While the Internal Revenue Service (IRS) has made strides in safeguarding taxpayer data, the Government Accountability Office (GAO) said in a new report that thousands of IRS contractors are not undergoing the same insider threat awareness training that agency staff engages in, and that this training deficit means that contractors are “at increased risk of being unprepared to handle taxpayer information.”
GAO’s Sept. 11 report says that the IRS “has implemented access controls and other safeguards to help mitigate risks to taxpayer information. However, continuing weaknesses pose a risk.”
The report zeroes in on the low number of IRS contractors who have completed essential training, including insider threat awareness training and training on willful unauthorized access, attempted access, or inspection of federal tax information (UNAX).
“IRS employees … met the agency-wide 97 percent completion goal for training on protecting taxpayer information,” GAO reported. “However, IRS did not have a training goal for contractors, who had training completion rates well below employee completion rates—less than 75 percent,” the watchdog agency said.
The report also says that the “IRS did not assess the risks of its method for transferring taxpayer information to contractors. Until IRS remediates these weaknesses, it will have limited assurance that taxpayer information is protected appropriately.”
GAO made 15 recommendations to the IRS, which cover “the five National Institute of Standards and Technology (NIST) cybersecurity core functions that provide a strategic view of life cycle management of cybersecurity risk.” Those include:
- Establishing agency-wide training completion goals for contractors;
- Maintaining a comprehensive inventory of systems that store or process taxpayer information;
- Monitoring contractor UNAX and unauthorized disclosure cases and trends; and
- Assessing risks of its method to transfer taxpayers’ data electronically to contractors.
The IRS agreed with 14 of the 15 recommendations. The agency disagreed with a recommendation to delete taxpayer information residing in a compliance data warehouse.
“Addressing the remaining GAO recommendations could help IRS better manage system security risks, implement safeguards to ensure protected service delivery, and identify cybersecurity events and incidents,” GAO said.