The Internal Revenue Service doesn’t have a cloud technology strategy and didn’t adhere to federal government policy when it implemented a cloud service, according to a new report.
The report, from the Treasury Inspector General for Tax Administration, noted that in December 2010, the U.S. government’s chief information officer, Vivek Kundra, directed all federal agencies to move to a “cloud first” policy. However, nearly seven years later, the IRS still doesn’t have an enterprise-wide cloud strategy. Although the agency formed a working group in July 2016 to develop such a strategy, it’s incomplete.
Not having a documented enterprise-wide cloud strategy creates a significant risk that organizations outside of the IRS Chief Information Officer and Information Technology organization could deploy systems and potentially expose federal tax information, the report pointed out, and there’s no reasonable assurance the systems meet federal security guidelines. The IRS could also miss out on the opportunity to deliver public value by increasing operational efficiency and responding faster to the needs of taxpayers.
Instead, the IRS makes do by updating its inventory of cloud systems manually whenever Change Management Requests are submitted. But the inventory doesn’t distinguish between deployed systems and systems in development, nor does it include system ownership and other details.
The IRS also didn’t adhere to some other federal policies on cloud computing. It didn’t comply with guidance from the Office of Management and Budget that agencies use the Federal Risk and Authorization Management Program to conduct risk assessments, perform security authorizations, and grant Authorities to Operate for cloud services.