Security of Taxpayer Information: IRS Needs to Address Critical Safeguard Weaknesses
Fast Facts
Your tax returns are filled with sensitive personal and financial data—which you expect the IRS to protect. However, recent disclosures of sensitive taxpayer data have made headlines.
We, and the Treasury Inspector General for Tax Administration, have also raised concerns about IRS's ability to safeguard taxpayer information.
In this review, we found weaknesses in training, information systems, contractor oversight, information-sharing, and more. Of the related recommendations we've made since 2010, 77 haven't been implemented as of March 2023. We're also making 16 new recommendations, including one for Congress to consider.
Highlights
What GAO Found
The Internal Revenue Service (IRS) has implemented access controls and other safeguards to help mitigate risks to taxpayer information. However, continuing weaknesses pose a risk. Among its safeguards, in July 2022, IRS began requiring certain employees to seek senior executive approvals to gain access to taxpayer information. IRS employees also met the agency-wide 97 percent completion goal for training on protecting taxpayer information. However, IRS did not have a training goal for contractors, who had training completion rates well below employee completion rates—less than 75 percent. For example, 66 percent of the approximately 14,000 contractors assigned the Insider Threat Awareness training completed the course. As a result, IRS contractors are at increased risk of being unprepared to handle taxpayer information.
IRS Contractor and Employee Training Completion Rate, Fiscal Year 2021
In certain circumstances, IRS faces challenges ensuring taxpayer information it shares—as authorized by law—is properly protected. Federal tax law gives IRS the authority to inspect safeguards for agencies that receive taxpayer information from IRS in certain circumstances. However, in other cases where IRS shares taxpayer information pursuant to different statutory authority, it does not have direct authority to inspect agency safeguards. For these cases, Congress could provide IRS with direct authority to inspect agencies' safeguards, which would give IRS additional assurance that information will be protected sufficiently.
IRS policy requires the agency to maintain an inventory of its systems that store taxpayer information and to mitigate weaknesses in systems that lead to a higher risk of unauthorized disclosure of federal tax information or UNAX—the willful unauthorized access, attempted access, or inspection of federal tax information. However, as of December 2022, IRS omitted seven tax processing systems from its inventory. This limits its monitoring of UNAX prevention efforts.
GAO found that multiple IRS offices oversee contractors but IRS does not have overall oversight efforts related to IRS contractor UNAX. As a result, IRS has limited insight into contractor UNAX trends and assumes greater risk of missing opportunities to improve the agency's prevention efforts.
Weaknesses in IRS's information security controls present risks to taxpayer information. For example, IRS did not assess the risks of its method for transferring taxpayer information to contractors. Until IRS remediates these weaknesses, it will have limited assurance that taxpayer information is protected appropriately.
GAO and the Treasury Inspector General for Tax Administration (TIGTA) have previously reported on deficiencies in IRS's safeguards over taxpayer information. They have both made recommendations aimed at improving these safeguards. Since fiscal year 2010, GAO has made 451 recommendations to strengthen IRS safeguards for taxpayer information in areas such as governance for protecting taxpayer information; authentication and access to tax processing systems; and IRS monitoring of programs that process taxpayer information.
GAO's recommendations cover the five National Institute of Standards and Technology (NIST) cybersecurity core functions that provide a strategic view of life cycle management of cybersecurity risk. A majority of the recommendations cover the protect core function (74 percent)—actions related to developing and implementing appropriate safeguards. The remaining recommendations are in the other core functions— identify, detect, recover, and respond.
IRS had implemented 83 percent of GAO recommendations as of March 2023.
Status of GAO Recommendations Related to Protecting Taxpayer Information and NIST Cybersecurity Core Function, Fiscal Years 2010–March 2023
Since fiscal year 2019, TIGTA has made 246 recommendations to IRS related to protecting taxpayer information. As of April 2023, according to IRS, it has taken steps to address 202 of them—including implementing controls to manage IT supply chain risks—reducing the risk for disruptions to IRS's operations.
