This is the accessible text file for GAO report number GAO-14-405 
entitled 'Information Security: IRS Needs to Address Control 
Weaknesses That Place Financial and Taxpayer Data at Risk' which was 
released on April 8, 2014. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

United States Government Accountability Office: 
GAO: 

Report to the Commissioner of Internal Revenue: 

April 2014: 

Information Security: 

IRS Needs to Address Control Weaknesses That Place Financial and 
Taxpayer Data at Risk: 

GAO-14-405: 

GAO Highlights: 

Highlights of GAO-14-405, a report to the Commissioner of Internal 
Revenue. 

Why GAO Did This Study: 

The IRS has a demanding responsibility in collecting taxes, processing 
tax returns, and enforcing the nation's tax laws. It relies 
extensively on computerized systems to support its financial and 
mission-related operations and on information security controls to 
protect the financial and sensitive taxpayer information that resides 
on those systems. 

As part of its audit of IRS's fiscal years 2013 and 2012 financial 
statements, GAO assessed whether controls over key financial and tax 
processing systems are effective in ensuring the confidentiality, 
integrity, and availability of financial and sensitive taxpayer 
information. To do this, GAO examined IRS information security 
policies, plans, and procedures; tested controls over key financial 
applications; and interviewed key agency officials at six sites. 

What GAO Found: 

The Internal Revenue Service (IRS) continued to make progress in 
addressing information security control weaknesses and improving its 
internal control over financial reporting; however, weaknesses remain 
that could affect the confidentiality, integrity, and availability of 
financial and sensitive taxpayer data. During fiscal year 2013, IRS 
management devoted attention and resources to addressing information 
security controls, and resolved a number of the information security 
control deficiencies that were previously reported by GAO. However, 
significant risks remained. Specifically, the agency had not always 
(1) installed appropriate patches on all databases and servers to 
protect against known vulnerabilities, (2) sufficiently monitored 
database and mainframe controls, or (3) appropriately restricted 
access to its mainframe environment. In addition, IRS had allowed 
individuals to make changes to mainframe data processing without 
requiring them to follow established change control procedures to 
ensure changes were authorized, and did not configure all applications 
to use strong encryption for authentication, increasing the potential 
for unauthorized access. 

An underlying reason for these weaknesses is that IRS has not 
effectively implemented portions of its information security program. 
The agency has established a comprehensive framework for the program, 
and continued to improve its controls; however, components of the 
program did not always function as intended. For example, IRS's 
testing procedures over financial reporting systems were not always 
thorough in that its testing methodology did not always determine 
whether required controls were operating effectively. In addition, IRS 
had not updated key mainframe policies and procedures to address 
issues such as users accessing files used by one processing 
environment from a different environment. Further, IRS did not include 
sufficient detail in its authorization procedures to ensure that 
access to systems was appropriate. 

Until IRS takes additional steps to (1) more effectively implement its 
testing and monitoring capabilities, (2) ensure that policies and 
procedures are updated, and (3) address unresolved and newly 
identified control deficiencies, its financial and taxpayer data will 
remain vulnerable to inappropriate and undetected use, modification, 
or disclosure. These deficiencies, including shortcomings in the 
information security program, were the basis of our determination that 
IRS had a significant deficiency in its internal control over its 
financial reporting systems for fiscal year 2013. 

What GAO Recommends: 

GAO is recommending that IRS take 3 actions to more effectively 
implement portions of its information security program. In a separate 
report with limited distribution, GAO recommends that IRS take 23 
specific actions to address identified control weaknesses. In 
commenting on a draft of this report, IRS agreed to develop a detailed 
corrective action plan to address each recommendation. 

View [hyperlink, http://www.gao.gov/products/GAO-14-405]. For more 
information, contact Nancy R. Kingsbury at (202) 512-2700 or 
kingsburyn@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or 
wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

IRS Continued to Make Progress, but Control Weaknesses Place Taxpayer 
and Financial Data at Risk: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluations: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: Comments from the Internal Revenue Service: 

Appendix III: GAO Contacts and Staff Acknowledgments: 

Abbreviations: 

CIO: chief information officer: 

ESAT: Enterprise Security Audit Trails: 

FISMA: Federal Information Security Management Act: 

IRS: Internal Revenue Service: 

TIGTA: Treasury Inspector General for Tax Administration: 

[End of section] 

United States Government Accountability Office: 
GAO:
441 G St. N.W. 
Washington, DC 20548: 

April 8, 2014: 

The Honorable John Koskinen: 
Commissioner of Internal Revenue: 

Dear Mr. Koskinen: 

The Internal Revenue Service (IRS) has a demanding responsibility in 
collecting taxes, processing tax returns, and enforcing the nation's 
tax laws. It relies extensively on computerized systems to support its 
financial and mission-related operations and on information security 
controls[Footnote 1] to protect the confidentiality, integrity, and 
availability of the financial and sensitive taxpayer information that 
resides on those systems.

As part of our audit of IRS's fiscal years 2013 and 2012 financial 
statements,[Footnote 2] we assessed the effectiveness of the agency's 
information security controls over its key financial and tax 
processing systems, information, and interconnected networks at six 
locations. These systems support the processing, storage, and 
transmission of financial and sensitive taxpayer information. As 
highlighted in our report on IRS's fiscal years 2013 and 2012 
financial statements, during fiscal year 2013 IRS continued to devote 
significant attention and resources to securing its information 
systems and protecting sensitive taxpayer and financial information. 
During fiscal year 2013, IRS addressed a large number of system 
control deficiencies that we had previously reported and implemented a 
new procurement system and upgraded software for its administrative 
accounting system. These actions are important steps toward improving 
the overall effectiveness of its information system controls and 
therefore the reliability of its financial data.

However, the remaining deficiencies in information security, along 
with new deficiencies we identified during this year's audit and 
discuss in this report, are important enough to merit the attention of 
those charged with governance of IRS and continue to represent a 
significant deficiency in IRS's internal control over its financial 
reporting systems as of September 30, 2013.[Footnote 3]

Our objective was to determine whether IRS's controls over its key 
financial and tax processing systems are effective in ensuring the 
confidentiality, integrity, and availability of financial and 
sensitive taxpayer information. To do this, we examined the agency's 
information security policies, plans, and procedures; tested controls 
over key financial applications; interviewed key agency officials; and 
reviewed our prior reports to identify previously reported weaknesses 
and assessed the effectiveness of corrective actions taken. Our 
evaluation was limited to systems relevant to financial management and 
reporting and was concentrated on threats emanating from sources 
internal to IRS's computer networks.

