In its latest audit report, the Treasury Inspector General for Tax Administration (TIGTA) is calling on the IRS to put in place “timely remediations” for all of the agency’s Known Exploited Vulnerabilities (KEVs).
The audit report, issued on Aug. 28, found that between September and December 2022, “there were between 494 and 5,976 KEVs past the remediation period,” as well as 14 KEVs that the IRS did not track.
“The IRS is not following established guidance to isolate or remove all vulnerable assets from its network,” the audit says.
The requirement to address these vulnerabilities stems from the Department of Homeland Security (DHS) Binding Operational Directive (BOD) 22-01, which “focuses on vulnerabilities that are active threats and should be Federal agencies’ top priority,” according to the audit.
Within the IRS, KEV remediation is handled by the Cyber Threat Fusion Center (CTFC) team within the Information Technology organization’s Cybersecurity function, which “supports KEV remediation efforts by administering the IRS’s directive program,” the audit says.
Other findings from the report indicated that of 1,001 non-mission critical assets at the agency with unremediated KEVs, 974 were isolated “within four business days,” while 27 were not.
“Failure to isolate or remove vulnerable assets from the network increases the risk of malicious attacks. When affected assets are not isolated, they could become targets of external exploitation with the intent to steal taxpayer data,” states the audit.
The audit concludes by giving the IRS the following recommendations:
- The chief information officer (CIO) should ensure timely remediation of all KEVs in accordance with the timeframes set forth in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) KEV catalog;
- The CIO should, in accordance with the directive, immediately isolate or remove from the network all assets with KEVs not remediated by the established due date;
- The CIO should assess attack signature changes to determine remediation time frames for each, and update data in the asset and vulnerability repository that includes signature change dates applicable to KEVs and the remediation time frame allowed for each signature change as assessed; and
- The CIO should finalize the standard operating procedures on internal vulnerability management and update the Internal Revenue Manual.
The IRS agreed with all four recommendations.
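The first two recommendations, and the audit's headline finding of KEVs “past the remediation period,” come down to one check an agency can automate: join its asset/vulnerability repository against the CISA KEV catalog, flag every unremediated finding whose catalog due date has passed, and list which of those assets are still on the network. The script below is an added example written for this article; it is not IRS or TIGTA tooling and does not reproduce the audit's data. The catalog structure mirrors the field names of CISA's public KEV JSON feed (`cveID`, `product`, `dateAdded`, `dueDate`), but the entries, the CVE identifiers (deliberately invalid placeholders such as `CVE-2022-EX01`) and the inventory rows are constructed sample data. The business-day count is reported as a lag metric only, with federal holidays ignored; it is not a deadline rule taken from the directive.

```python
"""Flag Known Exploited Vulnerabilities (KEVs) past their CISA due date.

Added example for illustration; not from the TIGTA audit or the IRS.
Catalog entries follow the field names of CISA's KEV JSON feed; the CVE
IDs (placeholders, not valid identifiers), dates and assets are constructed.
"""
from datetime import date, timedelta

# Constructed excerpt shaped like the "vulnerabilities" array of the KEV feed.
KEV_CATALOG = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-EX01", "product": "Example VPN", "dateAdded": "2022-09-01", "dueDate": "2022-09-22"},
        {"cveID": "CVE-2022-EX02", "product": "Example Mail", "dateAdded": "2022-10-10", "dueDate": "2022-10-31"},
        {"cveID": "CVE-2022-EX03", "product": "Example Browser", "dateAdded": "2022-11-28", "dueDate": "2022-12-19"},
        {"cveID": "CVE-2022-EX04", "product": "Example Router", "dateAdded": "2022-12-01", "dueDate": "2022-12-22"},
    ],
}

# Constructed asset/vulnerability repository: one row per (asset, CVE) finding.
INVENTORY = [
    {"asset": "vpn-gw-01", "cveID": "CVE-2022-EX01", "remediated": False, "isolated": False},
    {"asset": "mail-02", "cveID": "CVE-2022-EX02", "remediated": True, "isolated": False},
    {"asset": "wks-117", "cveID": "CVE-2022-EX03", "remediated": False, "isolated": True},
    {"asset": "wks-118", "cveID": "CVE-2022-EX03", "remediated": False, "isolated": False},
    {"asset": "wks-200", "cveID": "CVE-2022-EX99", "remediated": False, "isolated": False},  # not in the catalog
]


def due_dates(catalog):
    """Map each catalog CVE ID to its remediation due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in catalog["vulnerabilities"]}


def business_days_since(start, end):
    """Count Monday-Friday days after `start` up to and including `end` (holidays ignored)."""
    days = 0
    current = start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days += 1
    return days


def overdue_kevs(catalog, inventory, as_of):
    """Unremediated findings whose KEV due date is before `as_of`, with how late they are."""
    due = due_dates(catalog)
    report = []
    for row in inventory:
        deadline = due.get(row["cveID"])
        # Skip non-KEV findings, remediated rows, and KEVs still inside their window.
        if deadline is None or row["remediated"] or as_of <= deadline:
            continue
        report.append({
            "asset": row["asset"],
            "cveID": row["cveID"],
            "dueDate": deadline.isoformat(),
            "calendar_days_overdue": (as_of - deadline).days,
            "business_days_overdue": business_days_since(deadline, as_of),
            "isolated": row["isolated"],
        })
    return report


def not_isolated_past_due(catalog, inventory, as_of):
    """Overdue assets still connected: BOD 22-01 requires these be isolated or removed."""
    return [r for r in overdue_kevs(catalog, inventory, as_of) if not r["isolated"]]


def untracked_kevs(catalog, inventory):
    """Catalog entries with no repository row at all, so their status cannot be shown."""
    tracked = {row["cveID"] for row in inventory}
    return sorted(v["cveID"] for v in catalog["vulnerabilities"] if v["cveID"] not in tracked)


if __name__ == "__main__":
    snapshot = date(2022, 12, 31)
    for r in overdue_kevs(KEV_CATALOG, INVENTORY, snapshot):
        print(f"{r['asset']:10} {r['cveID']:14} due {r['dueDate']} "
              f"{r['business_days_overdue']:3} business days overdue isolated={r['isolated']}")
    print("past due and still on the network:",
          [r["asset"] for r in not_isolated_past_due(KEV_CATALOG, INVENTORY, snapshot)])
    print("catalog KEVs with no repository row:", untracked_kevs(KEV_CATALOG, INVENTORY))
```

Run against a real feed, the only change is loading `known_exploited_vulnerabilities.json` from CISA into `KEV_CATALOG` and exporting the repository rows into `INVENTORY`; the three functions then produce the same three views the audit measured: overdue KEVs, overdue assets not yet isolated, and catalog entries the repository does not track.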