A ‘sense of urgency’ as IRS legacy IT systems grow increasingly older

The Internal Revenue Service’s claims it needs more funding to address aging IT infrastructure, but lawmakers say before the tax agency can ask Congress to show them the money, it must first show appropriators a plan.

During a House Ways and Means subcommittee hearing on Wednesday, Rep. Vern Buchanan (R-Fla.) told IRS executives he wanted to see an Return on Investment (ROI) roadmap for modernizing the agency’s IT systems.

“I think that’s the concern a lot of us have just throwing more money at it,” Buchanan said. “The question is to have a plan, what is the return on that plan in terms of the technology dollars being spent. We should have a way of being able to get to those numbers, there’s got to be enormous savings,” Buchanan said. “I’m big on planning, personally, as a business guy, if you don’t have a vision you perish. We need to have a vision, a plan, the IRS in general but in terms of this space, before I’d be willing to commit any dollars because I’d like to see what the return on investment would be.”

Advertisement

IRS Chief Information Officer Gina Garza said the agency does have a roadmap, two in fact: a technology roadmap and a digital roadmap. Though she didn’t know if IRS had shared it, Garza said “it’s certainly something that we can do.”

“What we have is called a technology road map, and the technology road map was developed in concert with the Future State vision for the IRS. So as part of that document you will see the evolution and the migration of current state IT to future state IT,” Garza said. “A subset of that is the digital roadmap, which is what we have really focused and have prioritized right now. We want to be able to get out and provide services to tax payers.”

Garza said IRS is already following the technology road map as it develops an Enterprise Case Management (ECM) system to consolidate 63 legacy systems into a single commercial off-the-shelf platform.

But consolidating legacy systems isn’t the biggest problem the IRS faces, watchdogs warned, it’s the agency’s reliance on those systems that’s raising red flags.

David Powner, director of IT management issues for the Government Accountability Office, said IRS spends about $2.7 billion annually on IT, with about 70 percent of that going toward operational or legacy systems.

These systems are critical to collecting more than $3 trillion in taxes, Powner said, but they are also some of the federal government’s oldest systems, including the Individual Master File [IMF].

“Our main concern with the Individual Master File is we don’t see a solid plan with realistic costs and milestones to replace it,” Powner said. “Overall IRS maintains over 20 million lines of assembly code. These millions of lines of archaic software, and hardware, that is no longer supported become more difficult and costly to maintain each year, and poses significant cybersecurity risks. To IRS’ credit it keeps these old systems running during filing season, but relying on these antiquated systems for our nation’s primary source of revenue is highly risky, meaning that the chance of having a failure during the filing season is continually increasing.”

Asked by multiple subcommittee members — no minority members were present during the hearing — about the IMF’s status, Garza said it would take about five years, 50-60 full-time equivalent positions and the funding associated with that personnel, direct hiring authorities, and about $85 million each of those years, to replace the core components of the Individual Master File.

Garza explained the code for the IMF was written in the 1960s, but the hardware it runs on is modern.

“If the code was written that long ago, you must have folks on your payroll that are continually maintaining that, is that correct,” asked Rep. Tom Rice (R-S.C.).

Garza said the number of IRS personnel who know how to use the code is “dwindling,” and there is a sense of urgency to modernize those applications.

“That’s a heck of a sense of urgency,” Rice said.

Equifax breach

Subcommittee members also focused their questioning on the the Equifax breach, and the news the agency recently entered into a contract with the beleaguered credit reporting agency.

IRS Deputy Commissioner for Operations Support Jeffrey Tribiano, said IRS initially had two contracts with Equifax, one for credit monitoring, and another for electronic authentication.

The credit monitoring contract was recompeted and awarded to a new vendor, Tribiano said. The IrS also awarded the e-authentication contract  to a new vendor but in July  Equifax protested the decision.

“That’s under GAO right now for a decision about which way to go,” Tribiano said. “When we came down to Sept. 20, when the [current] Equifax contract expired, we had to either stop the service, which means millions of taxpayers would not be able to get their transcripts, including those in need of it like in the hurricane disaster areas, or do a bridge contract with Equifax until GAO decides on the protest and we move forward.”

Rep. Mike Bishop (R-Mich) asked how the breach impacted the agency as well as taxpayers.

“Can you give us some assurances after the Equifax breach that you’ve taken precautions, that there are steps that have been taken to address what could be one of the biggest breaches and identity thefts in the history of our country,” Bishop said. “Clearly there’s a gap there and we’ve got to do something to address it and I assume that the IRS has done something.”

Garza said IRS sent a team to Equifax to analyze the breach, and working with the Treasury Inspector General for Tax Administration went through the breach information before combing through each IRS application to determine whether anything was or could put the agency’s system at risk.

“The approach we’ve taken at IRS is to have multilayered defense mechanisms in our applications,” Garza said. “Based on that, we determined that we had other mitigating controls in place that would protect the taxpayer information.”

Garza said about 209,000 social security numbers were flagged as possibly being at a higher risk for foul play as a result of the breach, and so the agency is putting protections on those specific accounts.