Advertisement

Tax watchdog says IRS has work to do on Login.gov security controls

A Treasury Inspector General for Tax Administration offered six recommendations to the tax agency to improve its security protocols around its use of the single sign-on service.
The Internal Revenue Service building is seen late in the evening on May 18, 2024 in Washington, D.C. (Photo by J. David Ake/Getty Images)

The IRS is making progress in moving its use of Login.gov toward compliance with federal standards, but the tax agency has more security improvements to implement around its expanded use of the single sign-on service, a new watchdog report found.

In findings released this week, the Treasury Inspector General for Tax Administration applauded the cybersecurity function within the tax agency’s Information Technology unit for completing an initial analysis of Login.gov’s FedRAMP security in a “timely” fashion. TIGTA also gave the IRS kudos for its transparency in how it uses the sign-on tool, posting a Privacy and Civil Liberties Impact Assessment for the Secure Access Digital Identity system to its website.

Where the IRS is falling short, the watchdog said, is in its requirements for how credential service providers (CSPs) capture and provide “sufficient audit log content.” 

“The IRS does not have consolidated guidance requiring CSPs that leverage the Secure Access Digital Identity system to capture all audit trail, including investigative, data elements,” TIGTA said in its report. “TIGTA’s Office of Investigations review of IRS CSP baseline requirements determined that they omit critical investigative audit trail data elements listed in its Audit Trail Needs document.”

Advertisement

The IRS has been using Login.gov, the single sign-on service housed within the General Services Administration, since 2022.

TIGTA recommended that the IRS’s chief information officer be tasked with developing and occasionally updating “consolidated guidance” on all audit trail data elements that credential service providers “must capture and provide for IRS IAL2 applications,” referring to applications in which evidence supports claimed identity and applicants that are verified remotely or physically. The IRS’s CIO should also ensure that audit trail data elements are provided to Login.gov before its identity proofing services are used in IRS IAL2 applications.

Other watchdog recommendations for the IRS CIO include the updating of the agency’s Digital Identity Risk Assessment Process Guide with quality preview processes for Digital Identity Acceptance Statements included; documenting continuous monitoring security review guidelines in monthly reports; keeping up to date with FedRAMP continuous monitoring security review guidelines and report templates; and making sure IRS management works in concert with Login.gov leaders on assessments of vulnerabilities from unauthorized access to applications that may compromise personally identifiable information. 

The IRS agreed with all TIGTA recommendations. CIO Rajiv Uppal said in a letter to the watchdog that the agency “recognizes the need for additional improvements to address security and monitoring controls and is committed to fully implementing and documenting all agreed upon corrective actions,” adding that work has “already begun to address deficiencies.’”

Matt Bracken

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.

Latest Podcasts