Security of Taxpayer Information: IRS Needs to Address Critical Safeguard Weaknesses
Fast Facts
Your tax returns are filled with sensitive personal and financial data—which you expect the IRS to protect. However, recent disclosures of sensitive taxpayer data have made headlines.
We, and the Treasury Inspector General for Tax Administration, have also raised concerns about IRS's ability to safeguard taxpayer information.
In this review, we found weaknesses in training, information systems, contractor oversight, information-sharing, and more. Of the related recommendations we've made since 2010, 77 haven't been implemented as of March 2023. We're also making 16 new recommendations, including one for Congress to consider.
Highlights
What GAO Found
The Internal Revenue Service (IRS) has implemented access controls and other safeguards to help mitigate risks to taxpayer information. However, continuing weaknesses pose a risk. Among its safeguards, in July 2022, IRS began requiring certain employees to seek senior executive approvals to gain access to taxpayer information. IRS employees also met the agency-wide 97 percent completion goal for training on protecting taxpayer information. However, IRS did not have a training goal for contractors, who had training completion rates well below employee completion rates—less than 75 percent. For example, 66 percent of the approximately 14,000 contractors assigned the Insider Threat Awareness training completed the course. As a result, IRS contractors are at increased risk of being unprepared to handle taxpayer information.
IRS Contractor and Employee Training Completion Rate, Fiscal Year 2021
In certain circumstances, IRS faces challenges ensuring taxpayer information it shares—as authorized by law—is properly protected. Federal tax law gives IRS the authority to inspect safeguards for agencies that receive taxpayer information from IRS in certain circumstances. However, in other cases where IRS shares taxpayer information pursuant to different statutory authority, it does not have direct authority to inspect agency safeguards. For these cases, Congress could provide IRS with direct authority to inspect agencies' safeguards, which would give IRS additional assurance that information will be protected sufficiently.
IRS policy requires the agency to maintain an inventory of its systems that store taxpayer information and to mitigate weaknesses in systems that lead to a higher risk of unauthorized disclosure of federal tax information or UNAX—the willful unauthorized access, attempted access, or inspection of federal tax information. However, as of December 2022, IRS omitted seven tax processing systems from its inventory. This limits its monitoring of UNAX prevention efforts.
GAO found that multiple IRS offices oversee contractors but IRS does not have overall oversight efforts related to IRS contractor UNAX. As a result, IRS has limited insight into contractor UNAX trends and assumes greater risk of missing opportunities to improve the agency's prevention efforts.
Weaknesses in IRS's information security controls present risks to taxpayer information. For example, IRS did not assess the risks of its method for transferring taxpayer information to contractors. Until IRS remediates these weaknesses, it will have limited assurance that taxpayer information is protected appropriately.
GAO and the Treasury Inspector General for Tax Administration (TIGTA) have previously reported on deficiencies in IRS's safeguards over taxpayer information. They have both made recommendations aimed at improving these safeguards. Since fiscal year 2010, GAO has made 451 recommendations to strengthen IRS safeguards for taxpayer information in areas such as governance for protecting taxpayer information; authentication and access to tax processing systems; and IRS monitoring of programs that process taxpayer information.
GAO's recommendations cover the five National Institute of Standards and Technology (NIST) cybersecurity core functions that provide a strategic view of life cycle management of cybersecurity risk. A majority of the recommendations cover the protect core function (74 percent)—actions related to developing and implementing appropriate safeguards. The remaining recommendations are in the other core functions— identify, detect, recover, and respond.
IRS had implemented 83 percent of GAO recommendations as of March 2023.
Status of GAO Recommendations Related to Protecting Taxpayer Information and NIST Cybersecurity Core Function, Fiscal Years 2010–March 2023
Since fiscal year 2019, TIGTA has made 246 recommendations to IRS related to protecting taxpayer information. As of April 2023, according to IRS, it has taken steps to address 202 of them—including implementing controls to manage IT supply chain risks—reducing the risk for disruptions to IRS's operations.
While IRS has taken substantial action to implement GAO recommendations, IRS did not always do so timely. For example, five recommendations have been open for more than 7 years. Additionally, IRS has yet to implement two recommendations GAO identified as high priority—updating a system modernization plan to more fully assess risk and developing a guidance structure to better protect taxpayer information while at third-party providers. Addressing the remaining GAO recommendations could help IRS better manage system security risks, implement safeguards to ensure protected service delivery, and identify cybersecurity events and incidents.