We conducted this audit from April 2013 to April 2014 in accordance 
with generally accepted government auditing standards. We believe our 
audit provides a reasonable basis for our opinions and other 
conclusions. For additional information about our objective, scope, 
and methodology, refer to appendix I.

Background: 

The use of information technology has created many benefits for 
agencies such as IRS in achieving their mission and providing 
information and services to the public, but challenges continue to 
exist as computerized information and resources grow with increasing 
demand and various threats continue to plague security. Information 
security is especially important for government agencies, where 
maintaining the public's trust is essential.

Without proper safeguards, computer systems are vulnerable to 
individuals and groups with malicious intentions who can intrude and 
use their access to obtain sensitive information, commit fraud and 
identity theft, disrupt operations, or launch attacks against other 
computer systems and networks. Cyber-based threats to information 
systems and cyber-related critical infrastructure can come from 
sources internal and external to the organization. Internal threats 
include errors or mistakes, as well as fraudulent or malevolent acts 
by employees or contractors working within an organization. External 
threats include the ever-growing number of cyber-based attacks that 
can come from a variety of sources such as hackers, criminals, and 
foreign nations. Our previous reports, and those by federal inspectors 
general, describe persistent information security weaknesses that 
place federal agencies, including IRS, at risk of disruption, fraud, 
or inappropriate disclosure of sensitive information. Accordingly, we 
have designated information security as a governmentwide high-risk 
area since 1997, a designation that remains in force today.[Footnote 4]

Information security programs and practices performed by an agency are 
essential to creating and maintaining effective internal controls 
within an organization's critical information technology 
infrastructure. The Federal Managers' Financial Integrity Act[Footnote 
5] requires the Comptroller General to prescribe standards for 
internal control. The standards provide the overall framework for 
establishing and maintaining internal control and for identifying and 
addressing major performance and management challenges and areas at 
greatest risk of fraud, waste, abuse, and mismanagement.[Footnote 6] 
The term internal control covers all aspects of an agency's operations 
(programmatic, financial, and compliance). Information system controls 
consist of those internal controls that are dependent on information 
systems processing and include general controls (such as security 
management, access controls, configuration management, and contingency 
planning) at the entity, system, and business process application 
levels; business process application controls (input, processing, 
output, master file, interface, and data management system controls); 
and user controls (controls performed by people interacting with 
information systems).

The Federal Information Security Management Act (FISMA)[Footnote 7] is 
intended to provide a comprehensive framework for ensuring the 
effectiveness of information security controls over information 
resources that support federal operations and assets. FISMA requires 
each agency to develop, document, and implement an agencywide 
information security program for the information and information 
systems that support the operations and assets of the agency, using a 
risk-based approach to information security management. Such a program 
includes assessing risk; developing and implementing cost-effective 
security plans, policies, and procedures; plans for providing adequate 
information security for networks, facilities, and systems; providing 
security awareness and specialized training; testing and evaluating 
the effectiveness of controls; planning, implementing, evaluating, and 
documenting remedial actions to address information security 
deficiencies; procedures for detecting, reporting, and responding to 
security incidents; and ensuring continuity of operations. The act 
also assigned to the National Institute of Standards and Technology 
the responsibility for developing standards and guidelines that 
include minimum information security requirements.

IRS Is the Tax Collector for the United States: 

The mission of the IRS is to provide America's taxpayers top-quality 
service by helping them to understand and meet their tax 
responsibilities and enforce the law with integrity and fairness to 
all. In carrying out this mission and responsibilities of 
administering our nation's tax laws, the IRS relies extensively on its 
computer systems. As such, it must ensure that its computer systems 
are effectively secured to protect sensitive financial and taxpayer 
data for the collection of taxes, the processing of tax returns, and 
the enforcement of federal tax laws. In fiscal years 2013 and 2012, 
IRS collected about $2.9 trillion and $2.5 trillion, respectively, in 
federal tax payments, processed about 241 million and 239 million, 
respectively, in tax and information returns, and paid about $364 
billion and $373 billion, respectively, in refunds to taxpayers. 
Further, the size and complexity of IRS add unique operational 
challenges.

IRS employs approximately 98,000 people (which includes temporary and 
seasonal staff) in its Washington, D.C., headquarters and over 600 
offices in all 50 states and U.S. territories and in some U.S. 
embassies and consulates. IRS relies extensively on computerized 
systems to support its financial and mission-related operations. To 
manage its data and information, the agency operates three enterprise 
computing centers located in Detroit, Michigan; Martinsburg, West 
Virginia; and Memphis, Tennessee. IRS also collects and maintains a 
significant amount of personal and financial information on each U.S. 
taxpayer. Protecting this sensitive information is paramount; 
otherwise, taxpayers could be exposed to loss of privacy and to 
financial loss and damages resulting from identity theft or other 
financial crimes.

The Commissioner of Internal Revenue has overall responsibility for 
ensuring the confidentiality, integrity, and availability of the 
information and information systems that support the agency and its 
operations. FISMA requires the Chief Information Officer (CIO) or 
comparable official at a federal agency to be responsible for 
developing and maintaining an information security program. IRS has 
delegated this responsibility to the Associate CIO, who heads the IRS 
Information Technology Cybersecurity organization. This organization's 
mission is to protect taxpayer information and the IRS's systems, 
services, and data from internal and external cyber-related threats by 
implementing security practices in planning, implementation, 
management, and operations. IRS develops and publishes its information 
security policies, guidelines, standards, and procedures in its 
Internal Revenue Manual and other documents in order for IRS divisions 
and offices to carry out their respective responsibilities in 
information security. In November 2013, the Treasury Inspector General 
for Tax Administration (TIGTA) stated that security of taxpayer data, 
including securing computer systems, was the top priority in its list 
of top 10 management challenges for IRS for fiscal year 2014.[Footnote 
8]

IRS Continued to Make Progress, but Control Weaknesses Place Taxpayer 
and Financial Data at Risk: 

IRS had implemented numerous controls over its systems, including 
controls for identification and authentication, authorization, 
cryptography, audit and monitoring, physical security, configuration 
management, and contingency planning. However, it had not always 
effectively implemented access and other controls to protect the 
confidentiality, integrity, and availability of its financial systems 
and information. These weaknesses and others in IRS's security program 
increase the risk that taxpayer and other sensitive information could 
be disclosed or modified without authorization.

