TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

CERTIFYING THE SECURITY OF INTERNAL REVENUE SERVICE COMPUTER SYSTEMS IS STILL A MATERIAL WEAKNESS

June 2000

Reference No. 2000-20-092

Executive Summary

Office of Management and Budget and Treasury Department directives require that all information systems that process sensitive but unclassified information, including taxpayer data, be certified and accredited prior to being placed into operation. In addition, these information systems are required to be re-certified and re-accredited at least every three years or when significant modifications occur. Certifying that adequate security controls have been developed and accrediting that the risks of security breaches have been adequately reduced are the two primary controls for ensuring that security controls are built into new information systems and remain up-to-date afterwards. At stake is the privacy of information for over 123 million taxpayers.

The Certification Program Office, under the direction of the Office of Security and Privacy Oversight, is responsible for certifying that Internal Revenue Service (IRS) information systems have sufficient security controls. The IRS executive in charge of the function using each information system is responsible for accrediting the system. When accrediting, executives state that they are aware of and accept the risks associated with operating the system.

In 1995, the IRS began monitoring sensitive systems certification as a potential management control weakness and in 1997 officially reported it as a material weakness. This issue continues to be an open item on its Fiscal Year 1999 assessment of management controls.

The overall objective of this audit was to assess the effectiveness of the IRS’ security certification and accreditation processes for information systems and networks.

Results

The majority of IRS information systems are still not certified and accredited. Although the IRS is taking steps through contractor support to alleviate this situation, more emphasis is needed to resolve this material control weakness in a timely manner.

The Majority of the Internal Revenue Service’s Information Systems Were Not Certified and Accredited as Required

Of the 258 systems listed on the inventory of sensitive systems in January 2000, 232 (89.9 percent) were not certified. Responsible executives had granted temporary authorities to operate 143 of the uncertified systems but had accepted no accountability for the security risks of operating the other 89 systems.

We attribute these conditions in part to the lack of emphasis the IRS has placed on building security controls into new information systems. It has become a standard practice in the IRS to implement a system without the necessary certification and accreditation of security controls. We are aware of only one information system currently in use that had been certified and accredited before it was initially implemented.

Documenting security controls for the uncertified systems after they have been implemented will cost the IRS about $26 million. This cost could have been greatly reduced if security controls had been built in and certification and accreditation had been accomplished during systems development.

The Certification Program Office Does Not Have Sufficient Information to Monitor Accreditations

IRS guidelines require that the Certification Program Office provide timely status and technical information regarding certification and accreditation of IRS information systems to responsible executives. However, the certification program has no control in place to ensure that accreditations are granted, and granted in a timely manner, for certified systems.

Summary of Recommendations

The IRS should place more emphasis on building security controls into new information systems. To ensure this happens, IRS management should not authorize the implementation of any new system until controls are sufficient and the system has the required security certification and accreditation.

For systems that are already implemented, the IRS needs to place additional emphasis on timely certification and accreditation. The IRS should ensure that funds continue to be allocated for contractor support during the certification process and consideration should be given to increasing this allocation in order to get systems certified as soon as possible. Consideration should also be given to increasing the human resources within the IRS devoted to certifying and accrediting the security features of systems.

Also, the process for identifying all information systems requiring certification and accreditation, and the tracking of their certification and accreditation status, should be centralized.

Management’s Response: Management generally agreed with our findings and recommendations. They are developing a new process for certifying new systems within the systems development life cycle. Management anticipates that systems will be implemented without full certification only in special circumstances. Contractor support will continue to be used to reduce the backlog of uncertified systems. Management’s complete response to the draft report is included as Appendix V.

Office of Audit Comment: We believe that management’s response is adequate with one important exception. Considering the sensitivity of the data processed by the IRS and the risks inherent in today’s interconnected computer systems, we do not believe that any new system should be implemented without appropriate security controls.