The road to recovery for the IRS after the 2015 cybersecurity incident involving its Get Transcript application can be traced back to a long-term effort to standardize IT processes.
The IRS has spent much of the last five years climbing the maturity levels of international standards for managing technology and systems.
Terry Milholland, the former chief information officer and chief technology officer, said he pushed the bureau to be world class in using the Information Technology Infrastructure Library (ITIL) and the standards contained in the Capability Maturity Model Integration (CMMI).
“The IRS is the only agency to be level 3 CMMI and ITIL across the board,” Milholland said during his “exit” interview on Ask the CIO. “What that does is open up a landscape of productivity and quality that heretofore was missing. And now, it’s somewhat a statement of pride. The federal government told its suppliers to be level 3 and all of them were, but when we did business with them, we would bring them down to our level, level 1. But now, we were on the same playing field as our suppliers.”
Milholland left the IRS in June after seven years, after Congress failed to renew the special pay authority under which he had been hired.
Milholland said that when the cyber incident happened in 2015, having standardized programming languages and IT architecture made putting up defenses and fixing problems more straightforward than in the past.
“Working with the Homeland Security Department and others, we wanted them to penetrate us both from the outside and inside, and be a trusted insider and try to gain entry into things like the master file. They did some excellent work and found one place where there was a potential [vulnerability] so we closed that off,” he said. “We also implemented some very interesting technology, working with our portal supplier, Accenture, and using some things from Akamai and some other technology that would essentially detect when attacks were coming that we saw by either Internet protocol (IP) addresses or locations around the world that we shouldn’t be getting requests from. We get alerts and react to them very well.”
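The source-based alerting Milholland describes (flagging requests from IP ranges or countries the portal should not be hearing from) is a simple control to sketch. The following is an added illustration, not the IRS's, Accenture's or Akamai's implementation: the denylisted range, the set of expected countries, the burst threshold and the log entries are all constructed for the example, using RFC 5737 documentation addresses rather than real traffic.

```python
import ipaddress
from collections import Counter

# Constructed sample access-log entries (client IP, ISO country code, request path).
# The addresses come from the RFC 5737 documentation ranges; nothing here is captured traffic.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "US", "/get-transcript/login"),
    ("192.0.2.11", "US", "/get-transcript/login"),
    ("198.51.100.7", "US", "/get-transcript/login"),  # falls in the denylisted range below
    ("203.0.113.5", "XX", "/get-transcript/login"),   # unexpected country, repeated three times
    ("203.0.113.5", "XX", "/get-transcript/login"),
    ("203.0.113.5", "XX", "/get-transcript/login"),
    ("192.0.2.12", "CA", "/get-transcript/login"),
]

# Hypothetical policy, assumed for illustration only: a range treated as hostile, the countries
# from which a U.S. tax-transcript portal plausibly expects logins, and a per-source burst limit.
DENYLISTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_COUNTRIES = {"US", "CA", "MX"}
BURST_THRESHOLD = 3  # alert when one source sends at least this many requests in the batch


def classify_request(ip_str, country):
    """Return the alert reasons for a single request; an empty list means it looks normal."""
    reasons = []
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in DENYLISTED_RANGES):
        reasons.append("denylisted-range")
    if country not in EXPECTED_COUNTRIES:
        reasons.append("unexpected-country")
    return reasons


def scan(requests):
    """Evaluate a batch of log entries and return sorted, deduplicated (ip, reason) alerts."""
    alerts = set()
    per_source = Counter()
    for ip_str, country, _path in requests:
        per_source[ip_str] += 1
        for reason in classify_request(ip_str, country):
            alerts.add((ip_str, reason))
    # Volume from a single source is a separate signal from where the source sits.
    for ip_str, count in per_source.items():
        if count >= BURST_THRESHOLD:
            alerts.add((ip_str, "burst"))
    return sorted(alerts)


if __name__ == "__main__":
    for ip_str, reason in scan(SAMPLE_REQUESTS):
        print(f"ALERT {ip_str}: {reason}")
```

Geolocation is a coarse signal: an attacker who wants transcripts from a U.S. portal can proxy through in-country hosts, so a check like this is useful for alerting and rate-limiting but should not be the only control protecting the application.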
Milholland said the IRS also had to prove to Congress, to the Treasury Department and to DHS that its systems were as cyber secure as one could expect.
Milholland said modernizing the bureau's IT systems to keep up with the assortment of challenges the IRS faces each year, such as cyber threats and new legislative mandates, has been based on a three-pronged approach.
“One was establishing the new programming language, Java, so open source products could be brought in off-the-shelf. We wanted to avoid customization so that if we wanted a feature from a supplier, we would only implement that if the supplier would put it into their product. It required a lot of collaboration with people, but we avoided the customization issue that years from now would trap you,” he said. “The second thing was conversion programs. Our approach was to take the thorniest problems first. We are converting the rest of the ancient legacy systems to Java.”
The third prong is making the IRS data-centric, where functionality, cyber protections and other capabilities center on users' data needs.
“This may sound trivial, but it’s not because the IRS is forms driven. When you talk to the IRS, you bring up a 1040 or you have to file your 1099 or have to do a W2. People in the IRS talk forms,” he said. “My agreement was let’s talk data. What is the data you actually need to make a decision? What data does the taxpayer need? That changes the equation. That changes the way we do design, the way we do development, the way that we manage, and that has a long staying course,” he said. “Over a three year window with budgets being what they are, that is the heart and soul of completing the journey of modernizing the legacy systems.”
Milholland said the IT modernization effort will take three years mainly because of the funding challenges the bureau faces.
“We know how to do it. It’s a matter of staying the course to get off of this. As the staff ages, they will be leaving the IRS so we have to get into a state where the [old] language is done [being used],” he said.
He said he recognized the need to move to CMMI and ITIL early on. He said the IT shop was set up like medieval guilds, where each IT office had experts, journeymen and apprentices based on “their own way” of doing things, and there was no IRS way of developing or managing technology.
Milholland said one organization would write code in C#, another would write in C++ and yet another would continue to use COBOL.
“Nothing was compatible or integrated,” he said. “I saw an opportunity for reducing variation. For example with our architecture, we said here is what you should use for each project, but there were more waivers to the architecture than there were architecture pieces. By becoming world class, it also meant we would start hard-lining the architecture and there would be no more waivers. You will use the products we have and use the process to update the architecture. It also meant we would standardize on one programming language, in this case Java. That also settled the guild question. If you wanted to do something new, you had to do it this way.”
Milholland said the IRS saw a 25 percent increase in capacity and quality by moving to Level 3 of CMMI.
“Congress would decrease our budget so I'd have a bogey of say $200 million to $300 million—don't take these numbers to the bank—that I would have to find in my shop every year. It was a deficit so to speak. There was no other easy place to get it because dollars can't be transferred easily, you can't get rid of people, so you had to change the way we do things. It was the classic ‘do more with less’ situation,” he said. “Where most people look at this as a burden, I said it was an opportunity to demonstrate we are world class and do things smoother by recognizing that whoever is giving us stuff upstream should be accountable for the quality of what they give us, including the when, and then we do our thing in the middle of the process and pass it on to someplace else. We are now a customer of the upstream and a supplier of the downstream. Level 2 changes where you start establishing change management, problem management, configuration management processes for software engineering and operations. Level 3 gives you a bigger bump in that.”