
Despite need to fine-tune budgets and planning, IRS making progress on zero trust

The size and far-flung nature of the tax agency means that it has begun numerous cyber projects that can help it meet the administration’s zero trust demands....

Although the Treasury inspector general has called for IRS to make improvements in its zero trust efforts, the agency is making progress on the mandated cybersecurity initiative, pointed out Jena Whitley of the Treasury Inspector General for Tax Administration.

“We made a few recommendations that basically should improve future planning, but they are already well underway in the world of zero trust architecture implementation for sure,” said Whitley, TIGTA’s director of enterprise services, during an interview with Tom Temin for the Federal Drive.

Whitley noted that IRS definitely had a plan that it was pursuing, but it needed refinements to ensure adequate progress going forward. “In general, they’re in a good place,” she said.

IG’s office offers four areas for improvement

In its report, TIGTA made four recommendations based on its IRS zero trust architecture review:

  • Better estimate the cost of adopting a zero trust architecture
  • Fully define roles and responsibilities in the agency ZTA plan
  • Detail a schedule for achieving the five ZTA pillars
  • Continue to reassess progress on implementing its ZTA so that IRS leadership can use that information to inform future planning and budget needs

Whitley noted that because “zero trust is actually a large umbrella strategy,” IRS needed to combine and account for work that was already underway across the agency. “We were looking at how the IRS is pulling all of that information together for all the individual IT projects that they’re already working on,” she said.

IRS contractor came to similar conclusions

The tax agency worked with a contractor to evaluate its projects, particularly looking at network and data security, which are pillars three and five of the Zero Trust Maturity Model issued by the Cybersecurity and Infrastructure Security Agency.

“With regards to networks, you need to encrypt traffic, break down perimeter points of entry into isolated environments — and that’s especially important with an agency the size of the IRS. It’s spread throughout the country,” Whitley said.

As to data, she noted the critical need both to monitor access to data and to continually track access requests and data use.

“The contractor also evaluated the IRS against their systems maturity model,” Whitley said. “And they found that, yes, there’s work that needs to continue developing, but overall they’re in a good position to continue this work.”

Creating more complete big picture of zero trust program agencywide

Collectively, the recommendations by TIGTA reflect the far-flung nature of the IRS workforce and locations nationwide.

For instance, take those first two recommendations in the IG report, Whitley said.

“The IRS IT organization is large. They have a lot of great people working on a lot of different priorities. But as of yet, there was not a consolidated sort of budget amount that could help them forecast how much all of this was going to cost long term,” she said. “We also recommended they revise their zero trust architecture plan to include defined roles and responsibilities.”

The request that the agency further define specific roles and responsibilities for zero trust also ties directly back to the size of the agency, and the numerous projects it has underway to achieve zero trust, Whitley said.

And none of the findings stunned the agency or its tech leadership. “They agreed to all of our recommendations, and planning is ongoing. It will probably end up revisiting this audit” in fiscal 2024, she said. “TIGTA has not completed its annual audit planning process yet, but I imagine we’ll see more from them here in the future.”

Listen to the full discussion between TIGTA’s Jena Whitley and the Federal Drive’s Tom Temin.