While IRS has taken substantial action to implement GAO recommendations, IRS did not always do so timely. For example, five recommendations have been open for more than 7 years. Additionally, IRS has yet to implement two recommendations GAO identified as high priority—updating a system modernization plan to more fully assess risk and developing a guidance structure to better protect taxpayer information while at third-party providers. Addressing the remaining GAO recommendations could help IRS better manage system security risks, implement safeguards to ensure protected service delivery, and identify cybersecurity events and incidents.
Why GAO Did This Study
The U.S. tax system is based largely on voluntary compliance. One factor that may influence taxpayers' willingness to voluntarily comply is the confidence that IRS is protecting their personal and financial information.
GAO was asked to review IRS's safeguards for taxpayer information. This report evaluates the extent to which IRS is following its tax safeguards for protecting taxpayer information.
To address this objective, GAO analyzed mandatory training and UNAX data for IRS employees and contractors, reviewed IRS and TIGTA documentation, and interviewed IRS and TIGTA officials at selected offices. In addition, GAO reviewed federal law authorizing other federal agencies to receive taxpayer information.
GAO also identified and tested selected management, operational, and technical controls on selected IRS systems that store or process taxpayer information, and observed controls in operation. GAO also has ongoing work assessing IRS's efforts to protect the confidentiality of taxpayer information, including its implementation of technical controls and breach response processes. GAO will publish this work in a subsequent report with limited distribution.
Further, GAO reviewed previously issued reports and recommendations, including those issued by TIGTA. GAO categorized them according to the five core security functions described in the NIST cybersecurity framework.
Recommendations
Since fiscal year 2010, GAO has made 451 recommendations to IRS aimed at safeguarding taxpayer information. While IRS has implemented many of these recommendations, 77 of them had not been implemented as of March 2023. These include two recommendations that GAO considers high priority. Fully implementing these recommendations could significantly improve IRS's ability to safeguard taxpayer information.
In addition to the remaining recommendations above, GAO is making one matter for congressional consideration. This matter would provide IRS with additional authority to inspect agencies' data safeguards in those instances where IRS shares taxpayer information but does not have direct authority to inspect agency safeguards.
GAO is making 15 additional recommendations. These include IRS
- establishing agency-wide training completion goals for contractors;
- maintaining a comprehensive inventory of systems that store or process taxpayer information;
- monitoring contractor UNAX and unauthorized disclosure cases and trends; and
- assessing risks of its method to transfer taxpayers' data electronically to contractors.
Matter for Congressional Consideration
Matter | Status | Comments |
---|---|---|
Congress should consider providing IRS with direct statutory authority to inspect receiving agencies' safeguards for taxpayer information shared under subsection 6103(c) of the Internal Revenue Code. (Matter for Consideration 1) | | As of March 2024, Congress has not introduced legislation related to this matter that would partially or fully address it. |
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Internal Revenue Service | The Commissioner for Internal Revenue should officially assign the Human Capital Office responsibility for monitoring contractor training completion rates for courses related to protecting taxpayer information and ensure this role and responsibility is documented. (Recommendation 1) | During our audit work for our August 2023 report, we found that the Internal Revenue Service (IRS) had not established centralized oversight of contractor training, which could have been contributing to IRS contractors' low training completion rates. As a result, we recommended that IRS assign the Human Capital Office responsibility for monitoring contractor training completion rates for courses related to protecting taxpayer information and ensure this role and responsibility is documented. We shared our preliminary finding with IRS in November 2022. In response to our audit work and finding, IRS provided documentation in May 2024 showing that IRS assigned responsibility for monitoring contractor training completion rates for courses related to protecting taxpayer information to the Human Capital Office in July 2023 and documented this role on its Mandatory Briefing intranet page. IRS documentation also shows the Human Capital Office will include contractor training completion rates in data reports. This action documents a control related to oversight and monitoring of training completion and can help IRS achieve contractor compliance with training requirements. