
Actions Have Been Taken to Improve Security Controls for the Planned Expanded Use of Login.gov; However, Additional Security Improvements Are Needed

Report Information

Date Issued:
Report Number: 2024-200-032
Report Type: Audit
Joint Report: Yes
Participating OIG: Treasury Inspector General for Tax Administration
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Develop and periodically update consolidated guidance that comprises all audit trail data elements, including the investigative elements provided by the TIGTA Office of Investigations, that credential service providers (CSPs) must capture and provide for IRS Identity Assurance Level 2 (IAL2) applications.

Ensure that a process is in place to validate that all audit trail data elements, including the investigative elements provided by the TIGTA Office of Investigations, are being captured by Login.gov and can be provided by it, before its identity proofing services are used for IRS IAL2 applications.

The Chief Information Officer should ensure that Digital Identity Risk Assessment (DIRA) guidance is updated to include a quality review process that helps ensure Digital Identity Acceptance Statements (DIASs) are accurate prior to issuance.

Ensure that current continuous monitoring security review guidelines are followed by performing timely reviews of Login.gov artifacts, documenting the results in a monthly Continuous Monitoring Report, and submitting that report to the Authorizing Official for review in a timely manner, as required.

The Chief Information Officer should ensure that appropriate IRS management works with Login.gov management to assess the extent and impact of the critical vulnerability on users who authenticated through Login.gov to access IRS applications and whose Personally Identifiable Information may have been sent to unauthorized locations outside the United States.