Why GAO Did This Study
The U.S. tax system is based largely on voluntary compliance. One factor that may influence taxpayers' willingness to voluntarily comply is the confidence that IRS is protecting their personal and financial information.
GAO was asked to review IRS's safeguards for taxpayer information. This report evaluates the extent to which IRS is following its tax safeguards for protecting taxpayer information.
To address this objective, GAO analyzed mandatory training and UNAX data for IRS employees and contractors, reviewed IRS and TIGTA documentation, and interviewed IRS and TIGTA officials at selected offices. In addition, GAO reviewed federal law authorizing other federal agencies to receive taxpayer information.
GAO also identified and tested selected management, operational, and technical controls on selected IRS systems that store or process taxpayer information, and observed controls in operation. GAO also has ongoing work assessing IRS's efforts to protect the confidentiality of taxpayer information, including its implementation of technical controls and breach response processes. GAO will publish this work in a subsequent report with limited distribution.
Further, GAO reviewed previously issued reports and recommendations, including those issued by TIGTA. GAO categorized them according to the five core security functions described in the NIST cybersecurity framework.
Recommendations
Since fiscal year 2010, GAO has made 451 recommendations to IRS aimed at safeguarding taxpayer information. While IRS has implemented many of these recommendations, 77 of them had not been implemented as of March 2023. These include two recommendations that GAO considers high priority. Fully implementing these recommendations could significantly improve IRS's ability to safeguard taxpayer information.
In addition to the remaining recommendations above, GAO is making one matter for congressional consideration. This matter would provide IRS with additional authority to inspect agencies' data safeguards in those instances where IRS shares taxpayer information but does not have direct authority to inspect agency safeguards.
GAO is making 15 additional recommendations. These include IRS
- establishing agency-wide training completion goals for contractors;
- maintaining a comprehensive inventory of systems that store or process taxpayer information;
- monitoring contractor UNAX and unauthorized disclosure cases and trends; and
- assessing risks of its method to transfer taxpayers' data electronically to contractors.
Matter for Congressional Consideration
| Matter | Status | Comments |
|---|---|---|
| Congress should consider providing IRS with direct statutory authority to inspect receiving agencies' safeguards for taxpayer information shared under subsection 6103(c) of the Internal Revenue Code. (Matter for Consideration 1) | As of March 2024, Congress has not introduced legislation related to this matter that would partially or fully address it. |
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Internal Revenue Service | 1. The Commissioner for Internal Revenue should officially assign the Human Capital Office responsibility for monitoring contractor training completion rates for courses related to protecting taxpayer information and ensure this role and responsibility is documented. (Recommendation 1) |
IRS agreed with this recommendation and as of March 2024, reported the agency had implemented it. Specifically, IRS reported it launched a mandatory training for contractors that includes three courses related to protecting taxpayer information. We are requesting documentation of this and will review it to determine the extent to which it addresses our recommendation. Implementing this recommendation would help ensure controls are identified, capable of being communicated to those responsible for their performance, and capable of being monitored and evaluated.
|
| Internal Revenue Service | 2. The Commissioner for Internal Revenue should ensure that the Human Capital Office establish and document an agency-wide training completion goal for annual mandatory contractor training related to protecting taxpayer information. (Recommendation 2) |
IRS agreed with this recommendation and as of March 2024, reported the agency had implemented it. Specifically, IRS reported it had established a goal of 90 percent completion for annual mandatory contractor training related to protecting taxpayer information. We are requesting documentation of this and will review it to determine the extent to which it addresses our recommendation. Implementing this recommendation would enable IRS to measure contractor training rates and better monitor contractors' training compliance and identify when corrective action may be needed.
|
| Internal Revenue Service | 3. The Commissioner for Internal Revenue should ensure that the Human Capital Office monitor contractor training completion rates for courses related to protecting taxpayer information and take actions to ensure contractors complete training, such as sharing completion rates with contracting officer representatives (COR) and other appropriate offices. (Recommendation 3) |
IRS agreed with this recommendation and as of March 2024, reported the agency had implemented it by monitoring contractor training completions throughout the 2023 Mandatory Briefings cycle. The agency reported this included sharing weekly training completion rate with business unit points of contact and with Contracting Officer Representatives. IRS also plans to issue quarterly reports on training completion rates. We are requesting documentation of this and will review it to determine the extent to which it addresses our recommendation. Implementing this recommendation will let IRS know when contractors are not meeting their training requirements, so it can take appropriate action to help ensure they complete the briefings. This, in turn, will help ensure contractors are equipped with the knowledge and skills to properly handle taxpayer information.
