Skip to main content

Auditing

IRS to Miss Goal for Homeland Security Directive on Security

The Internal Revenue Service (IRS) will not meet the Department of the Treasury’s 2015 goal for full compliance with a directive requiring Federal agencies to issue identification cards that allow workers to gain access to Federally controlled facilities

U.S._Department_of_Homeland_Security__Plaque_or_Seal_M3_1_1_.544686c4587f3

The Internal Revenue Service (IRS) will not meet the Department of the Treasury’s 2015 goal for full compliance with a directive requiring Federal agencies to issue identification cards that allow workers to gain access to Federally controlled facilities and information systems.  IRS officials cite the lack of sufficient funding and staffing as the main obstacles to achieving full compliance.

That is the conclusion of a new report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).

This audit was initiated to determine the IRS’s progress in implementing Homeland Security Presidential Directive 12 (HSPD-12) requirements for accessing IRS facilities and information systems.  The Treasury Department has set a goal for its bureaus to achieve 100-percent HSPD-12 compliance by Fiscal Year 2015.

HSPD-12 requires agencies to issue personal identity verification (PIV) cards that meet a governmentwide standard for secure and reliable forms of identification.

“Without full implementation of HSPD-12-compliant authentication, IRS facilities, networks, and information systems are at an increased risk of unauthorized access,” said J. Russell George, Treasury Inspector General for Tax Administration.

The majority of the IRS workforce (85 percent) has been issued HSPD-12-compliant PIV cards.  However, full implementation of PIV card electronic authentication for accessing IRS facilities is not scheduled until at least Fiscal Year 2018, and only if funding is available, TIGTA found.

In addition, significant challenges remain in the area of implementing PIV card electronic authentication for accessing IRS networks and information systems, the report found.  These challenges include many legacy systems and technologies in use at the IRS that are incompatible with PIV cards, and limited HSPD-12 staffing and funding for resolving these conflicts.

TIGTA recommended that the Chief Technology Officer and Chief, Agency-Wide Shared Services, ensure that all IRS facilities are equipped with HSPD-12-compliant physical access control systems.   Also, TIGTA recommended that the Chief Technology Officer: ensure that specific requirements, staffing, and scheduling are identified and adequate funding requested to ensure full implementation of mandatory PIV card access to the IRS network and information systems; issue an IRS-wide memorandum to reiterate the requirement for full PIV card adoption; and ensure that HSPD-12-compliant requirements are integrated in the IRS’s lifecycle management process to ensure that new and existing systems implement this requirement.

The IRS agreed with all of TIGTA’s recommendations and has planned appropriate corrective actions to address them.