Monday, October 20, 2014
TIGTA: IRS Is Not Complying With Homeland Security Laws on Information Security Management and Employee ID Cards
The Treasury Inspector General for Tax Administration today released:
Federal Information Security Management Act Report for Fiscal Year 2014 (2014-20-090):
The Federal Information Security Management Act of 2002 (FISMA) was enacted to strengthen the security of information and systems within Federal Government agencies. The IRS collects and maintains a significant amount of personal and financial information on each taxpayer. As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss.
As part of the FISMA legislation, the Offices of Inspectors General are required to perform an annual independent evaluation of each Federal agency’s information security programs and practices. This report presents the results of TIGTA’s FISMA evaluation of the IRS for Fiscal Year 2014.
Based on this year’s FISMA evaluation, five of the 11 security program areas met the performance metrics specified by the Department of Homeland Security’s Fiscal Year 2014 Inspector General Federal Information Security Management Act Reporting Metrics. ... Four security program areas were not fully effective due to one or more program attributes that were not met. ... Two security program areas did not meet the level of performance specified due to the majority of the attributes not being met.
Progress Has Been Made; However, Significant Work Remains to Achieve Full Implementation of Homeland Security Presidential Directive 12 (2014-20-069):
Issued in August 2004, the Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, requires Federal agencies to issue identity credentials that meet the HSPD-12 standard and use them for gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems. Without full implementation of HSPD-12 compliant authentication, IRS facilities, networks, and information systems are at an increased risk of unauthorized access.
This audit was initiated to determine the IRS’s progress in implementing HSPD-12 requirements for accessing IRS facilities and information systems. The U.S. Department of the Treasury has set a goal for its bureaus to achieve 100-percent HSPD-12 compliance by Fiscal Year 2015. In Fiscal Year 2012, the Administration identified HSPD-12 as a Cross-Agency Priority initiative needed to improve the security of Federal data.
The majority of the IRS workforce (85%) has been issued HSPD-12 compliant Personal Identity Verification (PIV) cards. However, full implementation of PIV card electronic authentication for accessing IRS facilities is not scheduled until at least Fiscal Year 2018, and only if funding is available. In addition, significant challenges remain in the area of implementing PIV card electronic authentication for accessing IRS networks and information systems. These challenges include many legacy systems and technologies in use at the IRS that are incompatible with PIV cards, and limited HSPD-12 staffing and funding for resolving these conflicts.
Paul, thanks for sharing this very informative article. It's interesting to note that only five of the 11 security program areas met the performance metrics. That's not even half. Interesting.
Posted by: R. Darren Sanford, CPA, CGMA | Oct 21, 2014 9:21:19 AM