
The First Phase of the Data Loss Prevention Solution Is Working As Intended, but the Remaining Phases Continue to Experience Delays

Published by the Office of the Treasury Inspector General for Tax Administration on 2019-08-22.


TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION




                        The First Phase of the Data Loss
                       Prevention Solution Is Working As
                      Intended, but the Remaining Phases
                         Continue to Experience Delays



                                        August 22, 2019

                             Reference Number: 2019-20-049




This report has cleared the Treasury Inspector General for Tax Administration disclosure review process
 and information determined to be restricted from public release has been redacted from this document.




Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website        / http://www.treasury.gov/tigta
   To report fraud, waste, or abuse, call our toll-free hotline at:
                         1-800-366-4484


                              By Web:
                      www.treasury.gov/tigta/


                              Or Write:
          Treasury Inspector General for Tax Administration
                           P.O. Box 589
                        Ben Franklin Station
                    Washington, D.C. 20044-0589

Information you provide is confidential and you may remain anonymous.
HIGHLIGHTS

THE FIRST PHASE OF THE DATA LOSS PREVENTION SOLUTION IS WORKING AS INTENDED, BUT THE REMAINING PHASES CONTINUE TO EXPERIENCE DELAYS

Highlights

Final Report issued on August 22, 2019

Highlights of Reference Number: 2019-20-049 to the Commissioner of Internal Revenue.

IMPACT ON TAXPAYERS

The IRS is entrusted with protecting information received from taxpayers, including Personally Identifiable Information and tax account data. Allowing this information to be removed or exfiltrated for unauthorized purposes could erode public trust in the IRS’s ability to administer our Nation’s tax system and in the voluntary compliance nature of tax filing.

WHY TIGTA DID THE AUDIT

This audit was initiated to determine whether the IRS properly implemented controls to prevent data loss, including data exfiltration of personal information. The IRS is implementing a Data Loss Prevention software solution to identify and prevent Personally Identifiable Information from leaving the IRS network, whether intentionally or unintentionally. The software has multiple components that are being implemented over several years, and this audit evaluated the progress of the implementation.

WHAT TIGTA FOUND

The Safeguarding Personally Identifiable Information Data Extracts Project, which is responsible for implementing the Data Loss Prevention solution, started in Calendar Year 2010 and is ongoing. The project team implemented and expanded the Data-in-Motion component of the solution that includes reviewing unencrypted e-mail and attachments, file transfers, and web traffic for the most common types of Personally Identifiable Information used by the IRS. Our testing indicated that the Data-in-Motion component generally identified and blocked common Personally Identifiable Information types from exfiltration by e-mail as designed, and that potential incidents identified by the solution were reviewed and resolved correctly. However, continued delays with implementing other components are preventing realization of the full benefits of the Data Loss Prevention solution. The causes of the delays include technical, project management, and administrative issues. Because of the delays, two key components involving data in repositories and data in use are still not operational more than eight years after the project started. Without these components, Personally Identifiable Information continues to be at risk of loss. The delays have also resulted in the inefficient use of resources of approximately $1.2 million in software costs for the components that are not operational.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Information Officer deploy the components of the Data Loss Prevention solution, ensure that project documents are prepared and maintained as required, and ensure that any issues requiring negotiations with the National Treasury Employees Union are identified and negotiations started promptly.

The IRS agreed with all three recommendations and plans to deploy the remaining components of the Data Loss Prevention solution and ensure that project documents are consistently prepared and maintained during the deployment of the remaining components. In addition, the IRS stated that the Memorandum of Understanding with the National Treasury Employees Union is currently in the process of concurrence signatures, and the IRS plans to notify the Union of any issues regarding the production implementation of the remaining components.

                                            DEPARTMENT OF THE TREASURY
                                                 WASHINGTON, D.C. 20220




TREASURY INSPECTOR GENERAL
  FOR TAX ADMINISTRATION




                                           August 22, 2019


MEMORANDUM FOR COMMISSIONER OF INTERNAL REVENUE



FROM:                        Michael E. McKenney
                             Deputy Inspector General for Audit

SUBJECT:                     Final Audit Report – The First Phase of the Data Loss Prevention
                             Solution Is Working As Intended, but the Remaining Phases Continue
                             to Experience Delays (Audit # 201820003)

This report presents the results of our review to evaluate whether the Internal Revenue Service
(IRS) has properly implemented controls to prevent data loss, including data exfiltration of
personal information. This audit is included in our Fiscal Year 2019 Annual Audit Plan and
addresses the major management challenge of Security Over Taxpayer Data and Protection of
IRS Resources.
Management’s complete response to the draft report is included as Appendix V.
Copies of this report are also being sent to the IRS managers affected by the report
recommendations. If you have any questions, please contact me or Danny R. Verneuille,
Assistant Inspector General for Audit (Security and Information Technology Services).




                                             Table of Contents

Background ............................................................................................................ Page 1

Results of Review ................................................................................................ Page 6
          The Data-in-Motion Component of the Data Loss
          Prevention Solution Has Been Implemented and Is
          Working As Intended .................................................................................... Page 6
          Delays Are Preventing the IRS From Realizing All the
          Benefits of the Data Loss Prevention Solution ............................................. Page 9
                     Recommendations 1 through 3:......................................... Page 16


Appendices
          Appendix I – Detailed Objective, Scope, and Methodology ........................ Page 17
          Appendix II – Major Contributors to This Report ........................................ Page 19
          Appendix III – Report Distribution List ....................................................... Page 20
          Appendix IV – Outcome Measure ................................................................ Page 21
          Appendix V – Management’s Response to the Draft Report ....................... Page 22
          Appendix VI – Office of Audit Comments on Management’s Response .... Page 26




                   Abbreviations

DAR          Data-at-Rest
DIM          Data-in-Motion
DIU          Data-in-Use
DLP          Data Loss Prevention
IRS          Internal Revenue Service
NTEU         National Treasury Employees Union
OMB          Office of Management and Budget
PII          Personally Identifiable Information
SPIIDE       Safeguarding Personally Identifiable Information Data Extracts
SSN          Social Security Number
TIGTA        Treasury Inspector General for Tax Administration




                                            Background

All Federal Government agencies have the fiduciary responsibility to safeguard information in
their possession and prevent its loss to earn and retain the trust of the American public. The
importance of protecting these data is reflected in the various statutes and departmental and
agency guidance specific to data protection and privacy.
    •   The Privacy Act of 1974 1 requires agencies to establish appropriate administrative,
        technical, and physical safeguards to ensure the security and confidentiality of records
        and to protect against any anticipated threats or hazards to the records’ security or
        integrity that could result in substantial harm, embarrassment, inconvenience, or
        unfairness to any individual on whom information is maintained.
    •   The Office of Management and Budget (OMB) has released several memoranda to
        Federal agencies to address protecting the vast quantities of Personally Identifiable
        Information (PII) managed by the Federal Government. These include OMB M-06-16,
        Protection of Sensitive Agency Information, dated June 2016, which provides guidance
        on protecting data extracts containing PII, and OMB M-17-12, Preparing for and
        Responding to a Breach of Personally Identifiable Information, dated January 2017,
        which sets forth policy for Federal agencies to prepare for and respond to a breach of PII.
    •   The Department of the Treasury’s (hereafter referred to as the Treasury Department)
        Office of the Chief Information Officer instituted additional controls in its memorandum
        M-09-04, related to the management of the Treasury Department’s cybersecurity
        environment. These new controls focused particularly on the storage of data on
        removable media and the unauthorized transmission of information outside the Treasury
        Department, i.e., data exfiltration. Implementation of these controls was intended to help
        ensure better protection from emerging threats.
    •   National Institute of Standards and Technology Special Publication 800-122, Guide to
        Protecting the Confidentiality of Personally Identifiable Information, 2 and Special
        Publication 800-53 revision 4, Security and Privacy Controls for Federal Information
        Systems and Organizations, 3 recommend that agencies implement automated tools, such
        as a network data leakage prevention tool, to monitor transfers of PII and to monitor
        inbound and outbound communications for unauthorized activities.


1
  5 U.S.C. § 552a (2013).
2
  National Institute of Standards and Technology Special Publication 800-122, Guide to Protecting the
Confidentiality of Personally Identifiable Information (Apr. 2010).
3
  National Institute of Standards and Technology Special Publication 800-53 Revision 4, Security and Privacy
Controls for Federal Information Systems and Organizations (Apr. 2013).
                                                                                                          Page 1


The Internal Revenue Service (IRS) is entrusted with protecting information received from
taxpayers, including PII and tax account data. PII is any information that, by its nature or in
combination with other information, may be used to uniquely identify an individual. Examples
include name, Social Security Number (SSN), date and place of birth, mother’s maiden name,
and biometric records. Allowing PII to be removed or exfiltrated for unauthorized purposes
could erode public trust in the IRS’s ability to administer our Nation’s tax system and in the
voluntary compliance nature of tax filing. As part of this responsibility, the IRS relies on its
employees to safeguard tax information and implement systemic controls and measures to
safeguard such information.
In an effort to better control and protect information, such as PII, technical solutions known as
Data Loss Prevention (DLP), also referred to as Data Leak Prevention, are available to
organizations. DLP is the practice of detecting and preventing confidential data, such as PII,
from being “leaked” out of an organization’s boundaries, either intentionally or unintentionally.
In a white paper on DLP, 4 Ernst and Young wrote:
           In addition to obvious data loss methods such as the loss of physical assets such
           as laptops, many data loss incidents are due to accidental disclosure through
           electronic transmissions. In most cases, end users do not realize the risks
           associated with sending sensitive data through unencrypted e-mail, instant
           messages, webmail, and file transfer tools.
While DLP software solutions can vary in their capabilities, they commonly have the ability to
intercept some malicious or criminal attempts to steal information. An important distinction
between DLP and other security technologies is that it focuses on identifying sensitive
information that is critical to an organization and may be at risk by personnel who are authorized
to access the information (and others). This is in contrast with more traditional efforts such as
using a firewall or an intrusion detection system to prevent unauthorized access to data.
Unauthorized activities by employees or contractors to cause harm (wittingly or unwittingly) are
known by the term ‘insider threat.’ Insiders are considered one of today’s biggest security
threats across the government and commercial sectors, and therefore, some kind of DLP
capability is essential to reduce risks. However, given the complexities of identifying and
preventing these activities, it is understood that DLP technology alone cannot identify and
prevent all methods of data theft.
An example of how easily sensitive data can be compromised and misused by insiders involves
two well-known companies developing self-driving car technology. An employee of Google’s
self-driving car division (now Waymo) downloaded thousands of files with proprietary
information by a simple file transfer to a USB drive. The employee then quit and started his own
company specializing in self-driving cars, which was shortly after acquired by Uber, a direct

4
    Ernst and Young, Data Loss Prevention: Keeping Your Sensitive Data Out of the Public Domain (Oct. 2011).




competitor of Waymo. It was then alleged that Uber used the information for its benefit. 5 If
DLP software had been used and properly configured, this incident may have been prevented or
readily identified to minimize the damage.
DLP capability is generally broken down into the protection of three key types of data as listed in
Figure 1. To be considered a full solution, a DLP solution must have the capability to address all
three data types and be integrated by a centralized management function.
                 Figure 1: The Potential Data Loss Sources by Type of Data




Source: Treasury Inspector General for Tax Administration (TIGTA) figure based on DLP definitions.

The Data-in-Motion (DIM) component of DLP covers data being transmitted outside of the
organization through Internet routers, e-mail gateways, and web proxies. This includes data
being transmitted through e-mail, Internet chat, and information entered into web pages. The
Data-at-Rest (DAR) component covers data residing in enterprise data repositories. This
includes data files, file servers, storage area networks, and even end-user workstation hard disks.
The Data-in-Use (DIU) component covers data accessed or used by a system at a point in time.
This includes copying data to a thumb drive, sending information to a printer, or even cutting and
pasting between applications.
In response to OMB and Treasury Department guidance, the IRS created the Safeguarding
Personally Identifiable Information Data Extracts (SPIIDE) Project to oversee the
implementation of controls over data loss, specifically the DLP solution, in Calendar Year 2010.




5
    YHB CPAs and Consultants, A Case for Data Loss Prevention Tools (Mar. 2017).


The DLP solution, as envisioned for use by the IRS, was to be deployed in several releases to
accomplish the following tasks.
    1. Monitor DIM across the IRS infrastructure perimeter, and based on IRS policy, allow or
       prevent PII from leaving the IRS infrastructure or make the user confirm the transmission
       of the data.
    2. Discover DAR residing across the IRS infrastructure and assess whether PII has adequate
       protections.
    3. Monitor DIU created and manipulated on users’ workstations and allow or prevent the
       distribution of the data.
The IRS Cybersecurity Architecture and Implementation group is responsible for the SPIIDE
Project, with the project team being responsible for the technical development, deployment,
implementation, and testing of the DLP solution based on commercial off-the-shelf software.
The SPIIDE Project is governed by an Executive Steering Committee with oversight by the
Management Level Governance Board. There is also a dedicated working group that was
established to monitor the DLP program’s effectiveness, provide input on emergent decision
points, and ensure that the right resources are involved to drive DLP success. The working
group includes members from various IRS functional areas.
To accomplish the stated goals of the SPIIDE Project, the IRS contracted with a third-party
vendor for DLP software licenses in Calendar Year 2011. Initially, the IRS planned to fully
implement the DLP solution in April 2012; however, this date was later changed to July 2012.
In April 2013, the SPIIDE Project Executive Steering Committee approved changing the
implementation date of the DLP solution to December 31, 2014.
In our September 2014 audit report 6 on the progress of the SPIIDE Project’s implementation of
the DLP solution, TIGTA reported that the SPIIDE Project team had completed key required
enterprise life cycle deliverables and had identified and addressed security weaknesses as they
were detected. However, the report also indicated that the SPIIDE Project team continued to
face challenges with timely implementing the DLP solution to protect disclosure of PII and other
data.
This review was performed with information obtained from the Information Technology
organization’s Cybersecurity office in New Carrollton, Maryland, during the period
October 2017 through February 2019. We conducted this performance audit in accordance with
generally accepted government auditing standards. Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objective. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit objective.

6
 TIGTA, Ref. No. 2014-20-087, While the Data Loss Prevention Solution Is Being Developed, Stronger Oversight
and Process Enhancements Are Needed for Timely Implementation Within Budget (Sept. 2014).


Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.








                                     Results of Review

The Data-in-Motion Component of the Data Loss Prevention Solution
Has Been Implemented and Is Working As Intended
The DIM component of the IRS DLP solution was deployed to a production environment in
May 2015. The current screening process includes reviewing unencrypted e-mail and
attachments, file transfers, and web traffic for the most common types of PII used by the IRS.
Our testing indicated that the DIM component generally identified and blocked common PII
types from exfiltration by e-mail as designed and that potential incidents identified by the DLP
solution were reviewed and resolved as required.

The DIM component criteria are based on PII
For internal e-mails with PII, the IRS uses the Secure Enterprise Messaging System, which
enables the IRS to digitally encrypt e-mail messages and attachments sent between IRS
employees. Accordingly, IRS policy states that employees may not e-mail PII outside the IRS
unless there is an approved exception from the Information Technology organization. 7 The
DIM component is a control to ensure that this policy is followed, and it is currently the only
operational component of the DLP solution. If the DIM component identifies potential
unencrypted PII leaving the internal network, it will take action to prevent exfiltration. For
example, an e-mail meeting specific criteria found in the DLP system policies will be blocked,
and the sending employee will receive a warning e-mail explaining why his or her e-mail was not
sent. The e-mail will also be manually reviewed to determine if the circumstances were
suspicious and if further action is warranted.
The IRS initially focused its DLP system policies on SSNs. When the DIM component was
implemented, the first set of policies included rules to identify SSNs based on a specific pattern
and in association with certain keywords, such as “Social Security Number” or “SSN.” After
addressing SSNs, the next set of policies implemented was focused on identifying
password-related terms. The password policy comprises multiple detection rules, including
detection of employee identifiers in combination with common password-related keywords. It
also includes detection of common IRS application names in proximity to password-related
keywords.



7
 The IRS is testing a type of secure communication with taxpayers through the Taxpayer Digital Communications
program. This provides a way for selected taxpayers and their representatives to exchange secure messages with
IRS employees for a variety of reasons, including providing requested documentation for examinations.


Subsequently, the IRS expanded the SSN policy set to include similar types of PII that the IRS
assigns internally for other tax purposes, such as Taxpayer Identification Numbers and Adoption
Taxpayer Identification Numbers. The formats of SSNs and these internal numbers are similar,
consisting of nine-digit number strings, so there are similar complications with identifying them.
For example, when the IRS first began developing the policies used to identify SSNs, it
discovered other types of common nine-digit numbers, such as a 5+4 zip code, that could also be
considered a match. Accordingly, the IRS has been working towards refining the formats and
types of data to be included in the DIM component to increase coverage while also decreasing
the number of false positives. This includes creating exclusion rules that will allow data proven
to result in a false positive to pass through the system. Over time, the IRS has further expanded
the types of data for review, with the most recent policy implemented to identify and protect
unencrypted credit card numbers. Overall, the DIM component is designed to prevent
employees from sending unencrypted e-mails with various PII types to external parties, whether
intentionally or unintentionally.

The DIM component generally identified and blocked common types of PII
To test whether the DIM component was working as intended, we created test e-mails containing
various types of common PII that were supposed to be identified and blocked based on current
DLP policies. We created 30 test e-mails that contained examples of test PII related to
12 common policy rules, with multiple variations of some rules, e.g., PII in the body of the
e-mail versus PII included in an e-mail attachment.
We coordinated with an IRS employee, who attempted to send the test e-mails to an external
e-mail address, and we documented in real time whether the DLP solution blocked the
unencrypted e-mails containing PII based on the related PII policy rule. We then researched any
e-mails that were not blocked to determine whether the criteria should be updated or whether
there was an acceptable reason the e-mails were not blocked. Based on this determination and
for the specific policy rules tested (including certain Taxpayer Identification Numbers,
keywords, and password terms), the DLP solution identified and blocked our test e-mails as
expected.
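The policy logic described in the two sections above (nine-digit identifiers tied to keywords, the 5+4 zip code exclusion rule, password keywords in proximity to application names or employee identifiers, credit card numbers, and a severity derived from the number of criteria matches) can be expressed as a small content-inspection engine run over constructed test messages, in the spirit of the test e-mails used in the audit. This is an added illustration, not the IRS's DLP configuration or the report's own material; the keyword lists, application names, the SEID identifier form, the Luhn check and the severity thresholds are assumptions made here.

```python
import re
from dataclasses import dataclass, field

# Assumed rule definitions modelled on the DIM policies the report describes.
# Keyword lists, application names, the identifier form and the thresholds are
# illustrative assumptions, not the IRS's actual policy set.
NINE_DIGIT = re.compile(r"(?<![\w-])\d{3}[- ]?\d{2}[- ]?\d{4}(?![\w-])")
ZIP_PLUS4 = re.compile(r"\d{5}-\d{4}")                      # 5+4 zip code: nine digits, not PII
CARD_LIKE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13 to 19 digits with separators
EMPLOYEE_ID = re.compile(r"\bSEID\s*:?\s*[A-Z0-9]{5}\b", re.I)  # assumed employee identifier form
SSN_KEYWORDS = ("social security number", "ssn", "tin", "taxpayer identification number")
PASSWORD_KEYWORDS = ("password", "passwd", "pwd", "passphrase")
APP_NAMES = ("IDRS", "MeF", "AMS")   # assumed application names for the proximity rule
WINDOW = 60   # characters either side of a match within which a keyword must appear


def _keyword_re(words):
    return re.compile(r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b", re.I)


SSN_KW_RE = _keyword_re(SSN_KEYWORDS)
PASSWORD_KW_RE = _keyword_re(PASSWORD_KEYWORDS)
APP_RE = _keyword_re(APP_NAMES)


@dataclass
class Incident:
    policy: str
    matches: list = field(default_factory=list)
    severity: str = "Low"


def near(text, span, pattern):
    """True if `pattern` occurs within WINDOW characters of the matched span."""
    lo, hi = max(0, span[0] - WINDOW), span[1] + WINDOW
    return pattern.search(text[lo:hi]) is not None


def luhn_ok(digits):
    """Luhn checksum, used to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_rule(text):
    hits = []
    for m in NINE_DIGIT.finditer(text):
        if ZIP_PLUS4.fullmatch(m.group()):   # exclusion rule: a proven false positive
            continue
        if near(text, m.span(), SSN_KW_RE):  # pattern must be associated with a keyword
            hits.append(m.group())
    return hits


def password_rule(text):
    hits = []
    for m in PASSWORD_KW_RE.finditer(text):
        if near(text, m.span(), EMPLOYEE_ID) or near(text, m.span(), APP_RE):
            hits.append(m.group())
    return hits


def card_rule(text):
    hits = []
    for m in CARD_LIKE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(m.group())
    return hits


RULES = {"ssn": ssn_rule, "password": password_rule, "credit_card": card_rule}


def severity(n_matches):
    # Assumed thresholds: severity rises with the number of criteria matches.
    return "High" if n_matches >= 3 else "Medium" if n_matches == 2 else "Low"


def inspect(message):
    """Return the incidents an unencrypted outbound message would raise."""
    incidents = []
    for name, rule in RULES.items():
        hits = rule(message)
        if hits:
            incidents.append(Incident(name, hits, severity(len(hits))))
    return incidents


def decide(message):
    """Block the message if any policy fires; otherwise let it through."""
    return "BLOCK" if inspect(message) else "ALLOW"


# Constructed test messages, one per behaviour the rules are meant to show.
TEST_MESSAGES = {
    "ssn_body": "Taxpayer SSN 123-45-6789 needs a transcript.",
    "ssn_no_keyword": "Invoice 123456789 is attached for review.",
    "zip_plus4": "Send the SSN verification form to P.O. Box 589, Washington, D.C. 20044-0589.",
    "three_tins": "TIN list: 111-22-3333, 222-33-4444, 333 44 5555",
    "app_password": "The IDRS password is hunter2, please keep it safe.",
    "card": "Charge card 4111 1111 1111 1111 for the balance.",
    "random_digits": "Tracking number 1234 5678 9012 3456 shipped today.",
}

if __name__ == "__main__":
    for label, msg in TEST_MESSAGES.items():
        print(f"{label:15} {decide(msg):5} {[(i.policy, i.severity) for i in inspect(msg)]}")
```

The `zip_plus4` message carries an SSN keyword within the proximity window, so it is allowed only because the exclusion rule fires before the keyword check.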

Potential incidents identified by the DLP solution were reviewed and resolved
properly
When the DLP solution identifies and blocks data that meet certain exception criteria as
designated in DLP system policies, the identified traffic is referred to the DLP Operations team,
which receives the event information in the form of potential incidents. The DLP Operations
team analyzes each potential incident to determine if a PII disclosure or attempted disclosure
occurred. If a potential incident is confirmed, the DLP Operations team escalates it to one or
more parties, depending on its categorization.
   •   Business System Process Liaison Event Responders are the primary recipients of DLP
       event alerts. They receive alerts of blocked events when an employee from the business


         unit attempts to send unencrypted PII to another governmental recipient or taxpayer
         representative while performing his or her work. The Business System Process Liaison
         Event Responders are supposed to triage the events and, if necessary, contact the
         manager of the employee for additional information or to provide feedback.
    •    TIGTA receives notice of suspicious e-mails in which an employee attempts to send PII
         to a private or foreign e-mail address with no context in the e-mail to indicate or establish
         if the e-mail was work related.
    •    The Privacy, Governmental Liaison, and Disclosure office receives notice of all events
         that involve possible loss of sensitive data from a privacy perspective, such as unblocked
         e-mails containing SSN information. If necessary, it will contact the appropriate
         Business System Partner for assistance with determining if an unauthorized disclosure
         occurred.
    •    The Computer Security Incident Response Center receives notice of events that could
         substantially increase the risk of exposure to IRS systems. For example, employees
         attempting to send documents that contain network diagrams or Internet Protocol
         addresses 8 of information technology assets.
If the party receiving the potential incident disagrees with the initial assessment, the potential
incident should be sent back to the DLP Operations team for further review.
To test whether potential incidents were reviewed, classified, and referred or otherwise resolved
correctly, we reviewed a sample of incidents on the DLP system. We selected a judgmental
sample 9 of 56 incidents of the 1,561 incidents that were generated during the two-week period
from May 1 through May 14, 2018. Incidents are classified by a Severity Rating of High,
Medium, or Low, determined by the policy set in use. For example, the severity for the SSN
policy is based on the number of criteria matches identified for that incident. For each of the
14 days, we judgmentally selected two High-, one Medium-, and one Low-Severity incident
(i.e., four per day) 10 and reviewed them to determine whether they were triaged and remediated
in accordance with IRS policy. We determined that all of the sampled incidents were reviewed
and resolved correctly.




8
  An identifier for a computer or device on a suite of communication protocols used to connect hosts on the Internet.
The format of an Internet Protocol address is a 32-bit numeric address written as four numbers separated by periods.
Each number can be zero to 255.
9
  A judgmental sample is a nonprobability sample, the results of which cannot be used to project to the population.
10
   For two of the days, there were no Medium-Severity incidents generated. In their place, we substituted
two High-Severity incidents selected at random that were generated the same days. Therefore, the total incidents
by category were 30 High-, 12 Medium-, and 14 Low-Severity incidents, for a total of 56 incidents reviewed.
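The severity rating and the daily sample selection described above, together with the substitution rule in footnote 10, can be reproduced in code. The following is an added example, not TIGTA's or the IRS's code: the incident log, the dates and the per-day counts are constructed, and the SSN match-count thresholds for High/Medium/Low are assumptions, since the report only says that SSN severity depends on the number of criteria matches.

```python
"""
Severity rating and the daily stratified incident sample from the audit (hypothetical
example; not TIGTA's or the IRS's code). Dates and incident counts are constructed;
the SSN match-count thresholds are assumptions, since the report gives none.
"""
import random
from collections import Counter
from datetime import date, timedelta

# Assumed cut-offs: the report only says SSN severity depends on the number of criteria matches.
SSN_THRESHOLDS = ((10, "High"), (3, "Medium"), (1, "Low"))


def severity_for(match_count: int) -> str:
    """Rate an SSN-policy incident High/Medium/Low from its criteria-match count."""
    for floor, label in SSN_THRESHOLDS:
        if match_count >= floor:
            return label
    return "Low"


def make_incidents(start: date, days: int, per_day: dict, no_medium_days=()) -> list:
    """Constructed incident log: per_day says how many of each severity to generate per day;
    days listed in no_medium_days get no Medium incidents (mirrors footnote 10)."""
    incidents, next_id = [], 1
    for offset in range(days):
        day = start + timedelta(days=offset)
        for sev, count in per_day.items():
            if sev == "Medium" and offset in no_medium_days:
                continue
            matches = {"High": 12, "Medium": 5, "Low": 1}[sev]   # counts that map to each rating
            for _ in range(count):
                incidents.append({"id": next_id, "date": day, "policy": "SSN", "matches": matches})
                next_id += 1
    return incidents


def select_sample(incidents: list, quota=None, seed: int = 0) -> list:
    """Per day: 2 High, 1 Medium, 1 Low. If a day has no Medium incident, substitute one
    extra High incident chosen at random from that same day (the report's footnote 10)."""
    quota = quota or {"High": 2, "Medium": 1, "Low": 1}
    rng = random.Random(seed)
    by_day = {}
    for inc in incidents:
        sev = severity_for(inc["matches"])
        by_day.setdefault(inc["date"], {}).setdefault(sev, []).append(inc)
    sample = []
    for day in sorted(by_day):
        pools = by_day[day]
        highs = list(pools.get("High", []))
        picked_high = rng.sample(highs, min(quota["High"], len(highs)))
        sample.extend(picked_high)
        for sev in ("Medium", "Low"):
            pool = pools.get(sev, [])
            if pool:
                sample.extend(rng.sample(pool, min(quota[sev], len(pool))))
            elif sev == "Medium":
                # substitution: one more High from the day's remaining High incidents
                leftover = [i for i in highs if i not in picked_high]
                if leftover:
                    sample.append(rng.choice(leftover))
    return sample


def sample_breakdown(sample: list) -> Counter:
    """Count sampled incidents by severity."""
    return Counter(severity_for(inc["matches"]) for inc in sample)


# Constructed log: 14 days from May 1, 2018; offsets 3 and 8 (May 4 and May 9) have no Medium.
INCIDENTS = make_incidents(date(2018, 5, 1), 14,
                           {"High": 5, "Medium": 3, "Low": 4}, no_medium_days=(3, 8))

if __name__ == "__main__":
    picked = select_sample(INCIDENTS)
    print(len(picked), dict(sample_breakdown(picked)))   # 56 {'High': 30, 'Medium': 12, 'Low': 14}
```

With two days lacking Medium incidents the selection yields 30 High, 12 Medium and 14 Low, the same 56-incident split the footnote reports; the seed makes the random substitution reproducible, which matters when an auditor has to document how a sample was drawn.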
                                                                                                             Page 8
While we found that the DIM component of the DLP was working as intended, we are concerned
with the IRS’s progress on the remaining two components of the DLP solution, the DAR and
DIU.

Delays Are Preventing the IRS From Realizing All the Benefits of the
Data Loss Prevention Solution
As previously stated, the IRS initiated the SPIIDE Project to help meet the various requirements
set forth by the OMB and the Treasury Department and to address known shortcomings related
to PII protection. In the SPIIDE Project Charter Version 1.1, dated August 31, 2011, the IRS
acknowledged that it had no comprehensive plan in place to:
   •   Accurately discover or prevent Sensitive But Unclassified/PII data leakage.
   •   Ensure the public’s trust of conducting business electronically, e.g., electronic filing.
   •   Prevent unauthorized disclosure of information.
Accordingly, the intent of the SPIIDE Project was to implement a DLP solution to reduce the
risk of disclosure of PII or other tax information by monitoring PII data in the IRS network.
Some specific benefits of the DLP solution cited by the IRS are as follows:
   •   Protecting taxpayer data by reinforcing security due diligence with continuous
       monitoring and prevention of unauthorized or accidental use or disclosure of sensitive
       data.
   •   Protecting IRS employees by enhancing user security awareness with real-time
       educational notification prompts reinforcing IRS processes and policies.
   •   Providing enhanced protection against insider threats.
   •   Aiding potential investigations (including those by TIGTA) with logged event details.
The DLP solution was to be deployed in a multiple release approach utilizing a commercial
off-the-shelf DLP software with the three components, DIM, DAR, and DIU, to be released in
succession as shown in Figure 2.
                         Figure 2: IRS Proposed DLP Release Plan

               Release Number    Component in Release    Target Release Date
                     1                  DIM               December 31, 2012
                     2                  DAR               August 1, 2013
                     3                  DIU               December 31, 2014
          Source: IRS SPIIDE Project Charter Version 1.1, dated August 31, 2011.

                                                                                              Page 9
However, the IRS was unable to meet any of these targeted release dates. In addition, the DAR
and DIU components have still not been deployed at this time, which is more than five years
after the initial target release date for the DAR component. Continued delays have prevented the
risks of PII being inadvertently or intentionally released during the course of normal duties from
being fully addressed and the full benefits of the DLP solution from being realized. Until all
three components are operational, the IRS will not meet the original OMB and Treasury
Department requirements.

The DAR and DIU components are important parts of the DLP solution
The IRS deployed the DIM component and expanded its criteria, which is an important
accomplishment; however, the DAR and DIU components are also important parts of the full
solution. The DAR component provides the capability to scan data residing in data repositories
to identify data vulnerable to exfiltration, at which point actions can be taken to address them.
These data repositories can include data on workstations, server drives, or network shares. Once
data at risk are identified, appropriate actions can be taken, including encrypting the data or
deleting the data if they are not needed. This capability is especially useful given the large
number of data repositories maintained by the IRS.
The purpose of the DIU component is to provide protection at the ‘endpoint’ (i.e., workstation or
laptop) as the proposed workflow for DIU allows users to correct their content before it is sent
out. This is accomplished by monitoring and blocking confidential data from being printed,
faxed, or copied to USB drives or other removable media.
The effectiveness of the two components is further increased when they are integrated into the
overall DLP solution to work in concert with each other and with the DIM component. This
includes using a common dashboard and reporting methodology for overall analytics and control
and leveraging existing DIM policy sets for use as criteria. While the DIM component addresses
the most obvious method of data exfiltration, PII is still at risk to insider threats by other avenues
until the DAR and DIU components are deployed.

Implementation progress of the DAR and DIU components was severely limited
The reasons for DLP project delays are varied, but they have been significant and ongoing,
especially in regard to the development and deployment of the DAR and DIU components. The
delays on the project as a whole and to the DAR and DIU components in particular have resulted
in multiple changes to target release dates since the project began.
In TIGTA’s September 2014 audit report on the IRS’s progress with the implementation of the
DLP solution, we reported that:
       Based on its new projected implementation date of December 31, 2014, the IRS
       will have taken more than four years to build and develop its DLP solution.



                                                                                              Page 10
We concluded that:
         Because of the length of time taken, TIGTA believes that stronger management
         oversight is needed to ensure that the DLP solution meets its new implementation
         date within budget. 11
On May 22, 2015, the IRS Cybersecurity office placed the DIM component into production,
more than two years after the initial target release date and almost five months after its revised
target date. In the years following the DIM component deployment, the project team continued
to make incremental improvements to it. For example, during Calendar Year 2016, the DLP
team expanded DIM criteria by including different Taxpayer Identification Number types in the
SSN policy set, and in Calendar Year 2017, evaluation and testing of potential new policies
(including credit card numbers) were performed. Also, new exclusions were added to the
existing policies, including exclusions for specific websites that were producing false-positives.
In August 2018, the DLP team deployed into production the DIM policy to detect and block
transmission of credit card numbers and magnetic strip data. In addition, since the DIM
component was deployed, the IRS has performed various activities to support the DLP solution
as a whole, such as periodically upgrading the DLP software to successive versions and making
upgrades to infrastructure.
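The DIM policy work described in this paragraph (an SSN policy set, a credit card policy, and exclusions for sites that produced false positives) and the DAR scan of workstations, server drives and network shares described earlier are the same content-matching problem applied to data in motion and data at rest. The following is an added example, not IRS or vendor code: it applies three policies to a constructed set of repository files and routes findings to the parties named in the incident workflow. The policy names, the SSN structural rules, the Luhn check, the IPv4 rule from footnote 8, the excluded host and all sample file contents are constructed for illustration.

```python
"""
DLP content policies applied to a data-at-rest scan (hypothetical example; not IRS or
vendor code). Policy names, the exclusion list and the sample files are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# --- Policy sets (names and rules are assumptions) ------------------------------
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # 13-16 digits, spaces/hyphens allowed
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
URL_RE = re.compile(r"https?://\S+")

# Hosts whose links produced false positives and were excluded from matching (constructed).
EXCLUDED_HOSTS = {"example-false-positive.test"}


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area not 000/666/9xx, group not 00, serial not 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to weed out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_ipv4(octets) -> bool:
    """Footnote 8: four numbers separated by periods, each between 0 and 255."""
    return all(0 <= int(o) <= 255 for o in octets)


def _drop_excluded_urls(text: str) -> str:
    """Remove URLs on excluded hosts so their paths cannot trigger a policy."""
    def repl(m):
        host = urlparse(m.group(0)).hostname or ""
        return "" if host in EXCLUDED_HOSTS else m.group(0)
    return URL_RE.sub(repl, text)


def scan_text(text: str) -> Counter:
    """Return criteria-match counts per policy for one piece of content."""
    cleaned = _drop_excluded_urls(text)
    hits = Counter()
    for m in SSN_RE.finditer(cleaned):
        if is_valid_ssn(*m.groups()):
            hits["SSN"] += 1
    for m in CARD_RE.finditer(cleaned):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits["CreditCard"] += 1
    for m in IPV4_RE.finditer(cleaned):
        if is_ipv4(m.groups()):
            hits["IPv4"] += 1
    return hits


def notify_parties(hits: Counter) -> set:
    """Route as the report describes: PII types to the Privacy office, network
    identifiers to the Computer Security Incident Response Center (assumed mapping)."""
    parties = set()
    if hits["SSN"] or hits["CreditCard"]:
        parties.add("Privacy, Governmental Liaison, and Disclosure")
    if hits["IPv4"]:
        parties.add("Computer Security Incident Response Center")
    return parties


def scan_repository(files: dict) -> dict:
    """DAR-style pass over {path: content}; returns findings keyed by path."""
    findings = {}
    for path, content in files.items():
        hits = scan_text(content)
        findings[path] = {"hits": hits, "notify": notify_parties(hits)}
    return findings


# Constructed repository contents (not real data).
SAMPLE_FILES = {
    "shares/hr/payroll_2018.txt":
        "Employee 123-45-6789 and 234-56-7890; placeholder 000-12-3456 is not a valid SSN.",
    "shares/it/network_notes.txt":
        "Core router 10.12.0.1, firewall 10.12.0.254, typo 10.12.0.999. "
        "Ref http://example-false-positive.test/ref/123-45-6789 (excluded host) "
        "and ticket https://helpdesk.example/t/345-67-8901.",
    "workstations/ws-0042/receipts.txt":
        "Paid with 4111 1111 1111 1111; order ref 1234 5678 9012 3456 (fails Luhn).",
    "shares/public/newsletter.txt":
        "Nothing sensitive here.",
}

if __name__ == "__main__":
    for path, finding in scan_repository(SAMPLE_FILES).items():
        print(path, dict(finding["hits"]), sorted(finding["notify"]))
```

The match counts per policy are what a severity rating would be computed from; the exclusion step shows why the report's false-positive exclusions matter, since the same SSN-shaped string is ignored inside a link to the excluded host but counted in the help-desk ticket link.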
The IRS has devoted resources to improving the DIM component since its deployment about
four years ago, but the DAR and DIU components are still not operational. We identified the
following factors that affected the SPIIDE Project’s ability to deploy the DAR and DIU
components of the DLP:
     •   Efforts focused primarily on the DIM component implementation
         According to the IRS, this was the primary cause of the overall project delay. The
         significant work required to deploy the DIM component and the post-implementation
         technical efforts encountered were key contributing factors delaying the timely
         deployment of the DAR and DIU components. After the DIM component was placed
         into production, the amount of work required to maintain and expand its capabilities was
         more than anticipated. When the amount of work to develop other capabilities such as
         Sensitive Image Recognition 12 was also considered, the IRS chose to reevaluate the
         overall focus of the project, which resulted in further delays to the DAR and DIU
         components.
         From May 2015 to November 2017, we found very little evidence that notable progress
         was made towards deployment of the other two components. Specifically, work related
         to the DAR and DIU components was sporadic and limited to various planning and


11
   TIGTA, Ref. No. 2014-20-087, While the Data Loss Prevention Solution Is Being Developed, Stronger Oversight
and Process Enhancements Are Needed for Timely Implementation Within Budget p. 3 (Sept. 2014).
12
   An add-on capability to the DLP software that enables detection of sensitive text embedded in images.
                                                                                                      Page 11
         testing activities as well as hardware acquisition through the end of Calendar Year 2017,
         when our audit started. The level of activity related to DAR and DIU development
         increased after that time, but as of the end of Calendar Year 2018, both components were
         still not ready for deployment. The original project charter had an estimated date of
         December 31, 2014, for full deployment of the DLP solution. The new estimated date
         based on the information for DAR and DIU deployment in the latest draft Work
         Breakdown Structure 13 is June 2020. This document also included planned start dates of
         September 2017 and December 2017 for DIU/Sensitive Image Recognition development
         and DAR development, respectively.
         In November 2018, the IRS stated that additional changes were being made to the DLP
         implementation strategy, which would further affect the implementation dates for the
         DAR and DIU components. As of June 24, 2019, the IRS had not responded to our
         June 19, 2019, request for a DLP implementation strategy update.
     •   Project management documentation was not always prepared or updated
         Project documentation was not always prepared or updated as required after deployment
         of the DIM component, indicating inconsistent project management related to the DAR
         and DIU components. Documentation is an important part of project management, and
         various documents are required to be prepared and maintained during the course of the
         project. For example, Internal Revenue Manual 2.16.1, Enterprise Life Cycle, Enterprise
         Life Cycle Guidance, 14 lists specific documents required in order for projects to move
         through the stages of development. The project began in Calendar Year 2010, and we
         identified some required documentation that was approved in Calendar Year 2011, e.g.,
         the Project Charter and the Project Management Plan. 15
         However, after the DIM was placed into production in May 2015, some required
         documents were still in draft form or had not been updated as required. For example, the
         Project Management Plan was originally approved in August 2011; however, even
         though it is a key project planning document, the plan had not been updated as required
         since the original approval. While the project team did continue to develop the DIM
         component over time, the documentation issues observed after it was deployed showed
         that working on the DAR and DIU components was not a priority until Calendar
         Year 2018, when the project focus was reevaluated.




13
   A deliverable-oriented grouping of project elements that organizes and defines the total scope of a project. This
project schedule is used to manage the tasks, task relationships, and resources needed to meet project goals.
14
   July 10, 2017.
15
   This document defines the project’s scope of work and its approach to managing all project activities. Its purpose
is to provide a framework for managing project activities and for completing the project successfully.
                                                                                                            Page 12
   •   National Treasury Employees Union (NTEU) negotiations
       In certain circumstances, the IRS is required to negotiate and reach a formal agreement
       with the NTEU prior to certain actions being taken. The IRS negotiated with the NTEU
       in regard to the DLP solution, and a Memorandum of Understanding was approved in
       July 2014 that set out certain stipulations and limitations related to how the DLP DIM
       solution affected bargaining unit employees. In the prior TIGTA audit, these negotiations
       were reported as having adversely affected project time frames, with information from
       IRS management indicating that the negotiations had taken a year. In September 2015,
       the IRS and NTEU signed an addendum to the original Memorandum of Understanding
       pertaining to the DIM component only. During this audit, the IRS stated that a meeting
       was scheduled with the NTEU to negotiate a Memorandum of Understanding related to
       the implementation of the DAR and DIU components. IRS management has again cited
       the negotiations as the cause of delays with project implementation.

Further project delays to the DAR and DIU components could result in additional
inefficient use of resources
Executive Order 13589 (November 9, 2011), Promoting Efficient Spending, requires Federal
agencies to establish controls to ensure that they are not paying for unused or underutilized
information technology equipment, software, or services. In addition, IRS policy states that
information technology governance is a function of internal control within the IRS, and the
primary objective of governance is to ensure that assigned investment, program, and project
objectives are met; risks are managed; and expenditures are sound. Accordingly, IRS
management is directly responsible for ensuring that funds allocated to information technology
projects, such as the SPIIDE Project’s DLP program, are not being misused or wasted.
As part of the SPIIDE Project, the IRS originally contracted for the DLP solution software in
early Calendar Year 2011. At that time, the IRS purchased 110,000 licenses when its workforce
was about 104,000 employees (extra licenses were needed for contractors), and another
30,000 licenses for the Treasury Department to use, for a total of 140,000 licenses. However,
the IRS workforce subsequently decreased, and by Calendar Year 2015, the total number of
employees was substantially smaller (about 90,000). Recognizing this reduction, in Calendar
Year 2015, the Treasury Department took over the administration of the DLP license renewal
contract, including the DIM, DAR, and DIU components, and transitioned to a Departmentwide
contract for the same 140,000 licenses, all of which were then made available for use to all
Treasury Department bureaus.
The IRS remained the largest user of the licenses. Because of the Treasury Department’s
actions, the IRS stopped contracting directly for the DLP license renewals and began acquiring




                                                                                        Page 13
them using an Interagency Agreement 16 with the Treasury Department under its Franchise Fund
Shared Services Program. 17
Figure 3 shows the full DLP cost based on the Treasury Department’s contract amounts for
Fiscal Years 2016 through 2019 and the associated amounts attributable to the DAR and DIU
components.
         Figure 3: DLP Contract Amounts for Fiscal Years 2016 Through 2019

                                                              Fiscal Year
                                           2016        2017        2018        2019        Total
 Treasury Department Cost for DLP
 (full agreed contract price
 per fiscal year)                      $565,100    $625,900    $654,500    $692,700  $2,538,200
 DIM and Remote Assistance/
 Technical Support Portion
 (per contract)                        $211,000    $253,000    $277,900    $294,100  $1,036,000
 DAR Portion (per contract)            $175,900    $161,900    $137,900    $146,000    $621,700
 DIU Portion (per contract)            $178,300    $211,000    $238,700    $252,600    $880,600
 Total Cost of DAR and DIU
 (per contract)                        $354,200    $372,900    $376,600    $398,600  $1,502,300

Source: TIGTA’s analysis of the DLP licenses. Some totals may not compute due to rounding.

The Treasury Department uses the Treasury Franchise Fund to assign and allocate shared costs to
the requesting bureaus. The Treasury Department then bills the bureaus monthly for their share
of the services. In Fiscal Year 2019, the Treasury Franchise Fund estimated that the overall DLP
cost was $692,700, and the IRS share was set at about 80 percent of that amount.
We obtained and analyzed the contract documents pertinent to the DLP solution software license
costs, which provided separate license information for the three individual components. We
limited our analysis to the costs incurred for the three components from Fiscal Years 2016
through 2019. We used the IRS’s Fiscal Year 2019 Treasury Franchise Fund share (i.e., about
80 percent) to determine the cost allocated to the IRS for each component for prior fiscal years.
The significant delays with the deployment of the DAR and DIU components of the DLP
solution resulted in the inability to use the capabilities associated with these two components.

16
   A written agreement entered into between two Federal agencies, or major organizational units within an agency,
that specifies the goods to be furnished or tasks to be accomplished by one agency (the service agency) in support of
the other (the requesting agency).
17
   The Shared Services Program with the Treasury Franchise Fund provides common administrative services that
benefit customers both within the Treasury Department and outside agencies.
                                                                                                           Page 14
However, the IRS continued to pay for DLP license renewal costs for these two components per
the terms of the Interagency Agreement.
Figure 4 shows the total amount paid for unused software based on the total contract costs
associated with the DAR and DIU components and the cost allocation for the IRS per the
Interagency Agreement terms.
         Figure 4: Analysis of Amounts Paid for the DLP Components That
          Were Not Used by the IRS From Fiscal Years 2016 Through 2019

                                                     Fiscal Year
                                      2016        2017        2018        2019        Total
 Total of DAR and DIU Portions
 (per contract, from Figure 3)    $354,200    $372,900    $376,600    $398,600  $1,502,300
 DAR Amount (IRS portion)         $140,800    $129,600    $110,400    $116,900    $497,700
 DIU Amount (IRS portion)         $142,700    $168,900    $191,100    $202,300    $705,000
 Total Amount Paid for Unused
 Software by IRS                  $283,500    $298,500    $301,500    $319,200  $1,202,700
Source: TIGTA’s analysis of the DLP licenses.

During this period, a cost of about $1.5 million was incurred by the Treasury Department for
license renewals associated with the DAR and DIU components. The IRS was responsible for
about 80 percent of this cost based on the terms of the Interagency Agreement with the Treasury
Department. Therefore, the IRS was responsible for paying approximately $1.2 million for
software that was not deployed into production, i.e., not in use, over a four-year period. We did
not include the costs incurred under these contracts for remote assistance/technical support for
the DLP solution that was allocated to the IRS.
When the IRS initially contracted for the DLP software in Fiscal Year 2011, all three
components were expected to be deployed by the end of Calendar Year 2014. By the time the
Treasury Department took over administration of the contract in February 2015, the original
projected release dates had elapsed and none of the three components had been deployed. From
that point, delays continued to affect the project, resulting in the DAR and DIU components not
being deployed as originally planned. The IRS estimates that both components will be
implemented by June 15, 2021.
To achieve the full functionality envisioned for the DLP solution, all three components must be
deployed into a production environment. Therefore, the delays related to the DAR and DIU
implementation are preventing full compliance with the OMB and other requirements and the
realization of the full project benefits, including the protection of PII and the efficient use of
resources.

                                                                                           Page 15
Recommendations
The Chief Information Officer should:
Recommendation 1: Deploy the DAR and DIU components of the DLP solution.
       Management’s Response: The IRS agreed with this recommendation. The
       Cybersecurity office will deploy the DAR and DIU components.
Recommendation 2: Ensure that project documents are prepared and maintained as required
for effective project management, which should help ensure the successful delivery of the final
two components of the DLP solution.
       Management’s Response: The IRS agreed with this recommendation. The SPIIDE
       Project team will ensure that project documents are consistently prepared and maintained
       during the deployment and delivery of the DAR and DIU components.
Recommendation 3: Ensure that any issues requiring negotiations with the NTEU related to
the SPIIDE Project are identified and negotiations started promptly to reduce potential adverse
impacts on project timelines.
       Management’s Response: The IRS agreed with this recommendation. The
       Memorandum of Understanding is currently in the process of concurrence signatures.
       The SPIIDE Project team will notify the NTEU of any issues as stipulated in the
       Memorandum of Understanding agreement regarding the production implementation of
       the DIU and DAR components.




                                                                                        Page 16
                                                                                                     Appendix I

            Detailed Objective, Scope, and Methodology

The overall objective of this review was to evaluate whether the IRS has properly implemented
controls to prevent data loss, including data exfiltration of personal information. To accomplish
our objective, we:
I.         Determined the overall status of the DLP project, whether it was effectively managed to
           meet planned milestones and minimize project costs, and whether the criteria used were in
           accordance with relevant guidance.
           A. Determined when the solution was to be fully implemented and the causes of any
              delays.
           B. Obtained and analyzed contracts and financial documents to determine if the IRS
              effectively utilized the DLP licenses allocated to it per the contract.
           C. Determined whether the DLP policies and procedures were in accordance with
              applicable criteria.
II.        Determined whether the current operational DLP component was effectively identifying
           and blocking the PII the IRS was trying to protect.
           A. Determined if the information protected by the DIM solution was consistent with the
              written scope of the project.
           B. Reviewed Government standards to determine what other types of PII could have
              been included in the DIM scope and determined if the IRS considered these items.
              We determined why some items were not included.
           C. Determined if the DIM component was functioning as intended to successfully
              identify and block relevant data, taking into account the intended IRS scope of data
              protection.
           D. Selected a judgmental sample 1 of 56 of the 1,561 potential incidents generated from
              May 1 through May 14, 2018, and determined if identified potential incidents were
              processed by following the correct procedures for routing and remediation.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for

1
    A judgmental sample is a nonprobability sample, the results of which cannot be used to project to the population.
                                                                                                             Page 17
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined that the
following internal controls were relevant to our audit objective: OMB memoranda, Internal
Revenue Manual sections, National Institute of Standards and Technology and Treasury
Department guidelines, and other procedures related to implementing the DLP solution to
monitor PII. We evaluated these controls by interviewing IRS management and staff and
reviewing relevant documentation from the National Institute of Standards and Technology, the
OMB, the Treasury Department, and the IRS. We also reviewed other relevant supporting
documentation, such as DLP incident reports and documents supporting the procurement of the
DLP solution.




                                                                                       Page 18
                                                                              Appendix II

                 Major Contributors to This Report

Danny Verneuille, Assistant Inspector General for Audit (Security and Information Technology
Services)
Kent Sagara, Director
Jason McKnight, Acting Audit Manager
Ryan Perry, Acting Audit Manager
Steven Stephens, Lead Auditor
Midori Ohno, Senior Auditor
Linda Nethery, Information Technology Specialist




                                                                                      Page 19
                                                                  Appendix III

                          Report Distribution List

Deputy Commissioner for Operations Support
Chief Information Officer
Deputy Chief Information Officer for Operations
Associate Chief Information Officer, Cybersecurity
Director, Cybersecurity Architecture and Implementation
Director, Cybersecurity Operations
Director, Enterprise Audit Management




                                                                         Page 20
                                                                                 Appendix IV

                                Outcome Measure

This appendix presents detailed information on the measurable impact that our recommended
corrective actions will have on tax administration. This benefit will be incorporated into our
Semiannual Report to Congress.

Type and Value of Outcome Measure:
•   Inefficient Use of Resources – Potential; $1.2 million (see page 9).

Methodology Used to Measure the Reported Benefit:
The IRS pays for the use of the DLP software through an Interagency Agreement with the
Treasury Department, which contracts with the vendor for the software. The terms of the
Interagency Agreement dictate that the IRS is responsible for a percentage of the contract cost, as
determined by the Treasury Department. For Fiscal Year 2019, the Treasury Department set the
IRS’s share of the DLP cost at 80.06 percent.
From Fiscal Years 2016 through 2019, the Treasury Department paid $2,538,190 for the entire
DLP solution. Our analysis of the contracts found that $1,502,253 was attributed to the DIU and
the DAR components of the DLP solution. By applying the IRS’s share of the contract costs of
80.06 percent, we calculated that the IRS paid $1,202,704 for the DIU and the DAR components
not deployed into production during the four-year period.




                                                                                           Page 21
                                                    Appendix V

Management’s Response to the Draft Report



                                                                                  Appendix VI

                      Office of Audit Comments on
                        Management’s Response

While IRS management agreed with all of the recommendations in the report, the IRS disagreed
that deployment delays for two DLP components resulted in an inefficient use of resources. In
its management response to the draft report, the IRS asserted that the significant price reduction
below the General Services Administration price for the DLP software, including all three
components, far surpassed the money spent on the DIU and DAR components that were not
implemented as expected.
Management’s Response: In 2015, the Treasury Department awarded a multi-year Firm Fixed
Price contract for DLP software based on the products and licensing requirements of all
bureaus. The terms of that contract contained extraordinary price reductions that afforded all
Treasury Department bureaus the ability to test and progress toward implementation of the full
suite of DLP software for 90 percent less than the General Services Administration price for
owning the single DLP DIM component that was effectively deployed by the IRS. Due to these
significant price reductions, the IRS’s holistic view of the Total Cost of Ownership for the
acquisition reflects that the pricing structure and license sharing across all Treasury bureaus
was extremely advantageous to the government. The total savings exceeded nearly $10 million,
which far surpassed the $1.2 million for the four-year period noted in your report. In the light of
the total savings, our view is that the overall contractual cost avoidance and the planned
implementation of the DIU and DAR functions are not an inefficient use of resources.
       Office of Audit Comment: While the Department of the Treasury obtained the
       extraordinary price reductions for the DLP solution, the IRS inefficiently used its
       resources when it did not implement two components of the DLP solution and make full
       use of the purchased software capabilities. The IRS paid $1.2 million from Fiscal
       Years 2016 through 2019 for unused licenses for the DIU and DAR components of the
       DLP solution.