Access Control Weaknesses Reduced Security over Systems: 

A basic management objective for any organization is to protect the 
resources that support its critical operations from unauthorized 
access. Organizations accomplish this objective by designing and 
implementing controls that are intended to prevent, limit, and detect 
unauthorized access to computing resources, programs, information, and 
facilities.

Access controls include those related to user identification and 
authentication, authorization, cryptography, audit and monitoring, and 
physical security. However, IRS did not fully implement effective 
controls in these areas. Without adequate access controls, 
unauthorized individuals, including infiltrators and former employees, 
can surreptitiously read and copy sensitive data and make undetected 
changes or deletions for malicious purposes or personal gain. In 
addition, authorized users could intentionally or unintentionally 
read, add, delete, or modify data or execute changes that are outside 
their span of authority.

IRS had identification and authentication controls in place, but they 
were inconsistently implemented: 

Identification is the process of distinguishing one user from all 
others, usually through user IDs. These are important because they are 
the means by which specific access privileges are assigned and 
recognized by the computer. However, the confidentiality of a user ID 
is typically not protected. For this reason, other means of 
authenticating users--that is, determining whether individuals are who 
they say they are--are typically implemented (for example, passwords, 
security tokens, etc.). IRS's Internal Revenue Manual specifies 
security configurations for its database systems and network 
infrastructure systems that cover how authentications are to be 
performed and how passwords are to be configured. The manual also 
requires the use of a strong password for authentication (defined as a 
minimum of eight characters, containing at least one numeric or 
special character, a mixture of at least one uppercase and one 
lowercase letter, and no words found in a dictionary), and that 
passwords be set to expire every 90 days. Further, the manual states 
that passwords for service accounts shall expire within 366 days.

IRS improved identification and authentication controls for several 
databases and one of its major operating systems. For example: 

* authentication controls for databases supporting the agency's access 
authorization and procurement systems were set to prevent a user from 
connecting to a database without a password;

* controls over complexity of passwords for certain databases were 
adequate; and: 

* passwords were stored with adequate controls to prevent them from 
being disclosed.

However, identification and authentication control weaknesses 
continued to reduce IRS's ability to effectively control access to 
systems and data. Specifically: 

* controls over the length of passwords for certain network 
infrastructure systems were not adequate and: 

* the agency used passwords that could be easily guessed.

Further, IRS did not always ensure that all database accounts were set 
to have a maximum expiration of 90 days. In addition, the agency had 
not consistently applied proper password settings to mainframe service 
accounts. Of the 81 mainframe service accounts, 31 were configured to 
never require password changes. As a result of these weaknesses, IRS 
had reduced ability to control who was accessing its systems and data.

IRS had a framework in place to manage authorization, but some users 
had more access than necessary to perform their duties: 

Access rights and privileges are used to implement security policies 
that determine what a user can do after being allowed into a system. 
Access rights, also known as permissions, allow the user to read or 
write to a certain file or directory. Privileges are a set of access 
rights permitted by the access control system. A key component of 
authorization is the concept of "least privilege," which means that 
users should have the least amount of privileges necessary to perform 
their duties. Maintaining access rights, permissions, and privileges 
is one of the most important aspects of administering system security. 
According to the Internal Revenue Manual, the agency should implement 
access control measures that provide protection from unauthorized 
alteration, loss, unavailability, or disclosure of information. The 
manual also requires that system access be granted based on the 
principle of least privilege.

IRS had strengthened several authorization controls, including: 

* implementing programming changes to an application to correct a 
vulnerability that allowed users of that application to view sensitive 
system information by using unintended capabilities in the user 
interface of the application and: 

* consistently providing access privileges on all mainframe systems to 
prevent users from having a greater level of access than needed to 
perform their duties.

However, numerous authorization control weaknesses existed in IRS's 
computing environment, including: 

* Access privileges allowed all users of IRS's internal network to 
read and write files containing sensitive system information, 
including passwords, that were used to support automated data transfer 
operations between numerous systems. Unauthorized access privileges to 
these files jeopardized the integrity of the data and the availability 
of applications.

* Administrators had more access than needed in certain instances. On 
one server, IRS had configured multiple databases supporting different 
business units to operate using the same username. As a result, any 
administrator with access to the username could have access to all 
databases, exceed his or her job duties, and affect IRS's ability to 
control the integrity of the data.

* Nine contractors were collectively assigned 14 mainframe security 
software user profiles that had password expiration dates set beyond 
the end of the contract period. Six contractors were collectively 
assigned 9 mainframe security software user profiles that had no 
expiration dates set. Maintaining contractor user IDs on the system 
after the contract date has expired could allow unauthorized use of 
their username and passwords, and would expose system information and 
render sensitive data vulnerable to unauthorized access. As a result, 
IRS had reduced ability to control who was accessing its systems and 
data.

Until IRS appropriately controls users' access to its systems and 
effectively implements its procedures for authorization, the agency 
has limited assurance that its information resources are being 
protected from unauthorized access, alteration, and disclosure.

IRS inconsistently employed cryptography controls for authentication, 
resulting in transmission of weakly encrypted or unencrypted 
authentication information across its internal network: 

Cryptography controls can be used to identify and authenticate users 
and help protect the integrity and confidentiality of data and 
computer programs by rendering data unintelligible to unauthorized 
users and by protecting the integrity of transmitted or stored data. 
Cryptography involves the use of mathematical functions called 
algorithms and strings of seemingly random bits called keys to (1) 
encrypt a message or file so that it is unintelligible to those who do 
not have the secret key needed to decrypt it, thus keeping the 
contents of the message or file confidential; (2) provide an 
electronic signature that can be used to determine if any changes have 
been made to the related file, thus ensuring the file's integrity; or 
(3) link a message or document to a specific individual's or group's 
key, thus ensuring that the "signer" of the file can be identified. 
According to the Internal Revenue Manual, the confidentiality of 
transmitted data must be protected by encrypting the data to prevent 
unauthorized disclosure. In addition, the policy states that the use 
of insecure protocols should be restricted because their widespread 
use can allow passwords, taxpayer information, and other sensitive 
data to be transmitted unencrypted across its internal network.

