Menu
Tax Notes logo
HOMETax Notes ResearchFederalLegislative Documentscongressional tax correspondence

Grassley Questions Koskinen on IRS Computer Security

APR. 21, 2015

Grassley Questions Koskinen on IRS Computer Security

DATED APR. 21, 2015
DOCUMENT ATTRIBUTES
  • Authors
    Grassley, Sen. Chuck
  • Institutional Authors
    Senate
  • Subject Area/Tax Topics
  • Jurisdictions
  • Language
    English
  • Tax Analysts Document Number
    Doc 2015-9564
  • Tax Analysts Electronic Citation
    2015 TNT 77-20

 

Tuesday, April 21, 2015

 

 

WASHINGTON -- Sen. Chuck Grassley today asked the IRS commissioner to account for weaknesses in computer systems that create opportunities for taxpayer or employee data to be lost, corrupted or stolen.

"Protecting taxpayers' information and ensuring efficient and appropriate administration of the tax system are of paramount concern," Grassley wrote to Commissioner John Koskinen. "This is especially so in today's world with identify thefts on the rise."

Grassley cited numerous audits from the Government Accountability Office that cite computer security weaknesses at the IRS and the Treasury Inspector General for Tax Administration's (TIGTA) finding of "Security for Taxpayer Data and IRS Employees" as the number one management and performance challenge for the IRS in Fiscal Year 2015.

Grassley asked for an accounting of how the IRS plans to address problems with server or database patches, passwords, and audit and monitoring capabilities.

Grassley is a senior member and former chairman of the Finance Committee, which has jurisdiction over the IRS.

The text of Grassley's letter is available here.

 

* * * * *

 

 

April 21, 2015

 

 

The Honorable John Koskinen

 

Commissioner of Internal Revenue

 

1111 Constitution Ave NW

 

Washington, DC 20224

 

 

Dear Mr. Koskinen:

When the Internal Revenue Service (IRS) fails to adequately manage its computer systems, it creates opportunities for data to be lost, corrupted or stolen. The Government Accountability Office (GAO) has conducted audits on the security of IRS computers systems for nearly twenty years. And the Treasury Inspector General for Tax Administration (TIGTA) identified "Security for Taxpayer Data and IRS Employees" as the number one management and performance challenge for the IRS in FY 2015.1

Even after regular reviews by the GAO, IRS computer security is still significantly deficient. In its March 2015 report GAO cited 69 weaknesses in IRS information security controls that it had previously identified to the IRS.2 All of these weaknesses were outstanding for at least one year and in some cases the weaknesses had been identified four years earlier. The IRS claimed to have addressed only 24 of those problems. The GAO found that, in fact, only 14 of those 24 had actually been resolved. The GAO found another 3 weaknesses actually were addressed and a fourth was no longer an issue. This leaves 51 weaknesses (over 70 percent of the total) still awaiting action.

Protecting taxpayer's information and ensuring efficient and appropriate administration of the tax system are of paramount concern. This is especially so in today's world with identify thefts on the rise.

Some of the existing problem areas include:

 

1. Patches -- Eleven of the 51 unaddressed weaknesses involved failure to apply patches to servers or databases in a timely manner. Some of these weaknesses have been known and not remedied for three years. These seem to be particularly dangerous shortcomings.

2. Passwords -- Five of the 51 unaddressed weaknesses involved password policy. As noted in GAO Report 15-336SU, this includes not assuring that passwords expire every 90 days on some systems and not requiring the appropriate minimum number of characters for passwords. Failure to remedy this issue can result in former employees maintaining access to taxpayer information.

3. Audit and monitoring -- Six of the 51 unaddressed weaknesses involved audit and monitoring capabilities. Without these capabilities the IRS is very limited in its ability to establish individual accountability, monitor compliance with security policies and investigate security violations.

 

For each of the 22 weaknesses discussed above, please provide the date by which you expect to have the problem resolved. For any weakness where the fix is expected to be implemented after May 21, 2015, please include an explanation of what is being done to solve the problem. Please provide your written response to these questions by May 21, 2015.

Thank you for your prompt attention to these requests and for your cooperation in working with me to improve computer security at the IRS to both better serve and protect the data of American taxpayers. Should you have any questions regarding these issues, please contact Paul Junge of Chairman Grassley's staff at (202) 224-0747.

Sincerely,

 

 

Charles E. Grassley

 

Chairman

 

Committee on the Judiciary

 

FOOTNOTES

 

 

1 October 15, 2014, Memorandum for Secretary Lew, from TIGTA IG J. Russell George, Management and Performance Challenges Facing the IRS for FY 2015.

2 GAO, Information Security: IRS Needs to Continue Improving Controls over Financial and Taxpayer Data, GAO-15-336SU (Washington, D.C.: March 2015).

 

END OF FOOTNOTES
DOCUMENT ATTRIBUTES
  • Authors
    Grassley, Sen. Chuck
  • Institutional Authors
    Senate
  • Subject Area/Tax Topics
  • Jurisdictions
  • Language
    English
  • Tax Analysts Document Number
    Doc 2015-9564
  • Tax Analysts Electronic Citation
    2015 TNT 77-20
Copy RID