Security of Taxpayer Information: IRS Needs to Address Critical Safeguard Weaknesses
Your tax returns are filled with sensitive personal and financial data—which you expect the IRS to protect. However, recent disclosures of sensitive taxpayer data have made headlines.
We, and the Treasury Inspector General for Tax Administration, have also raised concerns about IRS's ability to safeguard taxpayer information.
In this review, we found weaknesses in training, information systems, contractor oversight, information-sharing, and more. Of the related recommendations we've made since 2010, 77 haven't been implemented as of March 2023. We're also making 16 new recommendations, including one for Congress to consider.
What GAO Found
The Internal Revenue Service (IRS) has implemented access controls and other safeguards to help mitigate risks to taxpayer information. However, continuing weaknesses pose a risk. Among its safeguards, in July 2022, IRS began requiring certain employees to seek senior executive approvals to gain access to taxpayer information. IRS employees also met the agency-wide 97 percent completion goal for training on protecting taxpayer information. However, IRS did not have a training goal for contractors, who had training completion rates well below employee completion rates—less than 75 percent. For example, 66 percent of the approximately 14,000 contractors assigned the Insider Threat Awareness training completed the course. As a result, IRS contractors are at increased risk of being unprepared to handle taxpayer information.
IRS Contractor and Employee Training Completion Rate, Fiscal Year 2021
In certain circumstances, IRS faces challenges ensuring taxpayer information it shares—as authorized by law—is properly protected. Federal tax law gives IRS the authority to inspect safeguards for agencies that receive taxpayer information from IRS in certain circumstances. However, in other cases where IRS shares taxpayer information pursuant to different statutory authority, it does not have direct authority to inspect agency safeguards. For these cases, Congress could provide IRS with direct authority to inspect agencies' safeguards, which would give IRS additional assurance that information will be protected sufficiently.
IRS policy requires the agency to maintain an inventory of its systems that store taxpayer information and to mitigate weaknesses in systems that lead to a higher risk of unauthorized disclosure of federal tax information or UNAX—the willful unauthorized access, attempted access, or inspection of federal tax information. However, as of December 2022, IRS omitted seven tax processing systems from its inventory. This limits its monitoring of UNAX prevention efforts.
GAO found that multiple IRS offices oversee contractors, but IRS has no overall oversight effort covering IRS contractor UNAX. As a result, IRS has limited insight into contractor UNAX trends and assumes greater risk of missing opportunities to improve the agency's prevention efforts.
Weaknesses in IRS's information security controls present risks to taxpayer information. For example, IRS did not assess the risks of its method for transferring taxpayer information to contractors. Until IRS remediates these weaknesses, it will have limited assurance that taxpayer information is protected appropriately.
GAO and the Treasury Inspector General for Tax Administration (TIGTA) have previously reported on deficiencies in IRS's safeguards over taxpayer information. They have both made recommendations aimed at improving these safeguards. Since fiscal year 2010, GAO has made 451 recommendations to strengthen IRS safeguards for taxpayer information in areas such as governance for protecting taxpayer information; authentication and access to tax processing systems; and IRS monitoring of programs that process taxpayer information.
GAO's recommendations cover the five National Institute of Standards and Technology (NIST) cybersecurity core functions that provide a strategic view of life cycle management of cybersecurity risk. A majority of the recommendations cover the protect core function (74 percent)—actions related to developing and implementing appropriate safeguards. The remaining recommendations are in the other core functions—identify, detect, recover, and respond.
IRS had implemented 83 percent of GAO recommendations as of March 2023.
Status of GAO Recommendations Related to Protecting Taxpayer Information and NIST Cybersecurity Core Function, Fiscal Years 2010–March 2023
Since fiscal year 2019, TIGTA has made 246 recommendations to IRS related to protecting taxpayer information. As of April 2023, according to IRS, it has taken steps to address 202 of them—including implementing controls to manage IT supply chain risks—reducing the risk of disruptions to IRS's operations.
While IRS has taken substantial action to implement GAO recommendations, it did not always do so in a timely manner. For example, five recommendations have been open for more than 7 years. Additionally, IRS has yet to implement two recommendations GAO identified as high priority—updating a system modernization plan to more fully assess risk and developing a guidance structure to better protect taxpayer information while it is held by third-party providers. Addressing the remaining GAO recommendations could help IRS better manage system security risks, implement safeguards to ensure protected service delivery, and identify cybersecurity events and incidents.
Why GAO Did This Study
The U.S. tax system is based largely on voluntary compliance. One factor that may influence taxpayers' willingness to voluntarily comply is the confidence that IRS is protecting their personal and financial information.
GAO was asked to review IRS's safeguards for taxpayer information. This report evaluates the extent to which IRS is following its tax safeguards for protecting taxpayer information.
