The Internal Revenue Service has been expanding its telework programs during the pandemic while also trying to fend off cyberattacks.
A recent report from the Treasury Inspector General for Tax Administration, in response to a request from the House Oversight and Reform Committee, examined cybersecurity related to IRS telework, which the agency has expanded during the COVID-19 pandemic. The report found that in March 2020, approximately 26,000 IRS employees were teleworking, but as of September 2020, nearly 60,700 employees were teleworking. Remote access to IRS systems is allowed through a virtual private network, or VPN, and IRS policy requires two-factor authentication to safeguard security. The IRS has received and allocated $37 million for equipment and licenses for teleworking employees. The IRS is already using or plans to start using several collaboration platforms, including Zoom for Government and Cisco WebEx, to connect its internal and external stakeholders.
“Utilizing these applications minimized the impact of the COVID-19 pandemic but also increased the potential for data breaches and unauthorized disclosure,” said the report.
TIGTA noted that the U.S. has recently been the target of several high-profile cyberattacks, and as cybersecurity threats against the federal government and other entities continue to grow, protecting the confidentiality of taxpayer information continues to be a top concern for the IRS.
For meetings supported by Zoom for Government and Cisco WebEx, participants could attend only after they received a direct invitation from the IRS host. File sharing was disabled on both platforms.
The IRS is also working to complete its testing of Microsoft Teams and is starting the implementation with a small group of pilot users in the production environment.
The IRS has some guidance in place with the goal of preventing the unauthorized dissemination of personally identifiable information and sensitive but unclassified information. In September 2020, the IRS put in place a scalable IT asset management program, which improved the accuracy of compliance and other internal inventory reporting needs. This asset management program matured its capabilities to provide visibility into asset data by integrating additional configuration and asset inventory data of laptop computers, virtual workstations, and Personal Digital Assistants. The IRS waived the requirement for employees to have an approved telework agreement and it encouraged, but didn’t require, new teleworkers to go through a telework training program. The telework policies will be waived through March 23, 2022, but the IRS plans to reassess them periodically and may lift the waiver earlier.
The IRS has continuous monitoring and network scanning technology in place to help it identify security vulnerabilities, and those processes weren’t affected by the transition to telework. The IRS does vulnerability scanning six days a week, and the scan results are brought into an analytics and reporting tool, giving the agency continuous visibility into vulnerability data. The IRS also has various network management programs in place, including configuration compliance scanning, audit log management, incident monitoring, and malicious code detection.