Bipartisan W&M Leaders Call for IRS to Provide Information on Security Risks Affecting Taxpayers and Students



The following press release was published by the U.S. Congress Committee on Ways and Means on April 28, 2017. It is reproduced in full below.

Dear Commissioner Koskinen:

Thank you for your April 6th letter providing an update on the recent events surrounding the suspension of the Internal Revenue Service’s (IRS) Data Reporting Tool (DRT), which allows students and parents to access and transfer the tax return information needed to complete the Free Application of Federal Student Aid (FAFSA). This tool simplifies the process for those seeking federal student aid and ensures the accuracy of tax information used to make student aid decisions. While the temporary removal of this tool does not prevent applicants from completing their FAFSA form, it does put in place a significant barrier for those who do not have their previous tax returns readily available. Therefore, we still have a number of questions surrounding this latest incident, and we write today to request more information about this and other IRS online tools and applications.

The temporary removal of the DRT serves as the most recent example of a suspension of an IRS online tool or application due to cyberattacks seeking to gain access to taxpayer information. Similar events occurred with the Get Transcript and Identity Protection Personal Identification Numbers (IP PIN) applications, both of which were taken offline for significant periods of time and resulted in the loss of taxpayer information. In the case of the Get Transcript application, TIGTA determined that the process used to authenticate taxpayers did not meet National Institute of Standards and Technology standards, ultimately leading to the issuance of $490 million in potentially fraudulent tax refunds. In the case of the IP PIN application, the IRS did not sufficiently complete a required authentication risk assessment and repeatedly was warned by TIGTA that the application had significant security weaknesses that were not adequately addressed, which led to an eventual security breach.

In our current landscape, bad actors will always pose a cyber threat to federal systems, but the IRS must continue to focus on balancing the protection of taxpayer information with taxpayers’ rights to easily interface with the IRS, especially online. We remain deeply concerned that the IRS is not doing all that it can to assess properly and to prevent unauthorized access to taxpayer information, in particular through IRS online tools and applications. To assist the Committee in better understanding the IRS’s actions in this matter, please provide the following information:

1. Please describe the process by which the IRS performs an authentication risk assessment of its online tools and applications and provide copies of any relevant governing policies or procedures.

a. Is the IRS required to perform an authentication risk assessment on all of its online tools and applications?

b. If so, how often are these performed on each tool or application?

2. Please provide the following:

a. A list of all online IRS tools or applications currently deployed (including any that may be suspended or temporarily taken offline).

b. A list of the tools or applications that currently use the IRS’s Secure Access Authentication platform.

c. The date on which each tool or application listed in response to question 2(a) was first deployed.

d. The date(s) when the IRS performed an authentication risk assessment for each of these tools or applications to determine their security vulnerabilities.

e. The documented results of each of these assessments, including the level of authentication assurance that the assessment determined was needed.

f. The actual level of the authentication assurance in place for each tool or application. If the level of the authentication assurance changed over time, please indicate each level of authentication assurance and the time period for which it was in place.

g. A list of all major incidents related to the tools or applications listed in response to question 2(a) that have been reported to Congress in accordance with the requirements of the Federal Information Security Modernization Act. Please include the date they occurred, the date they were reported to Congress, the name of the tool or application involved, and a description of the incident.

3. How does the IRS determine when a tool or application will be suspended? What criteria are used to make this determination?

4. How does the IRS determine when a tool or application will be reinstated? What standards or criteria must be met for the IRS to determine that it is safe for an online application or tool to be relaunched?

5. In the case of the DRT, despite knowing that there was a potential vulnerability in September 2016, the issue was not remedied and the tool remained online until March 2017, when an actual security incident occurred, forcing the tool to be taken offline. Why was the IRS unable to address the known security vulnerability prior to a security event occurring?

6. Does a security breach have to occur first to necessitate a tool or application being taken offline?

Thank you in advance for your prompt response to this request. We ask that you provide this information to the Committee no later than Thursday, May 18, 2017.

Source: U.S. Congress Committee on Ways and Means
