WASHINGTON - The Treasury Inspector General for Tax Administration (TIGTA) performed its annual evaluation of the information security programs and practices of the Internal Revenue Service (IRS), as required by the Federal Information Security Modernization Act (FISMA). This report presents the results of TIGTA's evaluation for Fiscal Year 2015.
TIGTA found that the IRS's Information Security Program generally complied with the FISMA requirements. Three program areas met all FISMA performance attributes as specified by the Department of Homeland Security: Risk Management, Incident Response and Reporting, and Contingency Planning.
Four other security program areas met all attributes, with the exception of two or fewer program attributes that were not met: Security Training, Plan of Action and Milestones, Remote Access Management, and Contractor Systems.
However, three security program areas failed to meet FISMA requirements overall due to not meeting many of the performance attributes specified by the Department of Homeland Security: Continuous Monitoring Management, Configuration Management, and Identity and Access Management.
Until the IRS takes steps to improve its security program deficiencies and fully implement all security program areas in compliance with FISMA requirements, taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure.
"The IRS collects and maintains a significant amount of personal and financial information about taxpayers," said J. Russell George, Treasury Inspector General for Tax Administration. "As custodians of this sensitive information, the IRS has an obligation to protect it against unauthorized access or loss," he added.
TIGTA does not include recommendations as part of its annual FISMA evaluation and reports on only the level of performance achieved by the IRS using the guidelines issued by the Department of Homeland Security for the applicable FISMA evaluation period.