The Trusted Professional

Some IRS Cloud Computing Services Not Fully Secure: TIGTA


The IRS has put taxpayer data at risk by not implementing security control infrastructure for its cloud service, the Treasury Inspector General for Tax Administration (TIGTA) has found.

In a report issued Sept. 27, TIGTA noted that “the IRS had fully implemented 56 cloud services, 12 of which contained taxpayer data. The IRS deployed these cloud services without fully implemented security controls for protecting the data.”

“Encryption is a key control for protecting the taxpayer data on IRS cloud services,” the report stated in a partially redacted section, but the agency “continues cloud deployments despite not having a fully implemented security control infrastructure in place.”

In its review, TIGTA found:

- No integration of authorized cloud-based applications with Active Directory Federation Services;
- No implementation of short-term identity architecture and design;
- No fully implemented incident management processes;
- No fully defined and implemented plan to integrate native cloud services with on-premise tools for network monitoring;
- No defined and implemented clear key escrow and recovery processes to mitigate data loss risks;
- No defined roles and responsibilities for management of encryption key life cycle;
- No roadmaps for implementation of core cloud security solutions; and
- No training or hiring plans to fill cybersecurity function cloud workforce gaps.

“The potential harm includes breach and unauthorized access to and disclosure of taxpayer data,” the report stated. “To illustrate the risk, one recent study concluded that cloud breaches in Calendar Years 2018 and 2019 exposed nearly 33.4 billion records and cost companies nearly $5 trillion.”

TIGTA recommended that the Chief Information Officer should “expedite full implementation of the cloud security control infrastructure…and develop an implementation plan for selected cloud capability gaps relating to identity and access management, data and infrastructure protection, continuous security monitoring, and program management.”

The IRS partially agreed with the first recommendation, saying that it has “a robust and comprehensive security control infrastructure documented within Internal Revenue Manuals for cloud implementations,” referring to its updated Cloud Strategy and Cloud Security Internal Revenue Manual, “and will continue to ensure compliance with the documented cloud security control infrastructure.” The agency agreed with the second recommendation, saying that it plans to develop an implementation plan for selected cloud capability gaps.