Security Over High Value Assets Should Be Strengthened

The Chief Information Officer should implement the OMB CSIP actions to identify and document current system hardware components for all IRS HVAs.

The Chief Information Officer should develop an effective process to update the IDRS and the IMF system security plans, including any system changes outside of the security control assessment cycle.

The Chief Information Officer should direct the Enterprise Operations organization to develop an approach and implementation timeline for how to automate the process that identifies privileged users and their approved privileged access authorizations to enhance the IRS's ability to validate system access to HVAs and minimize access inventory.

The Chief Information Officer should direct the IRS Enterprise Operations organization to ensure that patching of security vulnerabilities is completed within the required 30-calendar-day time frame.