When the IRS audits a tax return, the case file for the audit is stored in the Enterprise Case Management (ECM) system. The ECM system is used by the IRS “to modernize and consolidate legacy case management systems [there are at least 60], across the Internal Revenue Service (IRS), into an end-to-end enterprise solution in the cloud.” The U.S. Treasury Inspector General for Tax Administration (TIGTA) recently reviewed the security of the ECM system and issued a report containing its findings.
The report details that when the office of Security Risk Management notifies the responsible official of a security risk in a system with “a moderate security classification,” that official must write a report within 60 days identifying the system weakness. In compiling its report, TIGTA looked at one official and their response to such notifications. The ECM Authorizing Official was notified of nine “system security risks” on February 10, 2021. Three of the nine reports were created on time, four were 20 days late, and only two of the nine reports were complete. The initial resolution dates were projected to range from April 30, 2022, to May 2, 2022. Three risks remain unresolved, with varying completion schedules as late as October 31, 2023.
One of the issues TIGTA found on February 10, 2021, was the lack of malicious code protection for Linux. This has still not been resolved, and the Linux servers remain unprotected. In August 2022, TIGTA convinced the IRS that malicious code protection is necessary even for Linux servers. Nevertheless, “the planned corrective action does not fully address the recommendation. After the IRS completes the development and testing of an automated malicious code protection solution for Linux servers, it should implement the solution on all applicable Linux servers.” There are two Linux servers in the cloud and two “residing on IRS premises.” Instead of protecting all Linux servers, only “on-premises Linux servers” are planned to be protected, and then only beginning on February 15, 2024.
A July 2022 scan of the ECM system revealed 44 high-risk vulnerabilities and 50 medium-risk vulnerabilities. A “vulnerability” is defined as: “A weakness in an information system, system security procedure, internal control, or implementation that could be exploited or triggered by a threat source.” The required remediation time for high-risk vulnerabilities is 30 days. For medium-risk vulnerabilities, the allotted time is 90 days. Of the high-risk vulnerabilities, 24 were unresolved for 166 to 201 days, and two of the 50 medium-risk vulnerabilities were unresolved for 132 days.
As of July 8, 2022, there were 917 user accounts for the ECM system. Of these, 401 had not signed in for at least 90 days and therefore required deactivation. The IRS failed to disable 315 of the 401 user accounts. In October 2022, four “privileged user accounts” had not been used since November or December 2021. The IRS did not monitor privileged user accounts until the Inspector General intervened in October 2022.
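As an added illustration (not part of the TIGTA report or of any IRS tooling), the following Python applies the thresholds the report relies on, 90 days of inactivity before an account must be disabled and the 30- and 90-day remediation windows for high- and medium-risk vulnerabilities, to constructed sample data; the account and finding records are hypothetical.

```python
from datetime import date, timedelta

# Thresholds taken from the control requirements summarized above
INACTIVITY_DAYS = 90                            # idle accounts past this must be disabled
REMEDIATION_SLA = {"high": 30, "medium": 90}    # days allowed to fix a finding, by severity

def stale_accounts(accounts, as_of, max_idle=INACTIVITY_DAYS):
    """Return still-enabled accounts whose last sign-in is at least max_idle days old."""
    cutoff = as_of - timedelta(days=max_idle)
    return [a for a in accounts if a["enabled"] and a["last_login"] <= cutoff]

def overdue_findings(findings, as_of, sla=REMEDIATION_SLA):
    """Return (id, severity, days_past_sla) for open findings older than their SLA."""
    overdue = []
    for f in findings:
        if f["closed"]:
            continue
        age = (as_of - f["found"]).days
        allowed = sla[f["severity"]]
        if age > allowed:
            overdue.append((f["id"], f["severity"], age - allowed))
    return overdue

# Constructed sample data (hypothetical records, not figures from the report)
AS_OF = date(2022, 7, 8)
ACCOUNTS = [
    {"user": "u001", "enabled": True,  "privileged": False, "last_login": date(2022, 7, 1)},
    {"user": "u002", "enabled": True,  "privileged": False, "last_login": date(2022, 3, 1)},
    {"user": "u003", "enabled": False, "privileged": False, "last_login": date(2022, 1, 15)},
    {"user": "adm1", "enabled": True,  "privileged": True,  "last_login": date(2021, 12, 20)},
]
FINDINGS = [
    {"id": "V-1", "severity": "high",   "found": date(2022, 1, 18), "closed": False},
    {"id": "V-2", "severity": "high",   "found": date(2022, 6, 20), "closed": False},
    {"id": "V-3", "severity": "medium", "found": date(2022, 2, 26), "closed": False},
    {"id": "V-4", "severity": "medium", "found": date(2022, 1, 1),  "closed": True},
]

if __name__ == "__main__":
    for a in stale_accounts(ACCOUNTS, AS_OF):
        tag = "PRIVILEGED " if a["privileged"] else ""
        print(f"{tag}account {a['user']} idle since {a['last_login']}: must be disabled")
    for fid, sev, late in overdue_findings(FINDINGS, AS_OF):
        print(f"{fid} ({sev}) is {late} days past its remediation window")
```

Privileged accounts that show up as stale deserve separate attention, since the report notes they were not monitored at all until October 2022.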
The IRS Chief Information Officer, Nancy A. Sieger, does not seem to believe the deficiencies this report discovered are severe. Instead, she claimed, “there is no evidence in this report that indicates the ECM system failed to adequately protect data from unauthorized access.”