|
| Internal Revenue Service | 4. The Commissioner for Internal Revenue should ensure that the Enterprise Contract Oversight Center and other appropriate offices develop guidance for CORs on the process of documenting and reporting UNAX and unauthorized disclosure incidents, including processes for cases that are substantiated. (Recommendation 4) |
IRS agreed with this recommendation and as of March 2024, reported the agency would implement it by April 2024. Specifically, IRS reported PGLD established a regularly meeting, cross-functional team with relevant stakeholders to address and implement recommended changes. IRS also reported that the agency is coordinating the development and dissemination of guidance for Contractor Officer Representatives on the process of documenting and reporting UNAX and unauthorized disclosure incidents, including processes for cases that are substantiated. Implementing this recommendation would give assurance that Contractor Officer Representatives will report UNAX and unauthorized disclosure incidents timely and accurately.
|
| Internal Revenue Service | 5. The Commissioner for Internal Revenue should ensure that the Enterprise Contract Oversight Center and other appropriate offices develop training for CORs on the process of documenting and reporting UNAX and unauthorized disclosure incidents, including processes for cases that are substantiated. (Recommendation 5) |
IRS agreed with this recommendation and as of March 2024, reported the agency would implement it by September 2024. Specifically, IRS reported it established a regularly meeting, cross-functional team with relevant stakeholders to address and implement recommended changes and has developed Contractor Officer Representatives training. IRS also reported that the agency is coordinating delivering training Contractor Officer Representatives. Implementing this recommendation would give assurance that Contractor Officer Representatives will report unauthorized access and unauthorized disclosure incidents timely and accurately.
|
| Internal Revenue Service | 6. The Commissioner for Internal Revenue should ensure that the IT office, in collaboration with the Privacy, Governmental Liaison and Disclosure (PGLD) office, ensure that information is complete and accurate in the authoritative databases and other data sources that identify IRS systems that process or store taxpayer information. (Recommendation 6) |
IRS agreed with this recommendation and as of March 2024, reported the agency would implement it by February 2025. Specifically, IRS reported the Chief Information Officer, in collaboration with PGLD, will ensure that information is complete and accurate in the authoritative databases and other data sources that identify IRS systems that process or store taxpayer information. Implementing this recommendation would help IRS ensure it has implemented safeguards to protect taxpayer information on all of its relevant systems.
|
| Internal Revenue Service | 7. The Commissioner for Internal Revenue should ensure that the IT Cybersecurity office, in collaboration with PGLD, maintain a comprehensive inventory of IRS systems that process or store taxpayer information. (Recommendation 7) |
IRS agreed with this recommendation and as of March 2024, reported the agency would implement it by February 2025. Specifically, IRS reported the Chief Information Officer, in collaboration with PGLD, will maintain a comprehensive inventory of IRS systems that process or store taxpayer information. Implementing this recommendation would help IRS ensure it has implemented safeguards to protect taxpayer information on all of its relevant systems.
|
| Internal Revenue Service | 8. The Commissioner for Internal Revenue should ensure that PGLD includes the number of IRS employees authorized to access taxpayer information in its UNAX case monitoring efforts. (Recommendation 8) |
IRS agreed with this recommendation and as of March 2024, reported that the agency would implement it by September 2024. IRS also reported that PGLD has identified opportunities to leverage existing IRS data sets to gain better insight into systems that house taxpayer information and users authorized to access taxpayer information. Implementing this recommendation would help IRS identify business units that could benefit from training or targeted outreach on protections for taxpayer information and how to appropriately access such information.
|
| Internal Revenue Service | 9. The Commissioner of Internal Revenue should direct the appropriate offices to ensure contractor data on UNAX and unauthorized disclosure cases are reliable and can be used to monitor case amounts and trends. (Recommendation 9) |
IRS agreed with this recommendation and as of March 2024, reported the agency would implement it by April 2024. Specifically, IRS reported PGLD established a regularly meeting, cross-functional team with relevant stakeholders to promote the reliability and use of contractor UNAX and unauthorized disclosure case data. Additionally, IRS reported the agency is engaging the Treasury Inspector General for Tax Administration (TIGTA) to assess UNAX audit information for accuracy, eliminate gaps in data necessary to analyze UNAX data from systems, and ensure that data is appropriately accessible to monitor case amounts and trends. Implementing this recommendation would help IRS to determine if contractor UNAX case amounts are changing and identify any trends across cases that could be used to target prevention efforts.
