TaxProf Blog

Editor: Paul L. Caron
Pepperdine University School of Law

A Member of the Law Professor Blogs Network

Wednesday, April 9, 2014

IRS Computers Are Still Running Windows XP, Confidential Taxpayer Data Is At Risk

Washington Post:  A Week Before Tax Day, IRS Misses Crucial Windows XP Deadline:

Microsoft on Tuesday stopped providing free support and security updates for Windows XP. The long-planned expiration of the popular operating system has sent millions of users scrambling to upgrade their computer systems.

Among those that still need to make the transition is the Internal Revenue Service, which has yet to complete its migration away from Windows XP, less than a week ahead of its own important deadline: Tax Day.

The agency is "struggling" to find $30 million dollars to complete its move to Windows 7, according to Rep. Ander Crenshaw (R. - Fla.), chairman of the financial services and general government subcommittee. During a hearing on IRS budget Monday, Crenshaw questioned why the agency had not prioritized the move "even though Microsoft announced in 2008 that it would stop supporting Windows XP past 2014."

IRS Commissioner John Koskinen defended the agency's efforts, noting that it has been operating amid budget uncertainty for years. The migration to Windows 7 was just one of nearly $300 million dollars worth of information technology projects that has not been completed due to funding shortfalls, he said.

"You're exactly right," Koskinen said of the timing. "It's been some time where people knew Windows XP was going to disappear." But testifying just a day before Microsoft ended support for the operating system, he conceded the agency was still trying to finish up the transition. "So we are very concerned that if we don't complete that work, we're going to have an unstable environment in terms -- in terms of security."

The GAO yesterday released IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk (GAO-14-405):

The IRS continued to make progress in addressing information security control weaknesses and improving its internal control over financial reporting; however, weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data. During fiscal year 2013, IRS management devoted attention and resources to addressing information security controls, and resolved a number of the information security control deficiencies that were previously reported by GAO. However, significant risks remained. Specifically, the agency had not always (1) installed appropriate patches on all databases and servers to protect against known vulnerabilities, (2) sufficiently monitored database and mainframe controls, or (3) appropriately restricted access to its mainframe environment. In addition, IRS had allowed individuals to make changes to mainframe data processing without requiring them to follow established change control procedures to ensure changes were authorized, and did not configure all applications to use strong encryption for authentication, increasing the potential for unauthorized access.

An underlying reason for these weaknesses is that IRS has not effectively implemented portions of its information security program. The agency has established a comprehensive framework for the program, and continued to improve its controls; however, components of the program did not always function as intended. For example, IRS's testing procedures over financial reporting systems were not always thorough in that its testing methodology did not always determine whether required controls were operating effectively. In addition, IRS had not updated key mainframe policies and procedures to address issues such as users accessing files used by one processing environment from a different environment. Further, IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate.

Until IRS takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure. These deficiencies, including shortcomings in the information security program, were the basis of our determination that IRS had a significant deficiency in its internal control over its financial reporting systems for fiscal year 2013.
