Improvements Are Needed to More ******2****** ***2*** the Virtual Host Infrastructure Platform

Published by the Office of the Treasury Inspector General for Tax Administration on 2021-06-03.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

  TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION




              Improvements Are Needed to More ******2******
               ***2*** the Virtual Host Infrastructure Platform


                                                      June 3, 2021

                                         Report Number: 2021-20-024




This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined
                             to be restricted from public release has been redacted from this document.

                                  TIGTACommunications@tigta.treas.gov | www.treasury.gov/tigta
                      HIGHLIGHTS: Improvements Are Needed to More *****2*****
                          *****2***** the Virtual Host Infrastructure Platform
Final Audit Report issued on June 3, 2021                                         Report Number 2021-20-024

Why TIGTA Did This Audit

Server virtualization is now an established standard for enterprise information technology
infrastructure in data centers and cloud services as it provides better utilization of hardware
resources, reduces physical space required, and reduces power consumption and administrative
overhead.

This audit was initiated to determine whether the IRS virtual host infrastructure platform is
effectively managed and secured.

Impact on Taxpayers

The virtual host infrastructure platform of *********2*********** ****2**** servers provides the
virtualization infrastructure running ***********2************ ***2*** virtual systems at the IRS.
Protecting critical assets and infrastructure helps reduce the risk of internal and external
attacks on IRS assets that could potentially expose taxpayer data and information.

What TIGTA Found

The IRS is performing security scans of the virtual host infrastructure platform. However, TIGTA
reviewed vulnerability scan reports from an old and new application spanning several months in
Calendar Year 2020 and found that the IRS did not ********2*********
************************************2***********************************. TIGTA reviewed
reports from August through November 2020 and found that **2**
************************************2***********************************. However, they are
managing patch compliance on ****2**** servers using a virtualization application. In addition,
**************************2***********************************.

The IRS inventory system does not accurately reflect all of the virtual host infrastructure
platform servers. For example, **2** virtual host servers were uncategorized and incorrectly
recorded. In addition, TIGTA identified clerical errors and servers that were classified as
administratively lost or had an uncertified status. In response to this finding, the Virtualization
Branch team submitted documentation to classify three servers as administratively lost and
updated the inventory system to correctly categorize *2* platform servers. Finally, the IRS did
not provide evidence that it is following a standardized process for decommissioning platform
servers.

What TIGTA Recommended

The Chief Information Officer should ensure that critical and high-risk vulnerabilities are
*****************2***********************************.

The IRS agreed with our recommendations and plans to ******2*****
************************************2***********************************.
                                         U.S. DEPARTMENT OF THE TREASURY
                                                  WASHINGTON, D.C. 20220



TREASURY INSPECTOR GENERAL
  FOR TAX ADMINISTRATION



                                              June 3, 2021


MEMORANDUM FOR: COMMISSIONER OF INTERNAL REVENUE



FROM:                        Michael E. McKenney
                             Deputy Inspector General for Audit

SUBJECT:                     Final Audit Report – Improvements Are Needed to More ****2****
                             **********2********** the Virtual Host Infrastructure Platform
                             (Audit # 202020003)

This report presents the results of our review to determine whether the virtual host
infrastructure platform is effectively managed and secured. This review is part of our Fiscal
Year 2021 Annual Audit Plan and addresses the major management and performance challenge
of Enhancing Security of Taxpayer Data and Protection of Internal Revenue Service Resources.
Management’s complete response to the draft report is included as Appendix III.
Copies of this report are also being sent to the Internal Revenue Service managers affected by
the report recommendations. If you have any questions, please contact me or Danny R.
Verneuille, Assistant Inspector General for Audit (Security and Information Technology Services).




Table of Contents

Background .............................................................................. Page 1

Results of Review ....................................................................... Page 1

            *********************2******************** ..................................... Page 1
                         Recommendation 1: ............................................... Page 3

            *********************2*********************** .................................. Page 3
                         Recommendation 2: ............................................... Page 5
                         Recommendation 3: ............................................... Page 6

            *********************2*********************** .................................. Page 6
                         Recommendations 4 and 5: ........................................ Page 7

            Server Inventories ****************2*************** ............................ Page 7
                         Recommendations 6 and 7: ........................................ Page 9

Appendices
            Appendix I – Detailed Objective, Scope, and Methodology ........................ Page 10
            Appendix II – Outcome Measure .................................................. Page 12
            Appendix III – Management’s Response to the Draft Report ....................... Page 13
            Appendix IV – Glossary of Terms ................................................ Page 19
            Appendix V – Abbreviations ..................................................... Page 20




Background
According to the National Institute of Standards and Technology, server virtualization1 is now an
established standard for enterprise information technology infrastructure in data centers and
cloud services as it provides better utilization of hardware resources, reduces physical space
required, and reduces power consumption and administrative overhead. 2 In Calendar Year 2007,
the Internal Revenue Service (IRS) concluded that its diverse and widely deployed server
infrastructure would benefit from a consolidation and virtualization project. As a result, the IRS
established the Virtualization Project Office to design and implement a virtual host infrastructure
environment. Previously, the IRS’s computing environment consisted of a combination of earlier
server consolidations resulting from organizational changes and lacked a single enterprise
standard. Collectively, this resulted in higher operational costs, reduced security, and systems
that were not flexible enough to support rapid rollout of new services. The IRS initiated the
Server Consolidation and Virtualization project in February 2007 and completed it in
December 2010.
**************************************************2**************************************************
**************************************************2**************************************************
***2*** 3 *****************************************2**************************************************
**************************************************2**************************************************
**************************************************2**********.



Results of Review

*************2************
**************************************************2**************************************************
**************************************************2*******************************. The IRM states
that vulnerabilities shall be prioritized for remediation based on risk (highest to lowest) using
the Common Vulnerability Scoring System scores provided by the scanning tools. Figure 1
shows vulnerability severity risk-level score ranges and their associated remediation time frames.




1 See Appendix IV for a glossary of terms.
2 National Institute of Standards and Technology, Special Publication 800-125A, Security Recommendations for Server-based Hypervisor Platforms (Revision 1, June 2018).
3 *********************************************************2**************************************************************.
                                                                                                                    Page 1

                 Figure 1: Common Vulnerability Scoring System Ranges and the
                  Associated Severity Risk Level and Remediation Time Frames

        Score Range    Vulnerability Severity Risk Level    Remediation Time Frame
        0.0            None                                 None
        0.1–3.9        Low                                  180 Days
        4.0–6.9        Medium                               120 Days
        7.0–8.9        High                                 High-Value Assets = 60 Days; All Other Systems = 90 Days
        9.0–10.0       Critical                             30 Days
    Source: IRM 10.8.1.
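The rule in Figure 1 is the check an auditor or a patch-compliance reviewer would run over a scan export: map each finding's CVSS score to a severity level, add the IRM 10.8.1 remediation window (60 versus 90 days for High depends on whether the system is a high-value asset), and list everything past its window as of the report date. The block below is an added example, not code from the TIGTA report or from any IRS scanning tool; the host names, scores, first-seen dates and the CSV export layout are constructed for illustration.

```python
"""
Added example (not from the TIGTA report or IRS tooling): applies the
IRM 10.8.1 remediation windows from Figure 1 to a scan export and flags
findings whose window has elapsed. Host names, scores, dates and the
export layout are constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Remediation windows in days, per Figure 1 (IRM 10.8.1). "High" depends on
# whether the affected system is a high-value asset (HVA): 60 days vs 90 days.
WINDOWS = {"Low": 180, "Medium": 120, "High": (60, 90), "Critical": 30}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def severity_for_score(score: float) -> str:
    """Map a CVSS base score (one decimal) to the Figure 1 severity level."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def remediation_window_days(severity: str, high_value_asset: bool = False):
    """Days allowed to remediate, or None when no remediation is required."""
    if severity == "None":
        return None
    if severity == "High":
        hva_days, other_days = WINDOWS["High"]
        return hva_days if high_value_asset else other_days
    return WINDOWS[severity]


def remediation_deadline(first_seen: str, score: float, high_value_asset: bool = False):
    """ISO date by which the finding must be fixed, or None for severity 'None'."""
    days = remediation_window_days(severity_for_score(score), high_value_asset)
    if days is None:
        return None
    return (date.fromisoformat(first_seen) + timedelta(days=days)).isoformat()


# Constructed scan export in a generic CSV layout (not any real tool's format).
SAMPLE_SCAN_EXPORT = """\
host,high_value_asset,cvss,first_seen,description
vh-node-01,yes,9.8,2020-08-05,constructed critical finding
vh-node-01,yes,7.5,2020-09-01,constructed high finding on an HVA
vh-node-02,no,7.5,2020-09-01,constructed high finding on a non-HVA
vh-node-02,no,5.3,2020-08-05,constructed medium finding
vh-node-03,no,0.0,2020-08-05,informational plugin output
vh-node-03,no,2.1,2020-06-01,constructed low finding
"""


def parse_scan_export(text: str) -> list:
    """Parse the export and attach severity and deadline to each finding."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        hva = row["high_value_asset"].strip().lower() in ("yes", "true", "1")
        score = float(row["cvss"])
        findings.append({
            "host": row["host"],
            "high_value_asset": hva,
            "cvss": score,
            "severity": severity_for_score(score),
            "first_seen": row["first_seen"],
            "deadline": remediation_deadline(row["first_seen"], score, hva),
            "description": row["description"],
        })
    return findings


def overdue_findings(findings: list, as_of: str) -> list:
    """Findings whose deadline has passed as of `as_of` (ISO date), worst first."""
    today = date.fromisoformat(as_of)
    overdue = []
    for f in findings:
        if f["deadline"] is None:
            continue  # severity "None": nothing to remediate
        deadline = date.fromisoformat(f["deadline"])
        if today > deadline:  # a finding due today is not yet overdue
            overdue.append({**f, "days_overdue": (today - deadline).days})
    overdue.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], -f["days_overdue"]))
    return overdue


def summarize_overdue(overdue: list) -> dict:
    """Count overdue findings per severity level, highest severity first."""
    counts = {}
    for f in overdue:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: SEVERITY_ORDER[kv[0]]))


if __name__ == "__main__":
    # Evaluate as of the end of the Aug-Nov 2020 window the report reviewed.
    report = overdue_findings(parse_scan_export(SAMPLE_SCAN_EXPORT), "2020-11-30")
    for f in report:
        print(f"{f['host']:<12} {f['severity']:<8} CVSS {f['cvss']:<4} "
              f"due {f['deadline']} overdue {f['days_overdue']}d")
    print(summarize_overdue(report))
```

Two details matter when turning the table into a check. First, the High row splits on asset classification, so the export must carry (or be joined to) the high-value-asset flag; the two 7.5 findings above get different deadlines for that reason alone. Second, "overdue" is defined as strictly past the deadline day, so the non-HVA High finding due on 2020-11-30 is not reported on that date, while the Low finding from June is, even though it has the longest window.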

We initially reviewed vulnerability scan reports from January through May 2020 from the IRS’s
previous enterprise vulnerability scanning tool, which the IRS replaced during our audit. ***2***
**************************************************2**************************************************
**************************************************2**************************************************
***********************2***********************. In September 2020, we met with officials in the
Enterprise Operations and Cybersecurity functions to discuss the results of our analysis. During
the meeting, the IRS confirmed it implemented a new vulnerability scanning tool in August 2020
to replace the prior tool, which produced differing results. *******************2*******************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**********. In addition, we reviewed monthly
scanning reports from the new vulnerability scanning tool for September through
November 2020. ******************************2**************************************.
                    **********************2************************
                    [table rows redacted; see footnote 4]
     *************************2************************.



4 *********************************************************2**************************************************************.
                                                                                                                   Page 2

According to the IRS, ***************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2*********************************************.

Recommendation 1: The Chief Information Officer should ensure that ***********2*************
**************************************************2**************************************************
******2******.
         Management’s Response: The IRS agreed with this recommendation. The Associate
         Chief Information Officer, Enterprise Operations, will ensure that ***********2*************
         ******************************************2**************************************************
         ********************2*******************.


**************2**************
The National Institute of Standards and Technology provides security controls that are designed
to facilitate compliance with applicable Federal laws, Executive orders, directives, policies,
regulations, standards, and guidance. 5 Two such controls include risk assessment and
configuration management.
The National Institute of Standards and Technology 6 also states that the configuration of a
system and its components has a direct impact on the security posture of the system. How the
configurations are established and maintained requires a disciplined approach for providing
adequate security. Changes to the configuration of a system are often needed to stay up to
date with changing business functions and services and information security needs. However,
changes can adversely affect the previously established security posture; therefore, effective
configuration management is vital to the establishment and maintenance of security of
information and systems. The security-focused configuration management process is critical to
maintaining a secure state under normal operations, contingency recovery operations, and
reconstitution to normal operations.
In addition, the IRM provides guidance to:
    •    Protect the critical infrastructure and assets of the IRS against attacks that exploit them.
    •    Prevent unauthorized access to IRS assets.
    •    Enable computing environments that meet security requirements and support the
         business needs of the organization.7




5 National Institute of Standards and Technology, Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (Apr. 2013). Revision 5 of this publication was released in September 2020. We assessed the Risk Assessment and Configuration Management controls required during our audit fieldwork. Because we had completed the majority of our analysis by September 2020, we used the criteria established in Revision 4.
6 National Institute of Standards and Technology, Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems (Aug. 2011).
7 IRM 10.8.15, Information Technology Security – General Platform Operating System Security Policy (Nov. 27, 2019).
                                                                                                              Page 3

Configuration compliance management for **************2*****************
The IRS implemented a new software configuration compliance scanning application in
April 2020 to replace the prior application that was outdated. On December 15, 2020, we met
with officials in the Cybersecurity and Enterprise Operations functions for a demonstration of the
new application. We observed that the new application scanned ***************2****************
**************************************************2**************************************************
**************************************************2*******************************. We reviewed
monthly configuration compliance reports from August through November 2020 *******2*******
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2*******************************. According to the
Cybersecurity function officials, a server is noncompliant if it has one high-risk issue or the
overall compliance score is below 90 percent. ***********************2****************************
******************2******************.
                    **********************2************************
                    [table rows redacted]
           *************************2************************.
According to the IRS, ***************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
*********2********.
In addition to our review of the monthly compliance reports, we reviewed the August 2020
Preliminary Security Assessment Report8 prepared by the Cybersecurity function that reported
an analysis of compliance scans *****************2**************. The Security Assessment Report
summarizes the risks associated with the vulnerabilities identified during the security assessment
activities that were performed on the system and provides IRS officials with a more holistic view
of risk regarding the system. *******************2**************************************************
**************************************************2*****************. 9 *************2****************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
*************2************.

8 IRS, Virtual Host Infrastructure Enterprise Container Platform (Aug. 26, 2020).
9 *********************************************************2**************************************************************.
                                                                                                                     Page 4

********************************2*************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************. 10
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************. 11 ****2****
**************************************************2**************************************************
**************************************************2********************************************.

The Chief Information Officer should:

Recommendation 2: Ensure that **************2*************************************************
***************************************************2***********************.
           Management’s Response: The IRS agreed with this recommendation. The Associate
           Chief Information Officer, Enterprise Operations, will ensure *************2***************
           ***********************2************************** using the new Continuous Diagnostics
           and Mitigation tool and ensure that *****************2******************. The Chief
           Information Officer found that, of the *************************2**************************
           ***************2**************** of known false positives identified incorrectly by the new
           scanning tool as vulnerabilities. This false positive situation is being addressed with the
           product supplier.
                    Office of Audit Comment: The IRS provided no documentation to support the
                    false positives described above. The Continuous Diagnostics and Mitigation
                    Program *************************2*************************************************
                    ***********************************2*************************************************
                    ***********************************2*************.

10 In Calendar Year 2013, the Department of Homeland Security established the Continuous Diagnostics and Mitigation Program as an implementation approach for continuously monitoring information systems. The program is designed to facilitate automated security control assessment and continuous monitoring that is consistent with established guidance by providing a robust, comprehensive set of monitoring tools, a continuous monitoring dashboard, and implementation assistance.
11 IRM 2.150.2, Configuration Management Process (Aug. 19, 2020).
                                                                                                           Page 5

Recommendation 3: ***************************2*************************************************
***************************************************2*************************************************
*************2*************.
       Management’s Response: *************2*************************************************
       *******************************************2*************************************************
       *******************************************2*************************************************
       *******************************************2*************************************************
       *******************************************2***********.


******************2*****************
According to the IRS Enterprise Security Audit Trails Project Management Office, a Platform
Audit Plan is designed to assist the Enterprise Operations and Cybersecurity functions to achieve
the following:
   •   Understand which system events are associated with significant security risk
       (i.e., actionable events).
   •   Configure systems to monitor auditable events.
   •   Log events and capture an audit trail of relevant data.
   •   Deliver audit data to the enterprise solution for security information and event
       management.
   •   Respond to security incidents.
   •   Analyze and report on event trends.
A Platform Audit Plan helps ensure that systems meet auditing requirements in the IRM and
National Institute of Standards and Technology guidance. However, as of February 2021, the
Platform Audit Plan for the virtual host infrastructure platform had not been approved.

*****2*****
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**********2*********. The IRS created a Plan of Action and Milestones in May 2017 that stated
there was no evidence of review and analysis of information system audit records or reporting of
findings to IRS officials **********2**********. However, between August 2017 and April 2019,
there were several requests, including management escalations, from the Cybersecurity function
to the Virtual Host Infrastructure team asking for milestone updates. As a result of these
unanswered requests, the planned completion date for this Plan of Action and Milestones has
been delayed, with a new target completion date of June 15, 2021. *************2**************
**************************************************2**************************************************
**************************************************2**********************. Protecting critical assets
and infrastructure helps reduce the risk of internal and external attacks on IRS assets.

The Chief Information Officer should:

Recommendation 4: Finalize, approve, and implement a Platform Audit Plan for the virtual
host infrastructure platform.
        Management’s Response: The IRS agreed with this recommendation and will address
        Recommendations 4 and 5 together in the response to Recommendation 5.

Recommendation 5: ***************************2*************************************************
***************************************************2********************************.
        Management’s Response: *************2*************************************************
        *******************************************2*************************************************
        *******************************************2*************************************************
        *******************************************2*************************************************
        *******************************************2*************************************************
        *******************************************2*************************************************
        *******************************************2*******************.


Server Inventories ***********2************
The IRM 12 documents a multistep process for information technology asset management that
includes maintaining an asset once it has been implemented. Managing inventory data includes
issuing the annual inventory certification plan, updating the repository (move/add/change
requests), managing anomalies (resolving discrepancies in the repository), and recommending
corrective actions. The Enterprise Operations function is responsible for annually certifying asset
records under their organizational control, including servers. The Enterprise Messaging and
Virtualization Branch (hereafter referred to as the Virtualization Branch team) is responsible for
submitting updates to key fields in the asset record for existing platform servers. The
Virtualization Branch team provided copies of change requests to add, update, and retire asset
records throughout this review. We found inventory discrepancies and server decommissioning
inconsistencies.

Physical inventory
The IRS inventory system does not accurately reflect all of the virtual host infrastructure platform
servers. *****************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************




12 IRM 2.149.3, Information Technology Asset Management, Asset Management Hardware Procedures (Sept. 18, 2018).
*********2******** 13 ****************************2**************************************************
**************************************************2******************************************.
In September 2020, we performed a physical inventory ********************2*********************
****2**** 14 **************************************2**************************************************
**************************************************2*****************************. 15
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
************************2**************************.
The Virtualization Branch team follows the User and Network Services Hardware Asset
Management User Guide 16 to manage its platform server inventory. However, ********2*********
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2*****************************************.

Management Actions
In response to this finding, the Virtualization Branch team performed the following actions:
        •   August 26, 2020, ************************2*************************************************
            **********2***********.
        •   September 21, 2020, submitted a change request to update the inventory system **2**
            *************************2**********************.
        •   October 20, 2020, prepared a **********2**************************************************
            **********2***********.
        •   December 15, 2020, submitted a new change request to update the inventory system *2*
            ******************************************2********************************************* as a
            result of the September 21, 2020, change request. ***************2********************
            ******************************************2**************************************************
            **********2**********.




13 Uncertified assets are those that are still uncertified after two or more inventory cycles and any high-risk assets not certified in the current inventory cycle.
14 A judgmental sample is a nonprobability sample, the results of which cannot be used to project to the population.
15 *********************************************************2************************************************************** ************************************************************2**************************************************************.
16 IRS, Asset Management – User and Network Services Hardware Asset Management User Guide (Sept. 27, 2019).

Decommissioning
The IRM states that there are three required activities for disposing of information technology
assets: determine information technology assets at end of life, manage disposal activities, and
update the repository. The Enterprise Operations function’s ****2**** has a server retirement
checklist that contains 28 sequential steps to retire a server. *****************2*******************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
******2*****. 17 **********************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
**************************************************2**************************************************
*************************2************************.

The Chief Information Officer should:

Recommendation 6: Update the asset management guidance to **************2***************
*******************2********************.
        Management’s Response: The IRS agreed with this recommendation. The Associate
        Chief Information Officer, Enterprise Operations, will ensure that the IRS follows ****2****
        ****2***** established asset management process for inventory revision.
                 Office of Audit Comment: The IRS’s established inventory policy ******2*******
                 ***********************************2************************************************
                 ***********************************2************************************************
                 ***********************************2***.

Recommendation 7: Ensure that standard operating procedures are **************2************
****************************2*****************************.
        Management’s Response: The IRS agreed with this recommendation. The Associate
        Chief Information Officer, Enterprise Operations, will ensure that the IRS ********2*******
        *******************************************2*************************************************
        *******************************************2*****************************.




17 IRS, Retirement, Excess, and Disposal of Enterprise Operations Information Technology Equipment Standard Operating Procedures (Oct. 2020).

                                                                                                   Appendix I
                       Detailed Objective, Scope, and Methodology
Our overall objective was to determine whether the virtual host infrastructure platform is
effectively managed and secured. To accomplish our objective, we:
       •   Reviewed and analyzed multiple security vulnerability reports to identify critical and
           high-risk vulnerabilities and interviewed IRS employees to review and validate our
           analysis to determine whether security vulnerabilities were timely remediated according
           to guidance established by the IRM.
       •   Reviewed server security configuration policy compliance reports to identify high
           vulnerabilities and interviewed IRS employees regarding security policies and procedures
           to determine whether configuration vulnerabilities were remediated within agency
           security policies.
       •   Reviewed audit monitoring policies, the System Security Plan, and evidence of audit log
           existence to assess whether audit monitoring controls were effective to ensure secure
           operations and oversight of the platform in accordance with the National Institute of
           Standards and Technology and the IRM.
       •   Reviewed relevant IRMs and inventory reports and performed a physical inventory review
           to determine the completeness and accuracy of the virtual host infrastructure platform
           server inventory. We selected a judgmental sample 1 of ****************2*****************
           *******************************************2*************************************************
           *******************************************2*************************************************
           ************2*********.
       •   Reviewed relevant IRMs, server retirement checklists, standard operating procedures, and
           screenshots from the inventory system to evaluate the server decommissioning process.
           We selected a judgmental sample ***************2************** from the retired asset
           report and reviewed the documentation supporting completion of the checklist steps.

Performance of This Review
This review was performed during the period March 2020 through February 2021. We
performed work *****************************2************************ and worked closely with
the Enterprise Operations and Cybersecurity functions. We conducted this performance audit in
accordance with generally accepted government auditing standards. Those standards require
that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objective. We believe that
the evidence obtained provides a reasonable basis for our findings and conclusions based on
our audit objective.
Major contributors to the report were Danny Verneuille, Assistant Inspector General for Audit
(Security and Information Technology Services); Jena Whitley, Director; Mike Mohrman, Audit
Manager; Corey Brown, Lead Auditor; Jamillah Hughes, Auditor; Avery Dortch, Information
Technology Specialist; and Johnathan D. Elder, Information Technology Specialist (Data
Analytics).

1 A judgmental sample is a nonprobability sample, the results of which cannot be used to project to the population.

Internal Controls Methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined that the
following internal controls were relevant to our audit objective: National Institute of Standards
and Technology requirements and IRM policies and procedures for the management and
security of virtual host servers. We evaluated these controls by interviewing IRS employees,
reviewing data obtained from IRS systems, and analyzing relevant documentation provided by
the IRS.

                                                                                    Appendix II
                                     Outcome Measure
This appendix presents detailed information on the measurable impact that our recommended
corrective action will have on tax administration. This benefit will be incorporated into our
Semiannual Report to Congress.

Type and Value of Outcome Measure:
   •   Reliability of Information – Actual; *****************************2************************
       *********2********* on the September 2020 official inventory report
       (see Recommendation 6).

Methodology Used to Measure the Reported Benefit:
We performed a site visit ***********************2************************************ and
judgmentally selected a sample of servers to trace back to the IRS inventory report. ***2***
**************************************************2**************************************************
*****************************2**************************. Upon further analysis, ********2********
**************************************************2*********************************.

                                                                                    Appendix III
      Management’s Response to the Draft Report
                             DEPARTMENT OF THE TREASURY
                              INTERNAL REVENUE SERVICE
                                WASHINGTON, D.C. 20224

CHIEF INFORMATION OFFICER



                                       April 13, 2021


MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT


FROM:                  Nancy A. Sieger /s/ Nancy A. Sieger
                       Chief Information Officer

SUBJECT:               Draft Audit Report – Improvements Are Needed to More
                       ****************2****************** the Virtual Host Infrastructure
                       Platform (Audit #202020003) (e-trak #2021-33208).


Thank you for the opportunity to review your draft audit report and to discuss draft
report observations with Enterprise Operations and the Cybersecurity organization. The
IRS is committed to ******************2******************** Virtual Host Infrastructure
Platform and the continued support, assistance, and guidance your team provides is
very valuable to us in this regard.

We appreciate the opportunity your team has given us to examine the host
infrastructure in order to produce a comprehensive corrective action plan ******2******
************2************. As the IRS looks to modernize its legacy systems and
infrastructure, maintaining the privacy and security of our data remains our top priority.

Even in the face of the myriad challenges presented by the pandemic and our
processing EIP1, EIP2 & EIP3, the Virtual Host Infrastructure Platform has responded
rapidly to any exposures and/or vulnerabilities, decreasing the possibility of
cyberattacks. This included migrating from unsupported to supported hardware to
support filing session 2020 and remediation of vulnerabilities. We have provided tools
and patching across the Enterprise that will identify and address further cyberattacks.

We concur with the recommended measurable benefits on tax administration, as noted
in the March 12th memo and the draft report. In response to your recommendations, we
have attached our corrective action plan. We are committed to implementing the
corrective actions.

The IRS values the continued support and assistance provided by your office. Should
you have any questions, please contact me at (801) 388-6456, or a member of your


                                                                                       Attachment

Draft Audit Report – Improvements Are Needed to More ****************2******************
the Virtual Host Infrastructure Platform (Audit # 202020003)

RECOMMENDATION 1
The IRS agrees with this recommendation. The Chief Information Officer will ensure that
*************************************************2**************************************************
*************************2***************************.

CORRECTIVE ACTION
ACIO, EOPs will ensure that ****************2**************************************************
*************************************************2**************************************************
The ACIO, EOPs found that *****************2*************************************************
*************************************************2**************************************************
*************************2*************************. The ACIO, EOPs ************2**************
*************************************************2**************************************************
*************************************************2**************************************************
*************************2***************************.

IMPLEMENTATION DATE
August 15, 2022

RESPONSIBLE OFFICIAL(S)
Associate Chief Information Officer, Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN
IRS will monitor this corrective action as part of our internal management system of
controls.


RECOMMENDATION 2
The IRS agrees with this recommendation. Ensure that *****************2******************
*************************************************2*************************************************.

CORRECTIVE ACTION
The ACIO, EOPs will ensure ********************************2**********************************
********2******** using the new CDM tool and that *************2************************ The
Chief Information Officer found that of the ************************2***************************
*****************2***************** known false positives identified incorrectly by the new
scanning tool as vulnerabilities. This false positive situation is being addressed with the
product supplier.

IMPLEMENTATION DATE
November 15, 2023

RESPONSIBLE OFFICIAL(S)
Associate Chief Information Officer, Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN
IRS will monitor this corrective action as part of our internal management system of
controls.


RECOMMENDATION 3
IRS agrees with the recommendation. *******2************************************************
***************************************************2************************************************
***************************************************2****************.

CORRECTIVE ACTION 3a
The ACIO, Cybersecurity *********************2************************************************
**************************************************2***********************************************.

IMPLEMENTATION DATE
November 15, 2023

CORRECTIVE ACTION 3b
The ACIO, Cybersecurity ********************2**************************************************
*************************************************2**************************************************
****2****.

IMPLEMENTATION DATE
November 15, 2023

RESPONSIBLE OFFICIAL(S)
Associate Chief Information Officer, Cybersecurity

CORRECTIVE ACTION MONITORING PLAN
IRS will monitor this corrective action as part of our internal management system of
controls.


RECOMMENDATION 4
The IRS agrees with the recommendation for Platform Auditing ************2*************
****2**** and is addressing Recommendations 4 and 5 together in Corrective Action 5.
Finalize, approve, and implement a Platform Audit Plan for the virtual host infrastructure
platform.

CORRECTIVE ACTION
The IRS will address Recommendations 4 and 5 together in Corrective Action 5.

IMPLEMENTATION DATE
June 15, 2022

RESPONSIBLE OFFICIAL(S)
Associate Chief Information Officer, Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN
IRS will monitor this corrective action as part of our internal management system of
controls.


RECOMMENDATION 5
IRS agrees with this recommendation. *******2***********************************************
***************************************************2***********************************************
************2***********.

CORRECTIVE ACTION
Audit Process Corrective Actions for Recommendations 4 and 5 are underway.
   •    ***************************************2**********************************************
        *********************2*******************.

***************************************************2***********************************************
***************************************************2***********************************************
***************************************************2***********************************************.

IMPLEMENTATION DATE
June 15, 2022

RESPONSIBLE OFFICIAL(S)
Associate Chief Information Officer, Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN
IRS will monitor this corrective action as part of our internal management system of
controls.


RECOMMENDATION 6
The IRS agrees with this recommendation. Update the asset management guidance *2*
**********************************2********************************.

CORRECTIVE ACTION
The ACIO, EOPs will ensure the IRS follows the **************2*************** established
asset management process for inventory revision.

IMPLEMENTATION DATE
September 15, 2022

RESPONSIBLE OFFICIAL(S)
Associate Chief Information Officer, Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN
IRS will monitor this corrective action as part of our internal management system of
controls.

OUTCOME MEASURE – Appendix II

Type and Value of Outcome Measure: We concur

Reliability of Information – Potential; ****************************2*****************************
***************2************** on the September 2020 official inventory report (see
Recommendation 6).


RECOMMENDATION 7
The IRS agrees with this recommendation. Ensure standard operating procedures are
***************************************************2***********************************************.

CORRECTIVE ACTION
The ACIO, EOPs will ensure the IRS ***************************2*****************************
***************************************************2***********************************************
********************2********************.

IMPLEMENTATION DATE
November 15, 2022

RESPONSIBLE OFFICIAL(S)
Associate Chief Information Officer, Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN
IRS will monitor this corrective action as part of our internal management system of
controls.

                                                                                    Appendix IV
                                     Glossary of Terms

Term: Definition

Decommission: An approach to accomplishing data center consolidation that involves turning off servers that are not being used or are used infrequently.

Exploit: A general term for any method used by hackers to gain unauthorized access to computers, the act itself of a hacking attack, or a hole in a system’s security that opens a system to an attack.

Host: Any hardware device that has the capability of permitting access to a network via a user interface, specialized software, network address, protocol stack, or any other means. Some examples include, but are not limited to, computers, servers, personal electronic devices, thin clients, and multifunctional devices.

******2******: **********************************2************************************ **********************************2************************************ **********************************2************************************ **********************************2************************************ **********************************2************************************ ****2****.

******2******: *****************2*****************.

Remediation: The act of correcting a vulnerability or eliminating a threat through activities such as installing a patch, adjusting configuration settings, or uninstalling a software application.

Virtualization: The simulation of the software and hardware upon which other software runs.

Vulnerability: Weakness in an information system, system security procedure, internal control, or implementation that could be exploited or triggered by a threat source.

Vulnerability Scanning: The process of proactively identifying vulnerabilities of an information system in order to determine if and where a system can be exploited or threatened. Employs software that seeks out security flaws based on a database of known flaws, tests systems for the occurrence of these flaws, and generates a report of the findings that an individual or an enterprise can use to tighten network security.

                                                                           Appendix V
                               Abbreviations

******2******       **************2**************
IRM                 Internal Revenue Manual
IRS                 Internal Revenue Service

             To report fraud, waste, or abuse,
                call our toll-free hotline at:
                         (800) 366-4484


                              By Web:
                      www.treasury.gov/tigta/


                             Or Write:
         Treasury Inspector General for Tax Administration
                            P.O. Box 589
                        Ben Franklin Station
                   Washington, D.C. 20044-0589




Information you provide is confidential, and you may remain anonymous.