Feds Need to Protect Taxpayer Information Better
The WasteWatcher
Consumers are becoming increasingly aware of the risk online activities pose to privacy and data security following the Equifax data breach and Cambridge Analytica’s use of social media sites to collect information about potential voters. It is understandable that consumers are concerned about how private companies protect their information; what should be of greater concern is whether the federal government is performing due diligence in protecting the sensitive personal information the government itself maintains on taxpayers.
In 2015, a comprehensive review of the federal government’s cybersecurity policies, procedures, and practices was conducted, resulting in OMB Memo M-16-04, the Cybersecurity Strategy and Implementation Plan (CSIP). Under CSIP, federal agencies are required to 1) prioritize identification and protection of high value information and assets (HVA); 2) timely detect and rapidly respond to cyber incidents; 3) rapidly recover from incidents when they occur and accelerate adoption of lessons learned from the assessment that formulated the CSIP recommendations; 4) recruit and retain the most highly qualified cybersecurity workforce talent the federal government can bring to bear; and 5) efficiently and effectively acquire and deploy existing and emerging technology.
On May 18, 2018, the Treasury Inspector General for Tax Administration (TIGTA) released an audit that reviewed the Internal Revenue Service’s (IRS) information technology (IT) systems and the protection of HVAs within that agency. In this audit, TIGTA determined that two of the 47 systems identified as HVAs needed to be reported to the Department of Homeland Security due to the agency’s failure to fully execute the CSIP requirements. TIGTA further noted that the IRS has failed to identify and document all its current system hardware components and to mitigate critical and high-risk vulnerabilities within one of the HVAs effectively and in a timely manner.
As demonstrated by the two 2015 Office of Personnel Management data breaches, HVAs are the most likely targets of hackers and require the highest level of cybersecurity protection. The federal government, particularly the IRS, maintains exceptionally sensitive information relating to taxpayers within its data systems, such as Social Security numbers, dates of birth, annual income, property values, investments, and business operations.
Protecting this information with the highest level of cybersecurity is crucial. The IRS must modernize and increase security on its IT systems to shield taxpayers from current and future cybersecurity threats.