The IRS’s Enterprise Case Management (ECM) System failed to meet all established cloud security requirements identified in reviews stretching back to 2021, according to a recent report from the Treasury Department’s Inspector General (IG).
The ECM system is a hybrid cloud system aimed at modernizing and consolidating the IRS’s legacy case management system. It processes and stores sensitive information within the IRS, providing restricted access to IRS employees via the Internet.
However, control weaknesses within the ECM system “can pose a substantial risk to taxpayer records currently residing in the system. The potential harm includes breach, unauthorized access, and disclosure of taxpayer information,” the report says.
Specifically, the IRS did not meet agency guidelines for the timely creation and documentation of Plans of Action and Milestones (POA&M) to address nine security risks identified in a February 2021 Cloud Security Assessment Report. While the IRS created nine POA&Ms, only three were prepared in a timely manner and only two met documentation requirements.
In addition, the IRS did not have the necessary malicious code protections for ECM system servers. According to the IG, the agency failed to address this issue for more than a year because it was not using the proper security policy.
The report also found that the IRS did not promptly remediate 24 high-risk and two medium-risk vulnerabilities in the system. The IG also found that ECM system user account controls are ineffective: although the agency took corrective actions, privileged user accounts are still not being properly monitored.
However, the report does note that the IRS took steps to address the unresolved POA&Ms while the IG conducted its audit. During the audit, the IRS also started a pilot program to test a malicious code protection application for the servers.
The IG made four recommendations to the IRS chief information officer:
- Make sure the Internal Revenue Manuals are consistent with the malicious code protection requirements for Linux servers set by the National Institute of Standards and Technology.
- Finish developing and testing an automated malicious code protection application and implement the application on all Linux servers.
- Have all ECM servers in the cloud meet requirements for malicious code protection.
- Check that privileged user activity logs are monitored, and inactive privileged accounts are deactivated.