Friday, June 27, 2025

Cybersecurity: Disturbing Revelations - Annual Assessment of the IRS’s Information Technology Program

The Treasury Inspector General for Tax Administration (TIGTA) released its annual assessment of the IRS’s Information Technology (IT) Program for 2024. This review, based on audit reports from TIGTA and the Government Accountability Office (GAO), paints a mixed picture: while progress has been made in some areas, significant vulnerabilities and management failures persist. These issues threaten the security of taxpayer data, the effectiveness of IRS operations, and public trust in the agency.

Summary of Findings

The IRS is a massive and complex organization, collecting $5.1 trillion in federal tax payments and processing 267 million tax returns and forms in FY 2024. Its reliance on computerized systems is absolute, making IT security and modernization paramount. Despite efforts to modernize and secure its systems, the IRS faces mounting challenges due to funding cuts, workforce reductions, and persistent weaknesses in cybersecurity, access controls, and IT asset management.

Audits revealed that while the IRS is making strides in areas like identity proofing for its Direct File pilot and blocking suspicious email websites, it falls short in critical cybersecurity functions, proper management of user access, timely vulnerability remediation, and oversight of cloud services. Insider threats, incomplete audit trails, and inadequate separation of duties further exacerbate the risks.

Some Disturbing Revelations

  • The IRS’s cybersecurity program was rated “not fully effective,” failing in three of five core cybersecurity functions (Identify, Protect, Detect), including shortcomings in system inventories, vulnerability remediation, encryption, and multifactor authentication.
  • 279 former IRS users retained access to sensitive systems for up to 502 days after separation, exposing taxpayer data to unauthorized access and potential misuse.
  • The IRS failed to timely remediate tens of thousands of critical and high-risk vulnerabilities, including 2,048 critical and 13,558 high-risk vulnerabilities in a single security application environment.
  • Personally Identifiable Information (PII) for over 613,000 IRS user authentications was sent to unauthorized locations outside the U.S. due to a vendor’s flaw in the Login.gov system, placing sensitive data at risk.
  • The IRS was unable to locate all cloud services contracts or determine their value for nearly half of its cloud applications, undermining financial oversight and increasing the risk of waste or duplication.
  • 35% of IRS systems required to send audit trails for detecting unauthorized access to PII and Federal Tax Information failed to do so, severely limiting the ability to investigate or detect data breaches.
  • The IRS did not fully comply with federal mandates to block TikTok on government devices, leaving more than 2,800 mobile devices and 900 computers potentially exposed to foreign surveillance risks.
  • Inadequate separation of duties was found in 70% of reviewed cloud systems, with the same individuals controlling multiple key roles, heightening the risk of fraud or error going undetected.
  • The IRS’s data loss prevention controls could be circumvented, allowing users to intentionally exfiltrate sensitive taxpayer data despite existing monitoring tools.
  • Despite identifying 334 legacy systems needing updates or retirement, only 2 had specific decommissioning plans, leaving the IRS reliant on outdated, potentially insecure systems.

The findings underscore the need for the IRS to address IT security and management deficiencies. Without corrective action, the agency remains vulnerable to internal and external threats, risking taxpayer privacy, financial integrity, and the effective administration of the nation’s tax system.

Read the full report at this link: https://www.tigta.gov/sites/default/files/reports/2025-06/20252S0007fr.pdf

