Tax watchdog says IRS has work to do on Login.gov security controls
The IRS is making progress in moving its use of Login.gov toward compliance with federal standards, but the tax agency has more security improvements to implement around its expanded use of the single sign-on service, a new watchdog report found.
In findings released this week, the Treasury Inspector General for Tax Administration applauded the cybersecurity function within the tax agency’s Information Technology unit for completing an initial analysis of Login.gov’s FedRAMP security in a “timely” fashion. TIGTA also gave the IRS kudos for its transparency in how it uses the sign-on tool, posting a Privacy and Civil Liberties Impact Assessment for the Secure Access Digital Identity system to its website.
Where the IRS is falling short, the watchdog said, is in its requirements for how credential service providers (CSPs) capture and provide “sufficient audit log content.”
“The IRS does not have consolidated guidance requiring CSPs that leverage the Secure Access Digital Identity system to capture all audit trail, including investigative, data elements,” TIGTA said in its report. “TIGTA’s Office of Investigations review of IRS CSP baseline requirements determined that they omit critical investigative audit trail data elements listed in its Audit Trail Needs document.”
The IRS has been using Login.gov, the single sign-on service housed within the General Services Administration, since 2022.
TIGTA recommended that the IRS’s chief information officer be tasked with developing and occasionally updating “consolidated guidance” on all audit trail data elements that credential service providers “must capture and provide for IRS IAL2 applications,” referring to applications in which evidence supports the claimed identity and applicants are verified either remotely or physically. The IRS’s CIO should also ensure that audit trail data elements are provided to Login.gov before its identity proofing services are used in IRS IAL2 applications.
Other watchdog recommendations for the IRS CIO include the updating of the agency’s Digital Identity Risk Assessment Process Guide with quality preview processes for Digital Identity Acceptance Statements included; documenting continuous monitoring security review guidelines in monthly reports; keeping up to date with FedRAMP continuous monitoring security review guidelines and report templates; and making sure IRS management works in concert with Login.gov leaders on assessments of vulnerabilities from unauthorized access to applications that may compromise personally identifiable information.
The IRS agreed with all TIGTA recommendations. CIO Rajiv Uppal said in a letter to the watchdog that the agency “recognizes the need for additional improvements to address security and monitoring controls and is committed to fully implementing and documenting all agreed upon corrective actions,” adding that work has “already begun to address deficiencies.”