Some Corrective Actions to Address Reported Information Technology Weaknesses Were Not Fully and Effectively Implemented and Documented

For the prematurely closed PCAs identified during this review, the Chief Information Officer (CIO) should Implement mitigating controls for the **********2********** that are ********2********..

For the prematurely closed PCAs identified during this review, the Chief Information Officer (CIO) should ensure that patches are applied to file transfer servers, including those located in the Demilitarized Zone, within established time frames.

For the prematurely closed PCAs identified during this review, the Chief Information Officer (CIO) should verify through testing that the IRS IT organization is able to recover mission-essential functions identified by the Cybersecurity function within the maximum tolerable downtimes or recovery time objectives.

The Chief Risk Officer should ensure that any appropriate documentation subsequently provided during this review is uploaded to the JAMES for the judgmentally sampled PCAs that lacked sufficient documentation to support their closure.