IRS made progress in its implementation of data encryption controls by: 

* configuring network equipment to use encrypted authentication 
protocols,

* discontinuing the use of an unencrypted protocol to transmit 
sensitive information on a server supporting the IRS's tax payment 
system, and: 

* disabling an unencrypted authentication method on e-mail servers.

However, many of IRS's servers were configured to use weak encryption 
for authentication. Further, the agency did not configure servers that 
supported the administration of automated file transfers of financial 
data to use encryption for authentication. Until these weaknesses are 
corrected, IRS's ability to reliably control access to some systems 
and data is undermined.

Although IRS had numerous audit and monitoring processes in place, it 
had not effectively implemented a monitoring process for several of 
its database and mainframe environments: 

Audit and monitoring involves the regular collection, review, and 
analysis of auditable events for indications of inappropriate or 
unusual activity, and the appropriate investigation and reporting of 
such activity. Automated mechanisms may be used to integrate audit 
monitoring, analysis, and reporting into an overall process for 
investigation and response to suspicious activities. Audit and 
monitoring controls can help information systems security 
professionals routinely assess computer security, perform 
investigations during and after an attack, and even recognize an 
ongoing attack. Audit and monitoring technologies include network and 
host-based intrusion detection systems, audit logging, security event 
correlation tools, and computer forensics. The Internal Revenue Manual 
requires that audit logging be enabled and configured on all systems 
to aid in the detection of security violations, performance problems, 
and flaws in applications. Additionally, the manual states that 
security controls in information systems shall be monitored on an 
ongoing basis.

IRS had strengthened its audit and monitoring processes by: 

* enabling security event auditing[Footnote 9] and system privilege 
auditing[Footnote 10] features on databases that support its access 
authorization, administrative accounting, and procurement systems;

* configuring mainframe audit logging to record the newer types of 
network activity that are supported by the operating system; and: 

* enabling user auditing for users with account attributes that are 
needed to perform sensitive mainframe system administration tasks.

However, IRS did not always effectively implement audit and monitoring 
controls on internal systems. Specifically, despite ongoing efforts 
dating back to 2007, IRS's enterprisewide mainframe security 
monitoring program, known as Enterprise Security Audit Trails (ESAT), 
has yet to deliver operational mainframe security monitoring reports 
to system owners or stakeholders. Without effective audit and 
monitoring, IRS's ability to establish individual accountability, 
monitor compliance with security and configuration management 
policies, and investigate information systems security violations is 
limited.

Although IRS had implemented numerous physical security controls, 
weaknesses reduced control effectiveness: 

Physical security controls restrict physical access to computer 
resources and protect them from intentional or unintentional loss or 
impairment. Adequate physical security controls over computer 
resources (e.g., computer facilities, network devices such as routers 
and firewalls, telecommunications equipment, and transmission lines) 
should be established that are commensurate with the risks of physical 
damage or access. Physical security controls over the overall facility 
and areas housing sensitive information technology components include, 
among other things, policies and practices for granting and 
discontinuing access authorizations; controlling badges, ID cards, 
smartcards, and other entry devices; controlling entry during and 
after normal business hours; and controlling the entry and removal of 
computer resources (such as equipment and storage media) from the 
facility. Physical security controls also include environmental 
controls, such as smoke detectors, fire alarms, extinguishers, 
uninterruptible power supplies, and redundancy in air cooling systems. 
At IRS, physical access control measures, such as physical access 
cards that are used to permit or deny access to certain areas of a 
facility, are vital to safeguarding facilities, computing resources, 
and information from internal and external threats. The Internal 
Revenue Manual requires a short-term uninterruptible power supply be 
provided to facilitate an orderly shutdown of information systems in 
the event of a primary power loss. The manual also requires that 
access controls be implemented to safeguard assets against possible 
theft and malicious actions. Further, the manual states that 
department managers of restricted areas are to review, validate, sign, 
and date the authorized access list for the restricted area on a 
monthly basis, and then forward the list to the physical security 
office for review.

IRS had implemented physical security controls at its enterprise 
computing centers to carry its facilities through a short power 
outage, and provide time to back up data and perform orderly shutdown 
procedures during extended power outages. For example, IRS installed 
redundant critical systems, such as uninterruptible power supplies and 
backup generators, at all three computing centers so that power would 
be adequate for an orderly shutdown. Further, IRS implemented 
safeguards to protect its assets against theft and malicious actions. 
For example, IRS reviewed visitor physical access cards at one 
computing center to ensure that they provided only the authorized 
levels of access to the restricted areas within the center.

However, physical security controls were not always effectively 
implemented. For example, during monthly reviews of individuals with 
an ongoing need to access restricted areas at two of the three 
computing centers, officials did not consistently indicate the need to 
remove individuals who no longer needed access. We previously made a 
recommendation in fiscal year 2011 to address this issue at one of the 
two computing centers.[Footnote 11] Because employees and visitors may 
be allowed inappropriate access to restricted areas, IRS has reduced 
assurance that its computing resources and sensitive information are 
being adequately protected from unauthorized access.

IRS Had Contingency Plans in Place, but Weaknesses in Other 
Information Security Controls Introduce Risk: 

In addition to access controls, other controls should be in place to 
ensure the confidentiality, integrity, and availability of an agency's 
information. These controls include policies, procedures, and 
techniques for securely configuring information systems with software 
updates and planning for continuity of operations. Weaknesses in 
system configurations increase the risk of unauthorized use, 
disclosure, modification, or loss of information to financial and tax 
processing systems and taxpayer data.

