Improvements Are Needed to Ensure That External Interconnections Are Identified, Authorized, and Secured

The Chief Technology Officer should identify all external interconnections and ensure that they are documented appropriately and maintained in a centralized inventory.

The Chief Technology Officer should establish a repeatable process for conducting annual searches for external interconnections and for updating the centralized inventory accordingly.

The Chief Technology Officer should ensure that policies and procedures are developed and implemented for monitoring the IRS's entire inventory of external interconnections and ensuring that all appropriate ISAs and MOUs (or other approved agreements) are in place before interconnections are allowed to be established and activated.

The Chief Technology Officer should establish an escalation process to resolve ISA and MOU renewal issues at a higher level when the SAS office's contact efforts have been exhausted with no resolution. Consideration should be given to suspending the connection if system owners do not cooperate with the SAS office to resolve expired ISAs and MOUs

The Associate Chief Information Officer, Cybersecurity, should ensure that the SAS office monitors ISA-related MOUs in a similar manner as ISAs to ensure that ISA-related MOUs meet Internal Revenue Service (IRS) policies and are renewed timely.