
The IRS Needs to Improve Its Database Vulnerability Scanning and Patching Controls

Report Information

Date Issued:
Report Number: 2022-20-065
Report Type: Audit
Joint Report: No
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

The Chief Information Officer should ensure that the ISSOs have a formal process for recommending approval or disapproval of policy deviations to ensure that the operational security posture is consistent with current system security policy. This would include monitoring compliance with system security policy and providing guidance and recommendations to correct deficiencies.

Ensure that privileged vulnerability scans are performed on the cloud systems when possible.

Ensure that the IRS provides oversight to cloud service providers and obtains detailed scan results so the IRS can assess the database vulnerabilities.

The Chief Information Officer should ensure that IRS policy is followed and create POA&Ms for unresolved issues from database vulnerability scans.

The Chief Information Officer should ensure that databases are patched or upgraded to the latest version or appropriately document risk acceptance with a risk-based decision or Risk Acceptance Form and Tool.