Weaknesses continued to exist in updating software: 

Configuration management controls are intended to prevent unauthorized 
changes to information system resources (for example, software 
programs and hardware configurations) and to provide reasonable 
assurance that systems are configured and operating securely and as 
intended. Change control procedures, a component of configuration 
management, are important to ensure that only authorized and fully 
tested systems are placed in operation. To ensure that changes to 
systems are necessary, work as intended, and do not result in the loss 
of data or program integrity, such changes should be documented, 
authorized, tested, and independently reviewed. Patch management, yet 
another component of configuration management, is an important element 
in mitigating the risks associated with known vulnerabilities. When 
vulnerabilities are discovered, the vendor may release an update to 
mitigate the risk. Without the update applied in a timely manner, an 
attacker may exploit a vulnerability not yet mitigated, enabling 
unauthorized access to an information system or enabling users to have 
access to greater privileges than authorized. Unsupported software 
increases risk because vendors no longer provide updates to known 
vulnerabilities. Accordingly, the Internal Revenue Manual states that 
all changes to production systems and processing must be requested and 
approvals documented. The manual also requires IRS to reduce 
vulnerabilities to systems by installing patches in a timely manner. 
Specifically, it states that IRS should implement critical priority 
security-related patches within 72 hours of patch availability and 
high-priority security-related patches within 5 business days of patch 
availability. Further, the manual states that the agency should ensure 
that the version of an application being used is one for which the 
vendor continues to offer technical support, and that database 
software be removed or updated prior to a vendor dropping support.

Although IRS has change control and patch management processes in 
place, it did not effectively document and approve changes or install 
patches in a timely manner. For example, of 32 changes to mainframe 
production processing recorded in the system logs during the 1-week 
period we reviewed, no requests or approvals had been made or 
documented. This activity had not been detected by system monitoring 
processes. By not enforcing change controls in the production 
mainframe system, the integrity and availability of IRS's data and 
systems are jeopardized. Also, IRS had not applied critical patches 
within required time frames to servers supporting multiple systems we 
reviewed, including the authorization, procurement, and e-mail 
systems. By not installing critical patches in a timely fashion, IRS 
increases the risk that known vulnerabilities in its systems may be 
exploited. Further, the agency used an unsupported software 
application on its workstations, and database software used to support 
the access authorization system was no longer supported. Running 
outdated and unsupported software increases security exposure, as the 
vendor will not be supplying any security patches to the unsupported 
software.

IRS had contingency plans in place for systems reviewed: 

Contingency planning, which includes developing contingency and 
business continuity plans, should be tested to ensure that when 
unexpected events occur, critical operations can continue without 
interruption or can be promptly resumed, and that information 
resources are protected. The Internal Revenue Manual requires the 
agency to develop, test, and maintain information system contingency 
plans for all systems. In addition, according to the manual, IRS shall 
implement and enforce backup procedures for all systems and 
information and test the plans to determine their effectiveness and 
the agency's readiness to execute the plans.

IRS had processes in place to ensure recovery of their information 
system resources through continuity of operations, which included 
contingency plans and their associated test plans. For the seven 
contingency plans we reviewed, the agency had appropriately documented 
and maintained current plans and had tested the plans, and had the 
appropriate backup procedures in place to ensure recovery of its data 
and information system resources.

IRS Had Developed an Information Security Program, but Had Not Always 
Effectively Implemented Elements of the Program: 

A key reason for the information security weaknesses in IRS's 
financial and tax-processing systems was that, although the agency has 
developed and documented a comprehensive agencywide information 
security program, it had not effectively implemented elements of it.

An agencywide information security management program should establish 
a framework and continuous cycle of activity for assessing risk, 
developing and implementing effective security procedures, and 
monitoring the effectiveness of these procedures. FISMA requires each 
agency to develop, document, and implement an information security 
program that, among other things, includes: 

* periodic assessments of the risk and magnitude of harm that could 
result from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information and information systems;

* policies and procedures that (1) are based on risk assessments, (2) 
cost-effectively reduce information security risks to an acceptable 
level, (3) ensure that information security is addressed throughout 
the life cycle of each system, and (4) ensure compliance with 
applicable requirements;

* plans for providing adequate information security for networks, 
facilities, and systems;

* security awareness training to inform personnel of information 
security risks and of their responsibilities in complying with agency 
policies and procedures, as well as training personnel with 
significant security responsibilities for information security;

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices, performed with a 
frequency depending on risk, but no less than annually, and that 
include testing of management, operational, and technical controls for 
every system identified in the agency's required inventory of major 
information systems;

* a process for planning, implementing, evaluating, and documenting 
remedial action to address any deficiencies in information security 
policies, procedures, or practices; and: 

* procedures for detecting, reporting, and responding to security 
incidents.

Further, the current administration has made continuous monitoring of 
federal information systems a top cyber-security priority. Continuous 
monitoring of security controls employed within or inherited by the 
system is an important aspect of managing risk to information from the 
operation and use of information systems. An effective information 
security program also includes a rigorous continuous monitoring 
program integrated into the system development life cycle. As 
described by the National Institute of Standards and Technology, 
[Footnote 12] effective continuous monitoring begins with development 
of a strategy that addresses requirements and activities at each 
organizational tier. The Internal Revenue Manual states that the 
agency should document its continuous monitoring strategy as defined 
by this guidance.

IRS had implemented a comprehensive information security program, as 
illustrated by the following examples: 

* IRS had developed and documented an information technology security 
risk management policy that required all sensitive applications to be 
periodically assessed for the risk and magnitude of harm that could 
result from vulnerabilities and potential threats.

* The agency had developed policies and procedures that considered 
risk, appropriately addressed purpose, scope, roles, responsibilities, 
and compliance, and were approved by management.

* IRS had developed and documented security plans for all of its major 
systems that we reviewed that addressed policies and procedures for 
providing management, operational, and technical controls.

* IRS had a process in place for providing employees with security 
awareness and specialized training. All employees with specific 
security-related roles that we reviewed met the required minimum 
specialized training hours.

* The agency had implemented numerous processes for testing and 
evaluating the effectiveness of controls, and told us that it had 
previously identified many of the issues we raise in this report.

* IRS had completed actions to address 42[Footnote 13] of the 91 
recommendations we reported in 2013 that were still unresolved at the 
time of our last review (as of September 30, 2012).[Footnote 14]

* IRS had a process in place to ensure that its Computer Security 
Incident Response Center incident tickets were opened, managed, and 
closed in accordance with IRS's policies and procedures governing 
incident detection, handling, and response. Of the 45 incident tickets 
we reviewed, we validated that each had been opened, managed, and 
closed by center personnel and handled according to its proper 
incident categorization as outlined by the National Institute of 
Standards and Technology.

