The IRS has a detailed plan for achieving a state of zero trust on its information technology networks, which is something all agencies are under obligation to do for cybersecurity. But the IRS needs to put the right people and money behind the plan, … according to an audit by the Treasury Inspector General for Tax Administration (TIGTA). For more, Federal Drive with Tom Temin spoke with TIGTA’s Director of Enterprise Services, Jena Whitley.
Tom Temin What was your main purpose in this particular audit? Just to see whether the IRS was following the executive order and the subsequent guidance from OMB that went to every agency on this whole zero trust business?
Jena Whitley Absolutely. Zero trust is actually a large umbrella strategy that combines a lot of different components and IT projects the IRS was already working on anyway. And what we wanted to do is take a look at their planning to address the OMB memo that you mentioned. And also the executive order came out the year before that, Executive Order 14028. So we did want to look at how the IRS was addressing their future planning to achieve a zero trust architecture. So essentially the umbrella that includes all things zero trust architecture, there are really kind of three major goals, and each of those goals builds on one another. The first being all users are untrusted. And that’s not just addressing insider threat. That’s looking to address those situations where a network has been penetrated. So you shouldn’t necessarily trust all internal traffic coming through that network or requests for data on that network. So that’s really looking at how to confirm that all users, all devices are both authenticated and authorized, with the eventual goal of verifying every access request every time. So we were just looking at how the IRS is pulling all of that information together for all the individual IT projects that they’re already working on.
Tom Temin And you did find that they had developed a reference architecture, a road map and a pilot program, which seems to put them probably ahead of a lot of agencies.
Jena Whitley I can’t necessarily speak to other agencies, but yes, they were definitely already midstream on this zero trust architecture implementation. They have a plan. We made a few recommendations that basically should improve future planning, but they are already well underway in the world of zero trust architecture implementation for sure.
Tom Temin And they had also hired a contractor to kind of give a third party view. And you took a look at what that contractor found. Fair to say?
Jena Whitley Absolutely. We looked at it, and the IRS had done their own internal assessment. The Department of Homeland Security issued its own zero trust maturity model for federal agencies to use to evaluate essentially their progress on their zero trust implementation. The contractor that the IRS hired also evaluated where the IRS was against that maturity model, of which there are five pillars. And I don’t know if you’re familiar with the model, but basically there’s the identity issue that I already mentioned for user access management; looking at devices, are all devices inventoried and does the IRS know how to prevent, detect and respond to incidents on each of those devices? And then there’s three other pillars. You’ve got applications and workloads, networks and then data. And in each of those pillars, there’s a list of capabilities that agencies should be prepared to deploy. And they range from routine empirical testing of applications to monitoring vulnerability reports at the application level. With regards to networks, you need to encrypt traffic, break down perimeter points of entry into isolated environments. And that’s especially important with an agency the size of the IRS. It’s spread throughout the country. And then looking at data, monitoring sensitive data, making sure that they’re logging census access requests to sensitive data and that kind of thing. So the contractor also evaluated the IRS against the systems maturity model. And they found that, yes, there’s work that needs to continue developing, but overall, they’re in a good position to continue this work.
Tom Temin We’re speaking with Jena Whitley. She’s director of enterprise services at the Treasury Inspector General for Tax Administration. And you found that, yes, they’ve got all these great plans, reference architecture, road map, testing and so forth. But there’s still some things they’ve got to do to really push this big old boulder over the top of the mountain.
Jena Whitley Yeah, that’s right. Well, we recommended a couple of things. First of all, we wanted them to go ahead and try to develop a budget estimate for all of the various projects and initiatives they’re working on that will help them achieve the zero trust architecture. Right now, that information is spread across a number of different information technology functions. The IRS IT organization is large. They have a lot of great people working on a lot of different priorities. But as of yet, there was not a consolidated sort of budget amount that could help them forecast how much all of this was going to cost long term. We also recommended they revise their zero trust architecture plan to include defined roles and responsibilities. Again, that goes back to the IRS, OIG organization being large and a lot of different efforts going on that will help address the zero trust architecture, the various pillars and whatnot, to help them achieve that maturity that OMB has asked them to. The third is to enhance their roadmap to include a completion schedule for some of these capabilities and prioritize activities within each of the five pillars of that systems maturity model that I mentioned. And finally, we asked them to reassess their zero trust architecture implementation progress, I guess against the maturity model, to inform revised planning and budget formulation.
Tom Temin And just a side question, maybe you looked at this, maybe not. But with the prospect of a continuing resolution or even an interruption in appropriations coming on October 1st, could that hold off their plans, or is this something that could be classified under continuing efforts? And if they had even a C.R., they could continue to spend on zero trust development?
Jena Whitley I can’t really comment on what they would be spending their money on under a continuing budget. So much of zero trust architecture is cybersecurity related. I can’t imagine that that wouldn’t be part of what they would do on a daily basis. It’s a 24/7 operation, cybersecurity is.
Tom Temin Sure, and so is the IRS, for that matter. There’s always something going out of there and agency.
Jena Whitley So much of the zero trust architecture is for cybersecurity already. You know, this is taxpayer data; it is not going to go unprotected.
Tom Temin And did the agency generally accept and agree with the recommendations? And what do they plan to do next? According to how they answered you?
Jena Whitley They did. They agreed to all of our recommendations and planning is ongoing. It will probably end up revisiting this audit in the next fiscal year. TIGTA has not completed its annual audit planning process yet, but I imagine we’ll see more from them here in the future.
Tom Temin Well, I think the IRS, CIO and technology shop has a lot of it’s like a horse with a lot of flies to swat its tail at. But sounds like they’ve got this one under control in general.
Jena Whitley In general, they’re in a good place.