To address this objective, GAO analyzed mandatory training and UNAX data for IRS employees and contractors, reviewed IRS and TIGTA documentation, and interviewed IRS and TIGTA officials at selected offices. In addition, GAO reviewed federal law authorizing other federal agencies to receive taxpayer information.
GAO also identified and tested selected management, operational, and technical controls on selected IRS systems that store or process taxpayer information, and observed controls in operation. In addition, GAO has ongoing work assessing IRS's efforts to protect the confidentiality of taxpayer information, including its implementation of technical controls and breach response processes. GAO will publish this work in a subsequent report with limited distribution.
Further, GAO reviewed previously issued reports and recommendations, including those issued by TIGTA. GAO categorized them according to the five core security functions described in the NIST cybersecurity framework.
Recommendations
Since fiscal year 2010, GAO has made 451 recommendations to IRS aimed at safeguarding taxpayer information. While IRS has implemented many of these recommendations, 77 of them had not been implemented as of March 2023. These include two recommendations that GAO considers high priority. Fully implementing these recommendations could significantly improve IRS's ability to safeguard taxpayer information.
In addition to the remaining recommendations above, GAO is making one matter for congressional consideration. This matter would provide IRS with additional authority to inspect agencies' data safeguards in those instances where IRS shares taxpayer information but does not have direct authority to inspect agency safeguards.
GAO is making 15 additional recommendations. These include IRS
- establishing agency-wide training completion goals for contractors;
- maintaining a comprehensive inventory of systems that store or process taxpayer information;
- monitoring contractor UNAX and unauthorized disclosure cases and trends; and
- assessing risks of its method to transfer taxpayers' data electronically to contractors.
Matter for Congressional Consideration
| Matter | Status | Comments |
|---|---|---|
| Congress should consider providing IRS with direct statutory authority to inspect receiving agencies' safeguards for taxpayer information shared under subsection 6103(c) of the Internal Revenue Code. (Matter for Consideration 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. | |
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Internal Revenue Service | The Commissioner for Internal Revenue should officially assign the Human Capital Office responsibility for monitoring contractor training completion rates for courses related to protecting taxpayer information and ensure this role and responsibility is documented. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Human Capital Office establish and document an agency-wide training completion goal for annual mandatory contractor training related to protecting taxpayer information. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Human Capital Office monitor contractor training completion rates for courses related to protecting taxpayer information and take actions to ensure contractors complete training, such as sharing completion rates with contracting officer representatives (COR) and other appropriate offices. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Enterprise Contract Oversight Center and other appropriate offices develop guidance for CORs on the process of documenting and reporting UNAX and unauthorized disclosure incidents, including processes for cases that are substantiated. (Recommendation 4) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Enterprise Contract Oversight Center and other appropriate offices develop training for CORs on the process of documenting and reporting UNAX and unauthorized disclosure incidents, including processes for cases that are substantiated. (Recommendation 5) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the IT office, in collaboration with the Privacy, Governmental Liaison and Disclosure (PGLD) office, ensure that information is complete and accurate in the authoritative databases and other data sources that identify IRS systems that process or store taxpayer information. (Recommendation 6) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the IT Cybersecurity office, in collaboration with PGLD, maintain a comprehensive inventory of IRS systems that process or store taxpayer information. (Recommendation 7) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that PGLD includes the number of IRS employees authorized to access taxpayer information in its UNAX case monitoring efforts. (Recommendation 8) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner of Internal Revenue should direct the appropriate offices to ensure contractor data on UNAX and unauthorized disclosure cases are reliable and can be used to monitor case amounts and trends. (Recommendation 9) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that PGLD monitor contractor UNAX and unauthorized disclosure cases and trends and take action, as appropriate. (Recommendation 10) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the IT Cybersecurity office ensure that the Large Business and International Division (LB&I) Pass-Through Entities office completes the inventory classification process for the system used for tracking affluent taxpayers' risk of tax noncompliance. (Recommendation 11) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the LB&I Pass-Through Entities office develop key security assessment and authorization documentation, to include a system security plan and authorization to operate for the system used for tracking affluent taxpayers' risk of tax noncompliance, as appropriate. (Recommendation 12) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Office of Research, Applied Analytics, and Statistics (RAAS) Data Management Division implement processes to determine when to delete taxpayer information residing in the Compliance Data Warehouse, if required, according to the approved Records Control Schedule. (Recommendation 13) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the RAAS Data Management Division implement processes to determine when to delete or archive taxpayer information residing in the Link Analysis Tool, if required, according to the approved Records Control Schedule. (Recommendation 14) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Internal Revenue Service | The Commissioner for Internal Revenue should ensure that the Small Business/Self-Employment Division Collection office assess the risks of its method to transfer taxpayers' data electronically to private collection agencies, and take action, as appropriate. (Recommendation 15) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |