The Remediation of Configuration Weaknesses and Vulnerabilities in the Registered User Portal Should Be Improved

Report Information

Date Issued:
Report Number: 2018-20-036
Report Type: Audit
Joint Report: Yes
Participating OIG: Treasury Inspector General for Tax Administration
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

The Chief Information Officer should establish a policy for the contractor that ***********2************** ***************************************2***********************. In addition, correct the POA&M remediation time frame in the IEP Continuous Monitoring Plan that references the ****2**** and ***2*** schedule in ******2******.

The Chief Information Officer should ensure that the Cybersecurity organization validates that the contractor corrected the **************2***************** weaknesses and that the servers are compliant with the configuration setting requirements during its next scheduled assessment.

The Chief Information Officer should ensure that when the contractor identifies potential system weaknesses or deficiencies from the *******2******* scans, the contractor complies with the POA&M process to document, manage, and eventually resolve the vulnerability. This process should also be used when the contractor meets the 90 percent SLO. For the **2** scan deficiencies, ensure that the contractor is more compliant with the ****2**** schedule outlined in ******2*****.

The Chief Information Officer should ensure that the contractor creates and maintains documentation of its *************2**************** vulnerabilities in which the contractor provided us an incorrect ***2***. In addition, ensure that, before the **************2***************** ***************************************2************************************** ***************************************2************************************** ********************2*******************.

The Chief Information Officer should ensure that a risk-based decision is prepared for IRS approval for the ********2********* (because its severity rating is critical) as well as for *******2********* ***************************************2**************************. For the ********2*********, ensure that the contractor’s technical team remediates the vulnerabilities as suggested by the industry leader (**********2************************************).