IRS must improve oversight of third-party cybersecurity, watchdog says
The Internal Revenue Service should create a committee or new oversight structure to ensure taxpayer information is secure while it is held by third-party companies, according to the Government Accountability Office.
In a report published Monday, the watchdog said it believes the IRS could continue to implement this recommendation without the need for additional statutory authority.
The watchdog disagreed with a prior assessment by agency officials, reiterated in February, that establishing security requirements for the IT systems of paid preparers and others who file returns electronically would require additional statutory authority and would be inefficient.
It said: “To fully implement this recommendation, IRS needs to develop a structure to coordinate across seven different offices working on information security-related activities, such as updating existing standards, monitoring authorized e-file provider program compliance, and tracking security incident reports. Without this structure, it is unclear how IRS can respond to changing security threats and ensure threats are mitigated.”
The audit is the latest in a line of watchdog recommendations for improving cybersecurity at the agency. In February, the GAO called on the IRS to improve its IT modernization processes, with a particular focus on more closely measuring progress in moving systems to the cloud.
This came after the Treasury Inspector General for Tax Administration in September called on the agency to improve the scope of its insider threat monitoring capabilities. In a report, that watchdog said the IRS CIO should work to ensure the agency’s insider threat team has access to all necessary information to carry out its work.