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Human Capital Office establish and document an agency-wide training completion goal for annual mandatory contractor training related to protecting taxpayer information. (Recommendation 2) | In August 2023 we reported that the Internal Revenue Service (IRS) had not established an agency-wide goal for contractor training completion rates, which could have been contributing to low training completion rates for IRS contractors. As a result, we recommended that IRS establish and document an agency-wide training completion goal for annual mandatory contractor training related to protecting taxpayer information. In response to our recommendation, in September 2023, the IRS Human Capital Office established and documented a goal of 90 percent completion for annual mandatory contractor training related to protecting taxpayer information. This action will enable IRS to better monitor contractors' training compliance and identify when corrective action may be needed. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Human Capital Office monitor contractor training completion rates for courses related to protecting taxpayer information and take actions to ensure contractors complete training, such as sharing completion rates with contracting officer representatives (COR) and other appropriate offices. (Recommendation 3) | In response to our recommendation, IRS monitored contractor training completions throughout the 2023 Mandatory Briefings cycle. The agency shared weekly training completion rates with business unit points of contact and with Contracting Officer Representatives and, according to IRS, also provided them with quarterly reports on training completion rates. IRS also provided evidence that as of April 2024, it had documented the procedures for monitoring contractor mandatory briefing completion and uploaded them to its intranet site for responsible staff to access. However, IRS's documentation shows that while contractors' training completion rate increased during the 2023 training cycle, it was below the agency goal of 90 percent. Monitoring training completion rates will let IRS know when contractors are not meeting their training requirements, so it can take appropriate action to help ensure they complete the briefings and that IRS meets its agency goal of 90 percent training completion. This, in turn, will help ensure contractors are equipped with the knowledge and skills to properly handle taxpayer information. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Enterprise Contract Oversight Center and other appropriate offices develop guidance for CORs on the process of documenting and reporting UNAX and unauthorized disclosure incidents, including processes for cases that are substantiated. (Recommendation 4) | In August 2023 we reported that some Internal Revenue Service (IRS) contracting officer representatives (COR) -- officials responsible for overseeing contractors -- did not know how to report UNAX or unauthorized disclosure incidents or what to do if a case was substantiated. As a result, we recommended that IRS ensure that the Enterprise Contract Oversight Center and other appropriate offices develop guidance for CORs on the process of documenting and reporting UNAX and unauthorized disclosure incidents, including the process for cases that are substantiated. In response to this recommendation, the IRS Privacy, Governmental Liaison and Disclosure (PGLD) office developed guidance for CORs on the process for documenting and reporting UNAX and unauthorized disclosure incidents. Additionally, PGLD worked with the Enterprise Contract Oversight Center to disseminate the guidance to the IRS COR community in April 2024. This action will give assurance that CORs will report UNAX and unauthorized disclosure incidents timely and accurately. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Enterprise Contract Oversight Center and other appropriate offices develop training for CORs on the process of documenting and reporting UNAX and unauthorized disclosure incidents, including processes for cases that are substantiated. (Recommendation 5) | In August 2023, we reported that some Internal Revenue Service (IRS) contracting officer representatives (COR) -- officials responsible for overseeing contractors -- did not know how to report willful unauthorized access, attempted access, or inspection of taxpayer returns or return information (UNAX) or unauthorized disclosure incidents, or what to do if a case was substantiated. As a result, we recommended that IRS ensure that the Enterprise Contract Oversight Center and other appropriate offices develop training for CORs on the process of documenting and reporting UNAX and unauthorized disclosure incidents, including the process for cases that are substantiated. In response to this recommendation, the IRS Privacy, Governmental Liaison and Disclosure (PGLD) office developed training for CORs on the process for documenting and reporting UNAX and unauthorized disclosure incidents. In March 2024, IRS notified CORs that they needed to complete a training course that includes information on documenting and reporting UNAX and unauthorized disclosure incidents and what to do if a case was substantiated. As of July 2024, IRS documentation showed that 98 percent of CORs had completed this training. This action will give assurance that CORs will report UNAX and unauthorized disclosure incidents timely and accurately. