The IRS does not have an enterprise-wide strategy to comply with the 2010 directive for agencies to migrate computing to the cloud, an IG report has said, noting that a working group formed in July 2016 to create such a strategy has not produced a finished product and there is no timeline for completion.

“Not having a documented enterprise-wide cloud strategy creates a significant risk that organizations outside of the IRS chief information officer and information technology organization may deploy systems and potentially expose federal tax information with no reasonable assurance that the systems meet applicable federal security guidelines. The IRS may also miss the opportunity to deliver public value by increasing operational efficiency and responding faster to constituent needs,” the report said.

It found that the IRS inventory of cloud systems is updated only manually, does not distinguish between deployed systems or systems in development and does not include system ownership or other informative details. Further, the IRS has not complied with OMB guidance that agencies use the federal risk and authorization management program to conduct risk assessments, perform security authorizations, and grant authorities to operate for cloud services, it said.

The IRS generally agreed with recommendations including that it prioritize and complete an enterprise-wide cloud strategy in alignment with federal guidance; and ensure that the process of managing the cloud inventory is formalized using automated methods and updated on a periodic and ongoing basis.