WASHINGTON, D.C. – House Ways and Means Committee Chairman Kevin Brady (R-TX), Ways and Means Committee Ranking Member Richard Neal (D-MA), Oversight Subcommittee Chairman Vern Buchanan (R-FL), and Oversight Subcommittee Ranking Member John Lewis (D-GA) today sent a letter to Internal Revenue Service (IRS) Commissioner John Koskinen requesting additional information regarding how the IRS identifies and addresses security risks for their online taxpayer tools and applications, including the recently suspended the Free Application for Federal Student Aid (FAFSA) Data Retrieval Tool (DRT). In the letter, the Members expressed concerns about the steps that the IRS takes to ensure that taxpayer information is adequately protected from breaches of its online tools and applications. The Members requested that the IRS provide them with detailed information on how it protects taxpayers using these online tools.
The Members wrote:
“In our current landscape, bad actors will always pose a cyber threat to federal systems, but the IRS must continue to focus on balancing the protection of taxpayer information with taxpayers’ rights to easily interface with the IRS, especially online. We remain deeply concerned that the IRS is not doing all that it can to assess properly and to prevent unauthorized access to taxpayer information, in particular through IRS online tools and applications.”
The IRS’s online tools and applications such as Identity Protection Personal Identification Number (IP PIN), Get Transcript, and the online DRT used to assist those filling out the FAFSA have been subject to cyberattacks, at times resulting in the loss of taxpayer information.
As a result of these attacks, the IRS has been forced to temporarily suspend online tools or applications, often for extended periods of time, until a long-term security solution can be found. The DRT, which populated the online FAFSA application using tax information retrieved from the IRS, was taken offline in March 2017 after the IRS and Department of Education found evidence of potentially fraudulent activity. Although an IRS risk assessment from October 2016 suggested concerning vulnerabilities with the tool, it was not until five months later in March 2017 that the tool was taken offline. The IRS Commissioner recently testified before the Senate Finance Committee that this most recent cyberattack may have compromised the information of as many as 100,000 taxpayers. Both the Treasury Inspector General for Tax Administration and the Government Accountability Office have raised concerns in recent years about the adequacy of the IRS’s authentication measures for its online tools.
CLICK HERE to view the entire letter.
Full text of the letter sent to Commissioner Koskinen:
April 28, 2017
The Honorable John Koskinen
Internal Revenue Service
1111 Constitution Avenue, NW
Washington, DC 20224
Dear Commissioner Koskinen:
Thank you for your April 6th letter providing an update on the recent events surrounding the suspension of the Internal Revenue Service’s (IRS) Data Retrieval Tool (DRT), which allows students and parents to access and transfer the tax return information needed to complete the Free Application of Federal Student Aid (FAFSA). This tool simplifies the process for those seeking federal student aid and ensures the accuracy of tax information used to make student aid decisions. While the temporary removal of this tool does not prevent applicants from completing their FAFSA form, it does put in place a significant barrier for those who do not have their previous tax returns readily available. Therefore, we still have a number of questions surrounding this latest incident, and we write today to request more information about this and other IRS online tools and applications.
The temporary removal of the DRT serves as the most recent example of a suspension of an IRS online tool or application due to cyberattacks seeking to gain access to taxpayer information. Similar events occurred with the Get Transcript and Identity Protection Personal Identification Numbers (IP PIN) applications, both of which were taken offline for significant periods of time and resulted in the loss of taxpayer information. In the case of the Get Transcript application, TIGTA determined that the process used to authenticate taxpayers did not meet National Institute of Standards and Technology standards, ultimately leading to the issuance of $490 million in potentially fraudulent tax refunds. In the case of the IP PIN application, the IRS did not sufficiently complete a required authentication risk assessment and repeatedly was warned by TIGTA that the application had significant security weaknesses that were not adequately addressed, which led to an eventual security breach.
In our current landscape, bad actors will always pose a cyber threat to federal systems, but the IRS must continue to focus on balancing the protection of taxpayer information with taxpayers’ rights to easily interface with the IRS, especially online. We remain deeply concerned that the IRS is not doing all that it can to assess properly and to prevent unauthorized access to taxpayer information, in particular through IRS online tools and applications. To assist the Committee in better understanding the IRS’s actions in this matter, please provide the following information:
- Please describe the process by which the IRS performs an authentication risk assessment of its online tools and applications and provide copies of any relevant governing policies or procedures.
a. Is the IRS required to perform an authentication risk assessment on all of its online tools and applications?
b. If so, how often are these performed on each tool or application?
- Please provide the following:
a. A list of all online IRS tools or applications currently deployed (including any that may be suspended or temporarily taken offline).
b. A list of the tools or applications that currently use the IRS’s Secure Access Authentication platform.
c. The date on which each tool or application listed in response to question 2(a) was first deployed.
d. The date(s) when the IRS performed an authentication risk assessment for each of these tools or applications to determine their security vulnerabilities.
e. The documented results of each of these assessments, including the level of authentication assurance that the assessment determined was needed.
f. The actual level of the authentication assurance in place for each tool or application. If the level of the authentication assurance changed over time, please indicate each level of authentication assurance and the time period for which it was in place.
g. A list of all major incidents related to the tools or applications listed in response to question 2(a) that have been reported to Congress in accordance with the requirements of the Federal Information Security Modernization Act. Please include the date they occurred, the date they were reported to Congress, the name of the tool or application involved, and a description of the incident.
- How does the IRS determine when a tool or application will be suspended? What criteria are used to make this determination?
- How does the IRS determine when a tool or application will be reinstated? What standards or criteria must be met for the IRS to determine that it is safe for an online application or tool to be relaunched?
- In the case of the DRT, despite knowing that there was a potential vulnerability in September 2016, the issue was not remedied and the tool remained online until March 2017 when an actual security incident occurred, forcing the tool to be taken offline. Why was the IRS unable to address the known security vulnerability prior to a security event occur?
- Does a security breach have to occur first to necessitate a tool or application being taken offline?
Thank you in advance for your prompt response to this request. We ask that you provide this information to the Committee no later than Thursday, May 18, 2017.