However, not all elements of IRS's information security program had 
been effectively implemented, as illustrated in the following examples: 

* Although IRS had developed and documented information security 
policies and procedures covering key topics such as risk assessments, 
security awareness training, testing and evaluation of security 
controls, configuration management, continuity of operations, and 
incident response, shortcomings existed with policies and procedures.

- IRS had not updated policies and procedures to ensure that they 
address (1) both methods available for granting all users access to 
mainframe resources, (2) audit and monitoring of access from one 
processing environment to another, (3) use of appropriate accounts by 
multiple databases on a single server, (4) data storage shared between 
systems, (5) out-of-date security standards, and (6) reconciliation of 
access privileges. We previously made a recommendation to address 
these issues.[Footnote 15]

- IRS does not record or maintain sufficiently detailed or organized 
information of system access requests and access assignments to 
facilitate effective review or verification of users' system access 
privileges. The Internal Revenue Manual contains no requirements for 
the content of access information to be entered or maintained in the 
IRS on-line access request and approval system. As a result, 
individual users' access privileges for both mainframe and distributed 
computing-based applications cannot be accurately verified. This 
increases the likelihood that erroneous and outdated access privileges 
will not be detected.

- Internal system documentation entries for important automated 
mainframe processes that were recently added to the system were not 
completed. IRS procedures did not specify the information required to 
be recorded in the internal system documentation. Absent this system 
documentation, the effectiveness of monitoring of these important 
automated processes is diminished.

* Although IRS had processes in place for providing employees with 
security awareness and specialized training, the agency did not always 
ensure that contractors received security awareness training. The 
Internal Revenue Manual requires that all new employees and 
contractors receive security awareness training within 5 days of 
receiving system access. Processes for ensuring contractors received 
required training were not in place. We reported in 2013 that more 
than half of the contractors we evaluated had not met IRS' security 
awareness training requirement. We previously made a recommendation in 
2010 to address contractor security awareness training.[Footnote 16]

* IRS's procedures for testing and evaluating controls were not always 
effective. A key element of an information security program is 
conducting tests and evaluations of policies, procedures, and controls 
to determine whether they are effective and operating as intended. 
However, for one financial reporting system that we reviewed, the 
testing methodology did not always determine whether required 
authentication controls were operating effectively. Also, IRS had not 
identified some of the other issues raised in this report, including 
weaknesses involving missing patches and undocumented mainframe 
changes. In addition, IRS had not yet updated mainframe test and 
evaluation processes to improve periodic monitoring of compliance with 
policies, including the shortcomings with its ESAT program discussed 
in this report. We previously made recommendations to address these 
issues.[Footnote 17]

* Although IRS had a process in place for evaluating and tracking 
remedial actions, it had not consistently developed a remedial action 
plan for known vulnerabilities. The Internal Revenue Manual requires 
that such a plan be developed for information systems to document the 
planned remedial actions to correct weaknesses or deficiencies noted 
during an assessment of security controls and to reduce or eliminate 
known vulnerabilities in the system. However, IRS had not developed a 
plan to document remedial actions to eliminate known vulnerabilities 
in one of its workload automation software environments.

* As we reported in 2013, IRS had not fully documented its continuous 
monitoring strategy. The agency created a diagram that logically 
depicts certain information security continuous monitoring data flows 
and activities; had developed various standard operating procedures; 
and is collecting, analyzing, and reporting on certain data. However, 
it had not developed a strategy that addresses requirements and 
activities at each organizational tier. We previously made a 
recommendation to address this issue.[Footnote 18]

Until IRS effectively implements all key elements of its information 
security program, the agency will not have reasonable assurance that 
computing resources are consistently and effectively protected from 
inadvertent or deliberate misuse, including fraud or destruction.

Conclusions: 

IRS continued to make progress in addressing information security 
control weaknesses, improving its internal control over financial 
reporting; however, serious weaknesses remain that could affect the 
confidentiality, integrity, and availability of financial and 
sensitive taxpayer data. During fiscal year 2013, IRS management 
continued to devote attention and resources to addressing information 
security controls, and resolved a significant number of the 
information security control deficiencies that we previously reported. 
However, information security weaknesses existed in access and other 
information system controls over IRS's financial and tax-processing 
systems. The financial and taxpayer information on IRS systems will 
remain particularly vulnerable to internal threats until the agency 
(1) addresses weaknesses pertaining to identification and 
authentication, authorization, cryptography, audit and monitoring, 
physical security, and configuration management; and (2) effectively 
implements key components of its comprehensive information security 
program that ensure processes intended to test, monitor, and evaluate 
internal controls are appropriately detecting vulnerabilities, 
including updating policies and procedures for system-level 
authentication and authorization, and developing remedial action plans 
for identified weaknesses. These deficiencies are the basis of our 
determination that IRS had a significant deficiency in internal 
control over financial reporting in its information security in fiscal 
year 2013. Continued and consistent management commitment and 
attention to an effective information security program will be 
essential to the maintenance of, and continued improvements in, the 
agency's information security controls.

Recommendations for Executive Action: 

In addition to implementing our previous recommendations, we are 
recommending that the Commissioner of Internal Revenue take the 
following three actions to effectively implement key components of the 
IRS information security program: 

* Update access request policies and procedures to ensure that they 
contain sufficiently detailed information of access requests and 
access assignments to facilitate effective review and verification of 
appropriate access privileges.

* Update procedures to specify the information required to be recorded 
in the internal system documentation for important mainframe system 
processes.

* Develop a remedial action plan to address known information system 
weaknesses or deficiencies in the workload automation software 
environment.

We are also making 23 detailed recommendations in a separate report 
with limited distribution. These recommendations consist of actions to 
be taken to correct specific information security weaknesses related 
to identification and authentication, authorization, cryptography, and 
configuration management.

