to the taxpayer information stored in CADE's databases. The first phase of the AMS technology became operational last October 2007, when it was used to make address changes in the CADE system.
According to the IG's report, systems administrators and other privileged users are able to access, modify and delete taxpayer data with impunity because of a lack of monitoring capabilities in the two systems. In addition, contractors working for the IRS can make configuration changes without prior notice or approval, the report said. Similarly, there are no processes in place for verifying whether data that's archived on backup tapes is being stored properly and can easily be recovered if needed, according to the report.
In addition, a vulnerability scan of the mainframe environment that hosts the CADE system uncovered at least one critical vulnerability that posed a risk to taxpayer data, plus several configuration errors, the report said. It added that sensitive personal information about taxpayers was being transmitted without being encrypted or otherwise disguised within IRS computing centers, and also wasn't encrypted when it was stored. And, the report said, the IRS used live taxpayer data in at least 18 test environments for application development purposes.
Chris Wysopal, chief technology officer at security vendor Veracode Inc., said his review of the report indicates that the security controls put on the two systems by the IRS wouldn't even comply with the Payment Card Industry Data Security Standard. The PCI requirements are mandated by the major credit card companies for all businesses that accept payment card transactions. The IRS stores much more sensitive data than even retailers do, Wysopal said via e-mail.
He added that the agency's apparent failure to do any application scans is especially noteworthy, because they can help find bugs that may have been overlooked in the design and development stage.
The report said that the IRS has accepted all four of the recommendations made by the IG in the wake of the audit. For instance, the agency's Business Modernization Office and Customer Service Executive Steering Committee will review all of the security issues and ensure that they have been addressed before each new phase of the projects are approved. The IRS also agreed to have its associate CIO for cybersecurity list all of the needed controls that have yet to be implemented and make sure they're corrected within agreed-upon time frames.
This is just the latest example of the IRS being criticized for IT security shortcomings. Just last week, a separate report by the IG detailed weaknesses in several other IRS systems.