|
| Internal Revenue Service | 10. The Commissioner for Internal Revenue should ensure that PGLD monitor contractor UNAX and unauthorized disclosure cases and trends and take action, as appropriate. (Recommendation 10) |
IRS agreed with this recommendation and as of March 2024, reported the agency would implement it by April 2024. Specifically, IRS reported that PGLD has established a regularly meeting, cross-functional team with relevant stakeholders to address and implement recommended changes. Additionally, IRS reported that PGLD has increased IRS's automation capabilities to track and monitor contractor UNAX incidents through IT systems. Implementing this recommendation would help IRS to determine if contractor UNAX case amounts are changing and identify any trends across cases that could be used to target prevention efforts.
|
| Internal Revenue Service | 11. The Commissioner for Internal Revenue should ensure that the IT Cybersecurity office ensure that the Large Business and International Division (LB&I) Pass-Through Entities office completes the inventory classification process for the system used for tracking affluent taxpayers' risk of tax noncompliance. (Recommendation 11) |
IRS agreed with this recommendation and as of March 2024, reported the agency has implemented the recommendation. Specifically, IRS reported that LB&I Passthrough Entities office submitted a FISMA Inventory Classification Checklist and obtained a tier 4 classification in June 2023. We are requesting this documentation and will review it to determine the extent to which it addresses our recommendation. Implementing this recommendation would help IRS understand the risks associated with operating its system used to track affluent taxpayers' risk of tax noncompliance and document IRS's risk assessment of their potential noncompliance.
|
| Internal Revenue Service | 12. The Commissioner for Internal Revenue should ensure that the LB&I Pass-Through Entities office develop key security assessment and authorization documentation, to include a system security plan and authorization to operate for the system used for tracking affluent taxpayers' risk of tax noncompliance, as appropriate. (Recommendation 12) |
IRS agreed with this recommendation and as of March 2024, reported the agency has implemented the recommendation. Specifically, IRS reported it classified its system used to track affluent taxpayers' risk of tax noncompliance and document IRS's risk assessment of their potential noncompliance, and the resulting classification does not require a system security plan. However, the LB&I Passthrough Entities office said it recognizes the need for one to be developed. We are requesting additional information and documentation to determine the extent to which IRS's actions address our recommendation. Implementing this recommendation would help IRS be aware of risks and how to respond to risks to the security of taxpayer information, as well as helping provide assurance that taxpayer information is protected on the system.
|
| Internal Revenue Service | 13. The Commissioner for Internal Revenue should ensure that the Office of Research, Applied Analytics, and Statistics (RAAS) Data Management Division implement processes to determine when to delete taxpayer information residing in the Compliance Data Warehouse, if required, according to the approved Records Control Schedule. (Recommendation 13) |
IRS agreed with this recommendation and as of March 2024, reported the agency would implement it by August 2024. Specifically, IRS reported it is updating the Compliance Data Warehouse's (CDW) record retention schedule to reflect when to delete records based on business needs. Implementing this recommendation would help IRS make a more informed decision on accepting risk associated with retaining large amounts of taxpayer information on systems accessed by a wide range of users.
|
| Internal Revenue Service | 14. The Commissioner for Internal Revenue should ensure that the RAAS Data Management Division implement processes to determine when to delete or archive taxpayer information residing in the Link Analysis Tool, if required, according to the approved Records Control Schedule. (Recommendation 14) |
IRS agreed with this recommendation and as of March 2024, reported the agency would implement it by August 2024. Specifically, IRS reported it plans to update the YK1 system's record retention schedule based on business need. Implementing this recommendation would help IRS make a more informed decision on accepting risk associated with retaining large amounts of taxpayer information on systems accessed by a wide range of users.
|
| Internal Revenue Service | 15. The Commissioner for Internal Revenue should ensure that the Small Business/Self-Employment Division Collection office assess the risks of its method to transfer taxpayers' data electronically to private collection agencies, and take action, as appropriate. (Recommendation 15) |
IRS agreed with this recommendation and as of March 2024, reported the agency has implemented it. Specifically, IRS reported it performed risk assessments for the secure data transfers that provide data to private collection agencies and will provide us with associated documentation. We will review it and determine the extent to which it addresses our recommendation. Implementing this recommendation would help IRS identify any risks associated with the method of sharing taxpayer information electronically with the private collection agencies, such as the likelihood and magnitude of harm from unauthorized access, use, or disclosure and could identify whether any changes are needed to better protect such information.
|