By Jason Bramwell
In a report released publicly on November 14, the Treasury Inspector General for Tax Administration (TIGTA) emphasized that the IRS should take further steps to improve security at some of its facilities.
From October 2010 to September 2011, there were more than 1,400 reported threat incidents directed toward IRS employees and physical infrastructure, according to the TIGTA report, The Physical Security Risk Assessment Program Needs Improvement.
The IRS Agency-Wide Shared Services Physical Security and Emergency Preparedness (PSEP) office is responsible for the protection of employees, visitors, and property at IRS facilities as well as the security of IRS infrastructure and classified information.
To fulfill one of its primary responsibilities, the PSEP office implemented a risk assessment program based on the Department of Homeland Security Interagency Security Committee Standards and Best Practices, according to TIGTA. Risk assessments evaluate both internal and external security risks and are conducted on a pre-established schedule depending on the assigned facility security level of the facility.
TIGTA's overall objective of its review was to determine whether comprehensive physical security risk assessments were conducted in a timely manner, as required at all IRS facilities.
While the IRS conducted 630 risk assessments at nearly all of its facilities and met its requirement to provide a report summarizing the findings to the IRS commissioner in January 2011, TIGTA found that risk assessments were not completed at fourteen IRS facilities occupied by IRS employees.
In addition, the PSEP office did not complete risk assessments at forty-nine other facilities – including child care centers, parking lots and garages, and storage units – that were not specifically occupied by IRS employees but were located in or adjacent to the buildings. The IRS stated that security at those buildings were the responsibility of the Federal Protective Service but did not provide evidence that the facilities received a risk assessment.
"While PSEP office management did not explain why risk assessments were not performed at the fourteen facilities we identified, the PSEP office's method of tracking its inventory of facilities may have contributed to the omission", TIGTA stated in the report. "The PSEP office compiles its inventory list by maintaining an Excel spreadsheet based on real estate data contained in the IRS' Graphic Database Interface (GDI). Because the Excel spreadsheet is a standalone document and not linked to the GDI, any changes in a facility's status must be noted by the PSEP office employee and transferred to the spreadsheet manually. Therefore, if the PSEP office employee does not reconcile the changes between the GDI and the Excel spreadsheet, there may be errors and omissions in the inventory list maintained by the PSEP office."
Completed risk assessments prepared by the IRS identified numerous additional security countermeasure needs at IRS facilities. However, TIGTA found that some countermeasures were not implemented due to resource constraints, the IRS cited. For example, the IRS did not implement blast mitigation countermeasures at approximately 191 facilities and has not added additional guards or other countermeasures at certain taxpayer assistance centers.
During site visits to IRS facilities, TIGTA also found that risk assessments did not identify additional vulnerabilities. For example, a child care center allows direct access to one IRS facility without the required security screening. At another facility, a local IRS manager chose not to implement countermeasure improvements paid for and provided to the facility.
"Without access to prior risk assessment documentation, the program lacks transparency, and the PSEP office cannot provide assurance that the required risk assessments are performed timely or that security vulnerabilities raised in the past have been mitigated or resolved", TIGTA stated in the report.
TIGTA made seven recommendations to the IRS to address identified weaknesses. For example, TIGTA recommended the IRS include the development of a process to ensure that inventory records contain all relevant information, including the dates when risk assessments should be performed. TIGTA also recommended the IRS implement appropriate security protocols at the facility with the child care center to screen all visitors entering the grounds and the building according to requirements.
IRS management agreed with the recommendations and plans to implement corrective actions to address them. For example, the IRS is making sure that inventory records include all relevant information and is developing a process that requires all countermeasures are put in place and functioning at all taxpayer assistance centers.
David Grant, chief of the IRS Agency-Wide Shared Services, wrote in response to the report",Ensuring the security of IRS employees, facilities, and taxpayers is of the utmost importance to us."