Federal Information Security Management Act Report for Fiscal Year 2009

Memorandum for Assistant Inspector General for Audit
Office of the Treasury Inspector General

SUBJECT: Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2009
(Audit # 200920010)
 
We are pleased to submit the Treasury Inspector General for Tax Administration's Federal Information Security Management Act (FISMA) report for Fiscal Year 2009. The FISMA requires the Office of Inspector General to perform an annual independent evaluation of information security policies, procedures, and practices as well as evaluate compliance with FISMA requirements. This report reflects our independent evaluation of the Internal Revenue Service's (IRS) information technology security program for the period under review.
 
We based our evaluation on the Office of Management and Budget (OMB) FISMA 2009 Reporting Guidelines. During the 2009 evaluation period, we conducted eight audits, as shown in Attachment I, to evaluate the adequacy of information security in the IRS. We considered the results of these audits in our evaluation. In addition, we evaluated a representative sample of 12 major IRS information systems for our FISMA work. For each system in the sample, we assessed the quality of the certification and accreditation process, the annual testing of controls for continuous monitoring, the testing of information technology contingency plans, and the quality of the Plan of Action and Milestones process. We also conducted tests to evaluate processes over inventory accuracy, configuration management, incident reporting, security awareness and specialized security training, and the information privacy program.
 
Included in Attachment II are our responses to the OMB Fiscal Year 2009 FISMA questions for the Inspector General. Major contributors to this report are listed in Attachment III.
 
We are confident that the IRS has:
 
- Established a materially correct inventory.
- Implemented a certification and accreditation process that follows the National Institute for Standards and Technology (NIST) framework.
- Sufficiently tested its information technology contingency plans.
- Implemented an adequate Plan of Action and Milestones process to ensure that security weaknesses are remediated.
- Followed policies and procedures for reporting computer security incidents.
- Provided employees security awareness and specialized security training.
- Implemented adequate policies to protect privacy-related information.
 
Since the enactment of the FISMA in Calendar Year 2002, overall, the IRS has made steady progress in complying with FISMA requirements. In addition, the IRS continues to place a high priority on efforts to improve its security program. We observed significant improvements in information technology contingency plan testing and additional improvements in annual security controls testing, two security areas we identified as needing improvement in our 2008 FISMA evaluation. However, based on our 2009 evaluation, we believe the IRS still needs to take additional actions in the areas of certification and accreditation and configuration management to better secure its systems and data.
 
Certification and Accreditation Process

The OMB guidelines for minimum security controls in Federal Government information systems require that all systems be certified and accredited every 3 years, or when major system changes occur. The NIST provides guidelines for conducting the system certifications and accreditations. Five of the 12 systems in our sample were certified and accredited in 2009. We evaluated the quality of the certification and accreditation process for these five systems and determined that all of them were properly certified and accredited in accordance with NIST guidelines.
 
The OMB also requires that system security controls be tested for every system at least annually. In years when a system will not be certified and accredited, a subset of security controls must be tested. The NIST provides guidelines for annual testing of security controls. We reviewed the adequacy of annual testing of security controls for 7 of the 12 systems in our sample that were not certified and accredited in 2009. We found that an appropriate subset of management, operational, and technical controls was selected, documented, and approved for each of the seven systems. However, tests of the operational and technical controls for three of the seven systems were not sufficient to determine if the controls were in place and operating as intended. Specifically, 11 (31 percent) of 35 operational controls and 15 (27 percent) of 56 technical controls selected for the 3 systems, collectively, were not adequately tested. The tests were limited to examining certification and accreditation documentation or conducting interviews without examining system evidence. For example, configuration change control is an operational control that ensures changes to the information system are authorized, documented, and controlled. For one of the systems, the IRS evaluated this control by examining the test results from the system's last certification and accreditation in 2007. For another system, the IRS evaluated the control by referring to a description of the control in the system's System Security Plan. In both examples, the IRS did not actually test the control. As a result, these tests were insufficient to determine whether the security controls were operating as intended.
 
Configuration Management

The OMB required Federal Government agencies that use the Windows XP or VISTA operating systems to adopt a standard set of configuration settings by February 1, 2008. These configuration settings are referred to as the Federal Desktop Core Configuration (FDCC). The IRS has made significant progress in implementing FDCC standard settings. As of the end of the 2009 evaluation period, the IRS had implemented or had deviations approved by the Department of the Treasury for 265 (94 percent) of 282 FDCC settings. The IRS continues to test the remaining FDCC configurations and has a plan in place to reach full implementation by February 2010. The IRS has not, however, modified its software contracts to ensure purchased software will operate properly with the FDCC settings. In March 2009, we issued a report in which we identified that 27 of 30 software contracts that we examined did not include the required FDCC contract language. The IRS has not yet developed a policy that would require the inclusion of the FDCC language in contracts for new software products. The IRS responded to the report that it planned to issue an agency-wide policy that will incorporate the FDCC contract language in information technology acquisitions.
 
Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.
