By Jason Bramwell
Under FISMA, which was enacted to strengthen the security of information and systems within federal government agencies, the Offices of Inspectors General are required to perform an annual independent evaluation of each federal agency's information security programs and practices.
While generally compliant, three security program areas – incident response and reporting, security training, and remote access management – were not fully effective due to one program attribute that was missing or not working as intended, according to TIGTA.
The remaining six security program areas included all of the program attributes specified by the FISMA reporting metrics. Those security program areas included:
- Continuous monitoring management
- Risk management
- Plan of action and milestones
- Contingency planning
- Contractor systems
- Security capital planning
"The IRS collects and maintains a significant amount of personal and financial information on each taxpayer," the report stated. "As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss. Otherwise, taxpayers could be exposed to invasion of privacy and financial loss or damage from identity theft or other financial crimes."
TIGTA stated it does not include recommendations as part of its annual FISMA evaluation and reports only on the level of performance achieved by the IRS using the guidelines issued by the DHS for the applicable FISMA evaluation period.