Agency Comments and Our Evaluations: 

In providing written comments (reprinted in app. II) on a draft of 
this report, the Commissioner of Internal Revenue stated that the 
security and privacy of taxpayer and financial information is of the 
utmost importance to the agency and that IRS will provide a detailed 
corrective action plan addressing each of our recommendations. 
Further, the Commissioner stated that the integrity of IRS's financial 
systems continues to be sound. However, as we noted in this report, 
although IRS has continued to make progress in addressing information 
security control weaknesses, it had not always effectively implemented 
access and other controls to protect the confidentiality, integrity, 
and availability of its financial systems and information. The 
effective implementation of our recommendations in this report and in 
our previous reports will assist IRS in protecting taxpayer and 
financial information.

This report contains recommendations to you. As you know, 31 U.S.C. § 
720 requires the head of a federal agency to submit a written 
statement of the actions taken on our recommendations to the Senate 
Committee on Homeland Security and Governmental Affairs and to the 
House Committee on Oversight and Government Reform not later than 60 
days from the date of the report and to the House and Senate 
Committees on Appropriations with the agency's first request for 
appropriations made more than 60 days after the date of this report. 
Because agency personnel serve as the primary source of information on 
the status of recommendations, we request that the agency also provide 
us with a copy of the agency's statement of action to serve as 
preliminary information on the status of open recommendations.

We are also sending copies of this report to the Secretary of the 
Treasury, the Treasury Inspector General for Tax Administration, and 
interested congressional parties.

If you have any questions regarding this report, please contact Nancy 
R. Kingsbury at (202) 512-2700 or Gregory C. Wilshusen at (202) 512-
6244. We can also be reached by e-mail at kingsburyn@gao.gov and 
wilshuseng@gao.gov. Key contributors to this report are listed in 
appendix III.

Sincerely yours, 

Signed by: 

Nancy R. Kingsbury: 
Managing Director, Applied Research and Methods: 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section] 

Appendix I: Objective, Scope, and Methodology: 

The objective of our review was to determine whether controls over key 
financial and tax processing systems were effective in protecting the 
confidentiality, integrity, and availability of financial and 
sensitive taxpayer information at the Internal Revenue Service (IRS). 
To do this, we examined IRS information security policies, plans, and 
procedures; tested controls over key financial applications; and 
interviewed key agency officials. This enabled us to (1) assess the 
effectiveness of corrective actions taken by IRS to address weaknesses 
we previously reported and (2) determine whether any additional 
weaknesses existed. This work was performed in connection with our 
audit of IRS's fiscal years 2013 and 2012 financial statements for the 
purpose of supporting our opinion on internal control over the 
preparation of those statements and may not be sufficient for other 
purposes.

To determine whether controls over key financial and tax processing 
systems were effective, we considered the results of our evaluation of 
IRS's actions to mitigate previously reported weaknesses, and 
performed new audit work at the three enterprise computing centers 
located in Detroit, Michigan; Martinsburg, West Virginia; and Memphis, 
Tennessee, as well as IRS facilities in New Carrollton, Maryland; 
Beckley, West Virginia; and Washington, D.C. We concentrated our 
evaluation on threats emanating from sources internal to IRS's 
computer networks. In consideration of systems that directly or 
indirectly support the processing of material transactions that are 
reflected in the agency's financial statements, we focused our 
technical work on the general support systems that directly or 
indirectly support key financial and taxpayer information systems.

Our evaluation was based on our Federal Information System Controls 
Audit Manual, which contains guidance for reviewing information system 
controls that affect the confidentiality, integrity, and availability 
of computerized information; National Institute of Standards and 
Technology guidance; and IRS policies, procedures, practices, and 
standards. We evaluated controls by: 

* testing the complexity, expiration, and policy for passwords on 
databases to determine if strong password management was being enforced;

* examining IRS's implementation of encryption to secure transmissions 
on its internal network;

* analyzing the audit logs recorded by the mainframe environment, 
which processes tax data and supports revenue and unpaid assessment 
financial reporting;

* reviewing physical security processes and procedures at each of the 
enterprise computing centers;

* evaluating the mainframe operating system controls that support the 
operation of applications and databases that support revenue accounting;

* evaluating the controls of mainframe configurations that shared disk 
storage with multiple mainframe processing environments;

* reviewing access configurations on key systems and database 
configurations;

* examining the status of patching for key databases and system 
components to ensure that patches are up to date;

* reviewing the process for IRS's risk assessment reviews to determine 
if risk assessment reviews were being performed at least annually; and: 

* examining documentation to determine the extent to which IRS was 
performing internal controls reviews of key financial systems.

Using the requirements in the Federal Information Security Management 
Act, which established elements for an agencywide information security 
program, we reviewed and evaluated IRS's implementation of its 
security program by: 

* reviewing risk assessments to determine whether the assessments were 
up to date, documented, and approved;

* reviewing IRS's policies, procedures, practices, and standards to 
determine whether its security management program had been documented, 
approved, and was up to date;

* reviewing IRS's system security plans for specified systems to 
determine the extent to which the plans had been reviewed, and 
included information as required by the National Institute of 
Standards and Technology;

* verifying whether employees with security-related responsibilities 
had received specialized training within the year;

* analyzing documentation to determine if the effectiveness of 
security controls had been periodically assessed;

* reviewing IRS's actions to correct weaknesses to determine if they 
had effectively mitigated or resolved the vulnerability or control 
deficiency;

* reviewing IRS's Computer Security Incident Response Center incident 
tickets to determine if security violations and activities had been 
reported and investigated, and validating that the agency was 
correctly categorizing incidents per federal guidance; and: 

* reviewing continuity-of-operations planning documentation for seven 
systems to determine if such plans had been appropriately documented 
and tested.

In addition, we discussed with management officials and key security 
representatives, such as those from IRS's Computer Security Incident 
Response Center and Information Technology Cybersecurity organization, 
as well as the three computing centers, whether information security 
controls were in place, adequately designed, and operating effectively.

We performed our audit from April 2013 to April 2014 in accordance 
with U.S. generally accepted government auditing standards. We believe 
our audit provides a reasonable basis for our opinions and other 
conclusions in this report. 

