The Trusted Professional

IRS Reduced Scanning and Patching Cloud Systems: TIGTA


An executive decision by the Internal Revenue Service (IRS) to reduce vulnerability scanning of its databases violated its own policy and potentially put sensitive taxpayer data and personally identifiable information at risk, according to a report by the Treasury Inspector General for Tax Administration (TIGTA).

The decision, which complied with neither the IRS’s own formal written policy nor federal guidance, took effect in Fiscal Year 2018; from then until TIGTA began its audit in Fiscal Year 2021, the agency performed only partial scanning. During that period, “the IRS is only performing privileged vulnerability scans on (some systems) and inconsistently received or was unable to review vulnerability details from cloud service providers on the others” of the 27 cloud systems covered by the Federal Information Security Modernization Act.

TIGTA noted that the IRS’s decision – a “new strategy to not perform privileged database vulnerability scanning on all the system databases, including the mainframe applications that are considered high-value asset systems” – contravened the tax agency’s “written policy…(concerning) compliance with National Institute of Standards and Technology guidance and a Department of the Treasury Directive.”

In addition, the IRS was faulted for patching security vulnerabilities in some, but not all, databases when they were discovered.

The report also noted that, during the course of the audit in April 2021, the IRS began increasing database vulnerability scanning to some, but not all, systems. The number of affected systems was redacted.

TIGTA recommended that the IRS:

  • Update the Internal Revenue Manual to reflect the proper security requirements;
  • Have its information system security officers develop a formal process for recommending approval or disapproval of policy deviations;
  • Perform privileged vulnerability scans on cloud systems when possible;
  • Provide oversight to cloud service providers and obtain detailed scan results;
  • Create plans of action and milestones for unresolved issues from database vulnerability scans; and,
  • Patch or upgrade databases to the latest version, or at least a version within the acceptable risk tolerance.

A final recommendation was redacted.

The IRS agreed with the recommendations.