Cybersecurity measures are falling short at the Internal Revenue Service, according to a recent Treasury Department audit.
The Inspector General for Tax Administration found that the IRS’ host-based intrusion detection systems were not monitoring nearly 34 percent of the agency’s servers.
The report, published March 12, indicated that the 766 servers comprising the IRS’ criminal investigation unit are not being monitored by intrusion detection systems.
The agency’s cyber systems monitor 43 percent of the IRS’ research, analysis and statistics unit servers, according to the report.
TIGTA auditors recommended for the agency to improve its cybersecurity data warehouse to ensure it is capable of correlating and reconciling the network’s active servers with the monitored servers.
IRS Chief Technology Officer Terence Milholland told auditors in a written response that the IRS agreed with the audit.
He added that the IRS would identify impacted organizations and launch a response by Dec. 31.
The chief information officer would identify additional tools and related applications the agency would need to provide information technology asset information, according to Milholland.
Milholland wrote that the cyber data warehouse is not a repository of IT information, which will lead to a variant-ridden timeline for the IRS CIO’s findings.
Auditors wrote that the IRS’ proposed plan to mitigate security shortfalls did not match report recommendations, specifically regarding the implementation of an automated internal control to identify servers connected to the network without protection.
The IRS later agreed to implement controls but indicated it was not comfortable defining a timeline to roll out the changes.
The agency said implementation dates would depend on another modernization and IT services team.
Auditors additionally found the agency is not reporting all security incidents to the Treasury Department.
The IRS agreed with additional claims that it lacked incident response policies.
IRS has since suggested corrective actions which auditors found insufficient.