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the IT office, in collaboration with the Privacy, Governmental Liaison and Disclosure (PGLD) office, ensure that information is complete and accurate in the authoritative databases and other data sources that identify IRS systems that process or store taxpayer information. (Recommendation 6) | IRS agreed with this recommendation and as of March 2024, reported the agency would implement it by February 2025. Specifically, IRS reported the Chief Information Officer, in collaboration with PGLD, will ensure that information is complete and accurate in the authoritative databases and other data sources that identify IRS systems that process or store taxpayer information. Implementing this recommendation would help IRS ensure it has implemented safeguards to protect taxpayer information on all of its relevant systems. |
Internal Revenue Service | Priority Rec. The Commissioner for Internal Revenue should ensure that the IT Cybersecurity office, in collaboration with PGLD, maintain a comprehensive inventory of IRS systems that process or store taxpayer information. (Recommendation 7) | IRS agreed with this recommendation and as of March 2024, reported the agency would implement it by February 2025. Specifically, IRS reported the Chief Information Officer, in collaboration with PGLD, will maintain a comprehensive inventory of IRS systems that process or store taxpayer information. Implementing this recommendation would help IRS ensure it has implemented safeguards to protect taxpayer information on all of its relevant systems. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that PGLD includes the number of IRS employees authorized to access taxpayer information in its UNAX case monitoring efforts. (Recommendation 8) | IRS agreed with this recommendation and as of July 2024 provided documentation that the agency had taken some steps to implement it. Specifically, IRS's IT office provided PGLD with the number of employees that have access to taxpayer information and agreed to provide this information quarterly. To fully implement this recommendation, PGLD should integrate this information into its existing UNAX case monitoring and analysis. This would help IRS identify business units that could benefit from training or targeted outreach on protections for taxpayer information and how to appropriately access such information. |
Internal Revenue Service | The Commissioner of Internal Revenue should direct the appropriate offices to ensure contractor data on UNAX and unauthorized disclosure cases are reliable and can be used to monitor case amounts and trends. (Recommendation 9) | In response to this recommendation, as of May 2024 IRS created standard definitions for contractor UNAX and unauthorized disclosure cases. In May 2024, IRS convened a cross-functional team of relevant stakeholders that meets regularly to promote the reliability and use of contractor UNAX and unauthorized disclosure case data. Additionally, IRS met with the Treasury Inspector General for Tax Administration (TIGTA) in May 2024 to discuss contractor UNAX and unauthorized access reporting metrics. We requested additional information about these actions and will review it to determine the extent to which they address our recommendation. Implementing this recommendation would help IRS to determine if contractor UNAX case amounts are changing and identify any trends across cases that could be used to target prevention efforts. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that PGLD monitor contractor UNAX and unauthorized disclosure cases and trends and take action, as appropriate. (Recommendation 10) | In response to this recommendation, as of May 2024, PGLD analyzed all UNAX and unauthorized disclosure case information it received during fiscal year 2023. According to PGLD, it did not identify any trends among the data and as a result did not take any additional action based on its analysis. PGLD also identified key contractor UNAX and unauthorized disclosure reporting metrics that it says will serve as the basis for trend analysis moving forward. Additionally, IRS's Human Capital Office agreed to provide PGLD with information on contractor UNAX and unauthorized disclosure metrics to support data collection, analysis, and mitigation efforts. We are requesting additional information about IRS's actions and will review that information to determine if IRS has fully implemented this recommendation. Fully implementing our recommendation will help IRS to determine if contractor UNAX case amounts are changing and identify any trends across cases that could be used to target prevention efforts. