
Improvements Are Needed to Ensure the Protection of Data Transfers to External Partners

Report Information

Date Issued:
Report Number: 2017-20-004
Report Type: Audit
Joint Report: Yes
Participating OIG: Treasury Inspector General for Tax Administration
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

The Chief Information Officer should enforce IRS policy to encrypt all data transmissions from end to end using Federally compliant encryption and prohibit nonsecure protocols. In instances when external partners cannot use Federally compliant encryption, ensure that risk-based decisions have been properly approved and data transmissions and transfer protocols have been properly authorized in an Interconnection Security Agreement (ISA).

The Chief Information Officer should continue to work on reviewing the firewall rulesets to remove those that are no longer needed and ensure that only transmissions approved in a current ISA are allowed through the firewalls.

The Chief Information Officer should ensure that configuration settings are configured in accordance with Internal Revenue Manual (IRM) requirements and outdated operating systems are replaced.

The Chief Information Officer should ensure that patches are applied to file transfer components, including those located in the DMZ, within established time frames.

The Chief Information Officer should centralize and consolidate the IRS's external transfer environment to the extent possible using a managed file transfer solution that supports end-to-end Federally compliant encryption to maximize security and efficiency.
Recommendation rejected by IRS