On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security issued Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. This directive requires federal agencies to remediate known exploited vulnerabilities (KEV) as their “top priority.” Further, agencies must isolate or remove compromised assets from their network if they fail to “timely remediate a KEV.” The Treasury Inspector General for Tax Administration (TIGTA) reviewed IRS compliance.
CISA maintains an expanding list of KEVs in its KEV Catalog. There are currently 989 types of KEVs, and assets may have more than one KEV. Each is described in detail with a deadline for remediation, often three weeks. As of December 15, 2022, 91,559 assets were identified as having at least one KEV. TIGTA analyzed assets for four months, from September through December 2022, and a total of 820,343 KEVs were detected, with 1.54% of these not being timely remediated. KEV detection and remediation activity varied wildly from month to month. November 2022 saw 530,945 KEVs, whereas the prior month saw 5,065. Oddly, November 2022 had the best timely remediation rate, above 99%, while over 57% of the October 2022 KEVs were not timely remediated. TIGTA discovered 12,634 KEVs during the tested period that needed to be isolated or removed from the IRS network because they were not timely remediated. TIGTA did not disclose the extent of IRS compliance in this regard. However, the Treasury Department ordered 1,001 affected assets to be removed.
The IRS responded and refused to remove 27 flagged assets, claiming that isolation or removal would interfere with speedy mitigation. TIGTA concluded that IRS KEV “repository data are not reliable.” It discovered 14 KEVs that the IRS failed to track, and “there is no data representing accurate remediation due dates of each KEV, time allowed for remediation, or number of days remediation is overdue.” Part of this inadequacy is due to the frequency of “attack signature changes.” IRS officials met with the Treasury Department’s Chief Information Officer in November 2022 to offer a solution and inquired into the proposal’s status in December 2022. “[A]s of April 2023, the Treasury Department has not responded.” Binding Operational Directive 22-01 required all agencies to update their standard operating procedures detailing how to comply with the directive by January 2, 2022, and the IRS still has not done so. Existing written procedures “were non-official and draft in nature, i.e., no letterhead, official title, version number, IRS function personnel who prepared it, date, table of contents, and executive approval.” Furthermore, the relevant update to the Internal Revenue Manual “only provides general information.” The Acting Chief Information Officer, Kaschit Pandya, promised to complete all corrective actions by December 2024.
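The three fields TIGTA found missing (remediation due date, time allowed, days overdue) can be derived directly from the CISA catalog's dateAdded and dueDate together with a scanner's detection and remediation dates. The following is an added illustration, not code from the TIGTA report or the IRS; the catalog entries use the field names of CISA's public KEV JSON feed, and every record, asset name and CVE id below is constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed catalog excerpt in the shape of CISA's KEV JSON feed (cveID, dateAdded, dueDate); placeholder CVE ids.
KEV_CATALOG = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2022-11-01", "dueDate": "2022-11-22"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2022-10-03", "dueDate": "2022-10-24"},
]

# Constructed scanner findings: (asset, cveID, date detected, date remediated or None).
FINDINGS = [
    ("srv-01", "CVE-0000-0001", "2022-11-02", "2022-11-15"),  # fixed on time
    ("srv-02", "CVE-0000-0001", "2022-11-02", None),          # still open
    ("wks-07", "CVE-0000-0002", "2022-10-04", "2022-11-10"),  # fixed late
    ("wks-09", "CVE-0000-9999", "2022-12-01", None),          # not in catalog
]

def kev_status(catalog, findings, as_of):
    """One record per finding with the due-date fields BOD 22-01 tracking needs:
    days allowed, days overdue, timeliness, and whether the asset must now be
    isolated or removed (still unremediated past its due date)."""
    by_cve = {e["cveID"]: e for e in catalog}
    today = date.fromisoformat(as_of)
    records = []
    for asset, cve, detected, fixed in findings:
        entry = by_cve.get(cve)
        if entry is None:  # KEV the repository does not track: the gap TIGTA reported
            records.append({"asset": asset, "cveID": cve, "tracked": False})
            continue
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        end = date.fromisoformat(fixed) if fixed else today
        records.append({
            "asset": asset, "cveID": cve, "tracked": True, "month": detected[:7],
            "days_allowed": (due - added).days,
            "days_overdue": max((end - due).days, 0),
            "timely": fixed is not None and end <= due,
            "isolate_or_remove": fixed is None and today > due,
        })
    return records

def monthly_timely_rate(records):
    """Percent of tracked findings per detection month remediated by the due date."""
    totals, timely = defaultdict(int), defaultdict(int)
    for r in records:
        if r["tracked"]:
            totals[r["month"]] += 1
            timely[r["month"]] += r["timely"]
    return {m: round(100 * timely[m] / totals[m], 2) for m in totals}
```

With the sample data and an as-of date of 2022-12-15, srv-02 is 23 days overdue and flagged for isolation, wks-07 was remediated 17 days late but needs no isolation, and wks-09 surfaces as an untracked KEV.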