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the IT Cybersecurity office ensure that the Large Business and International Division (LB&I) Pass-Through Entities office completes the inventory classification process for the system used for tracking affluent taxpayers' risk of tax noncompliance. (Recommendation 11) | During our audit work for our August 2023 report, we found that the Internal Revenue Service's (IRS) Large Business and International Division's (LB&I) Pass-Through Entities office had not completed the inventory classification process to determine if the system used for tracking affluent taxpayers' risk of tax noncompliance is accurately classified and accounted for in the agency's Federal Information Security Modernization Act (FISMA) of 2014 system inventory. As a result, we recommended that IRS complete the inventory classification process for this system. We shared our preliminary finding with IRS in November 2022. In response to our audit work and finding, in December 2022, IRS's LB&I Passthrough Entities office submitted a FISMA Inventory Classification Checklist. IRS documentation provided in July 2024 shows that the FISMA Inventory Classification Checklist was used in June 2023 to determine the level of controls needed to adequately protect taxpayer information stored in the system. This action will help IRS to understand the risks associated with operating its system used to track affluent taxpayers' risk of tax noncompliance and be better positioned to protect taxpayer information. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the LB&I Pass-Through Entities office develop key security assessment and authorization documentation, to include a system security plan and authorization to operate for the system used for tracking affluent taxpayers' risk of tax noncompliance, as appropriate. (Recommendation 12) | IRS reported in July 2024 that, in June 2023, it had classified the system used to track affluent taxpayers' risk of tax noncompliance and to document IRS's risk assessment of their potential noncompliance, and that the resulting classification does not require a system security plan (SSP). However, in its July 2023 response to our draft report, IRS's LB&I Passthrough Entities office had said it recognized the need to develop an SSP. Development of an SSP would help IRS to understand risks to the security of taxpayer information and its responses to those risks. We are requesting additional information about IRS's actions and will review that information to determine if IRS has fully implemented this recommendation. Fully implementing our recommendation will help IRS to provide assurance that taxpayer information is protected on the system. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Office of Research, Applied Analytics, and Statistics (RAAS) Data Management Division implement processes to determine when to delete taxpayer information residing in the Compliance Data Warehouse, if required, according to the approved Records Control Schedule. (Recommendation 13) | IRS agreed with this recommendation and as of July 2024, reported the agency would implement it by late 2024. Specifically, IRS reported it has completed a revised records retention schedule for the Compliance Data Warehouse and is finalizing the materials with the National Archives and Records Administration. Implementing this recommendation would help IRS make a more informed decision on accepting risk associated with retaining large amounts of taxpayer information on systems accessed by a wide range of users. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the RAAS Data Management Division implement processes to determine when to delete or archive taxpayer information residing in the Link Analysis Tool, if required, according to the approved Records Control Schedule. (Recommendation 14) | IRS agreed with this recommendation and as of July 2024, reported the agency would implement it by late 2024. Specifically, IRS reported it has completed a revised records retention schedule for the Link Analysis Tool and is finalizing the materials with the National Archives and Records Administration. Implementing this recommendation would help IRS make a more informed decision on accepting risk associated with retaining large amounts of taxpayer information on systems accessed by a wide range of users. |
Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Small Business/Self-Employment Division Collection office assess the risks of its method to transfer taxpayers' data electronically to private collection agencies, and take action, as appropriate. (Recommendation 15) | In response to our recommendation, in October 2023, IRS performed two types of risk assessments for the secure data transfers that provide data to private collection agencies. IRS provided some documentation of these assessments and we have requested additional information to determine the extent to which IRS's actions address our recommendation. Implementing this recommendation would help IRS identify any risks associated with the method of sharing taxpayer information electronically with the private collection agencies, such as the likelihood and magnitude of harm from unauthorized access, use, or disclosure, and could identify whether any changes are needed to better protect such information. |