[End of section] 

Appendix II: Comments from the Internal Revenue Service: 

Department of The Treasury: 
Commissioner: 
Internal Revenue Service: 
Washington, D.C. 20224: 

April 1, 2014: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to comment on the draft report titled, 
Information Security: IRS Needs to Address Control Weaknesses That 
Place Financial and Taxpayer Data at Risk (GAO-14-405). 

We are pleased the Government Accountability Office (GAO) recognized 
the progress we have made in several areas: (1) addressing a large 
number of system control deficiencies previously reported, (2) 
implementing a new procurement system, and (3) upgrading our 
administrative accounting system software. The IRS is dedicated to
improving its financial management, internal controls, information 
technology security posture, and the overall effectiveness of 
information system controls. 

We will review all of GAO's reported recommendations to ensure that 
our actions include sustainable fixes that implement appropriate 
security controls. We will provide the detailed corrective action plan 
addressing each of the recommendations with our response to the final 
report. 

In closing, the security and privacy of all taxpayer information is of 
the utmost importance to us, and the integrity of our financial 
systems continues to be sound. We appreciate your continued support 
and guidance as we work to address the recommendations and look 
forward to working with you to develop appropriate measures. 

If you have any questions, please contact me or a member of your staff 
may contact Terence V. Milholland, Chief Technology Officer, at (202) 
317-5000. 

Sincerely, 

Signed by: 

John A. Koskinen: 

[End of section] 

Appendix III: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Nancy R. Kingsbury (202) 512-2700 or kingsburyn@gao.gov Gregory C. 
Wilshusen (202) 512-6244 or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the individuals named above, David Hayes and Jeffrey 
Knott (assistant directors), Mark Canter, Jennifer R. Franks, Nancy 
Glover, Mickie Gray, J. Andrew Long, Linda Kochersberger, Kevin 
Metcalfe, Eugene Stevens, Michael Stevens, and Daniel Swartz made key 
contributions to this report.

[End of section] 

Footnotes: 

[1] Information security controls include logical and physical access 
controls, configuration management, and continuity of operations. 
These controls are designed to ensure that access to data is 
appropriately restricted, physical access to sensitive computing 
resources and facilities is protected, only authorized changes to 
computer programs are made, and back-up and recovery plans are 
adequate and tested to ensure the continuity of essential operations.

[2] GAO, Financial Audit: IRS's Fiscal Years 2013 and 2012 Financial 
Statements, [hyperlink, http://www.gao.gov/products/GAO-14-169] 
(Washington, D.C.: Dec. 12, 2013).

[3] A significant deficiency is a deficiency, or a combination of 
deficiencies, in internal control that is less severe than a material 
weakness, yet important enough to merit the attention of those charged 
with governance. A material weakness is a deficiency, or combination 
of deficiencies, in internal control such that there is a reasonable 
possibility that a material misstatement of the entity's financial 
statements will not be prevented, or detected and corrected on a 
timely basis. A deficiency in internal control exists when the design 
or operation of a control does not allow management or employees, in 
the normal course of performing their assigned functions, to prevent, 
or detect and correct, misstatements on a timely basis.

[4] GAO, High-Risk Series: Information Management and Technology, 
[hyperlink, http://www.gao.gov/products/GAO/HR-97-9] (Washington, 
D.C.: February 1997) and High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-13-283] (Washington, D.C.: February 
2013).

[5] Pub. L. No. 97-255, 96 Stat. 814 (1982). The Federal Managers' 
Financial Integrity Act (FMFIA) was codified at 31 U.S.C. § 3512.

[6] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999).

[7] FISMA was enacted as title III, E-Government Act of 2002, Pub L. 
No. 107-347, 2002.

[8] TIGTA, Management and Performance Challenges Facing the Internal 
Revenue Service for Fiscal Year 2014 (Washington, D.C.: November 2013).

[9] Security event auditing is used to log authentication events.

[10] System privilege auditing logs the use of powerful system 
privileges that enable corresponding actions. Privilege auditing can 
be set to log a selected user or every user in the database.

[11] GAO, Information Security: IRS Needs to Enhance Internal Control 
over Financial Reporting and Taxpayer Data, [hyperlink, 
http://www.gao.gov/products/GAO-11-307SU] (Washington, D.C.: March 
2011).

[12] National Institute of Standards and Technology, Information 
Security Continuous Monitoring for Federal Information Systems and 
Organizations, Special Publication 800-137 (Gaithersburg, Md.: 
September 2011).

[13] We consider six additional recommendations to no longer be 
relevant due to the changing operating environment; however, we are 
making three new specific technical recommendations that address 
similar issues in the current environment. 

[14] GAO, Information Security: IRS Has Improved Controls but Needs to 
Resolve Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-13-
350] (Washington, D.C.: March 2013).

[15] [hyperlink, http://www.gao.gov/products/GAO-13-350].

[16] GAO, Information Security: IRS Needs to Continue to Address 
Significant Weaknesses, [hyperlink, 
http://www.gao.gov/products/GAO-10-355] (Washington, D.C.: March 2010).

[17] [hyperlink, http://www.gao.gov/products/GAO-13-350].

[18] [hyperlink, http://www.gao.gov/products/GAO-13-350].

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation, and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the 
performance and accountability of the federal government for the 
American people. GAO examines the use of public funds; evaluates 
federal programs and policies; and provides analyses, recommendations, 
and other assistance to help Congress make informed oversight, policy, 
and funding decisions. GAO's commitment to good government is 
reflected in its core values of accountability, integrity, and 
reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's website [hyperlink, http://www.gao.gov]. Each 
weekday afternoon, GAO posts on its website newly released reports, 
testimony, and correspondence. To have GAO e-mail you a list of newly 
posted products, go to [hyperlink, http://www.gao.gov] and select 
"E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO's actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black 
and white. Pricing and ordering information is posted on GAO's 
website, [hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or 
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card, 
MasterCard, Visa, check, or money order. Call for additional 
information. 

Connect with GAO: 

Connect with GAO on facebook, flickr, twitter, and YouTube.
Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts.
Visit GAO on the web at [hyperlink, http://www.gao.gov]. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 
Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; 
E-mail: fraudnet@gao.gov; 
Automated answering system: (800) 424-5454 or (202) 512-7470. 

Congressional Relations: 

Katherine Siggerud, Managing Director, siggerudk@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, DC 20548. 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, DC 20548. 

[End of document]