Summary of Findings
The IRS is a massive and complex organization, collecting $5.1 trillion in federal tax payments and processing 267 million tax returns and forms in FY 2024. Its reliance on computerized systems is absolute, making IT security and modernization paramount. Despite efforts to modernize and secure its systems, the IRS faces mounting challenges due to funding cuts, workforce reductions, and persistent weaknesses in cybersecurity, access controls, and IT asset management.
Audits revealed that while the IRS is making strides in areas like identity proofing for its Direct File pilot and blocking suspicious email websites, it falls short in critical cybersecurity functions, proper management of user access, timely vulnerability remediation, and oversight of cloud services. Insider threats, incomplete audit trails, and inadequate separation of duties further exacerbate the risks.
Some Disturbing Revelations
- The IRS’s cybersecurity program was rated “not fully effective,” failing in three of five core cybersecurity functions (Identify, Protect, Detect), including shortcomings in system inventories, vulnerability remediation, encryption, and multifactor authentication.
- 279 former IRS users retained access to sensitive systems for up to 502 days after separation, exposing taxpayer data to unauthorized access and potential misuse.
- The IRS failed to remediate tens of thousands of critical and high-risk vulnerabilities within required timeframes, including 2,048 critical and 13,558 high-risk vulnerabilities in a single security application environment.
- Personally Identifiable Information (PII) for over 613,000 IRS user authentications was sent to unauthorized locations outside the U.S. due to a vendor’s flaw in the Login.gov system, placing sensitive data at risk.
- The IRS was unable to locate all cloud services contracts or determine their value for nearly half of its cloud applications, undermining financial oversight and increasing the risk of waste or duplication.
- 35% of IRS systems required to send audit trails for detecting unauthorized access to PII and Federal Tax Information failed to do so, severely limiting the ability to investigate or detect data breaches.
- The IRS did not fully comply with federal mandates to block TikTok on government devices, leaving more than 2,800 mobile devices and 900 computers potentially exposed to foreign surveillance risks.
- Inadequate separation of duties was found in 70% of reviewed cloud systems, with the same individuals controlling multiple key roles, heightening the risk of fraud or error going undetected.
- The IRS’s data loss prevention controls could be circumvented, allowing users to intentionally exfiltrate sensitive taxpayer data despite existing monitoring tools.
- Despite identifying 334 legacy systems needing updates or retirement, only 2 had specific decommissioning plans, leaving the IRS reliant on outdated, potentially insecure systems.
The findings underscore the need for the IRS to address IT security and management deficiencies. Without corrective action, the agency remains vulnerable to internal and external threats, risking taxpayer privacy, financial integrity, and the effective administration of the nation’s tax system.
Read the full report at this link: https://www.tigta.gov/sites/default/files/reports/2025-06/20252S0007fr.pdf