With so much sensitive data to protect, IRS is focused on building an even more cyber-secure environment and is confident about the progress the agency has made and will continue to make toward zero-trust.
“What we’ve been focused on for many years has now come to light across government,” Cyber Operations Director Richard Therrien told the Government Technology & Services Coalition’s IRS Days 2022, stressing that the agency has “been in lockstep with OMB’s intent.”
The January Office of Management and Budget memorandum on moving the federal government toward zero-trust cybersecurity principles emphasized the Cybersecurity and Infrastructure Security Agency’s five pillars: identity, devices, networks, applications and workloads, and data.
As IRS has been moving in that zero-trust direction for many years, Therrien said, the focus is on continuing the journey under White House mandate and “enforcing that in IRS across all five pillars of the zero-trust architecture.”
“How do we take five zero-trust principles and apply them equally?” he asked.
FedRAMP “does go a long way” in making sure that contracted services are more cyber-secure. Zero-trust is going to require IRS and contractors to have less discretionary access, and “I need solutions that help me do that across the cloud,” he said.
“It’s important for me to really have an integrated view across all those environments we have,” Therrien said. “…The need for more timely data has become a matter of increasing urgency and increasing expectation.”
Applying data sensitivity labels is a challenge, he said, because IRS deals not just with Microsoft Office documents but with a mix of commercial off-the-shelf products and formats built by IRS. The agency is also a complex technology organization with a technology footprint going back decades, and Therrien said he is curious how industry partners might approach that problem.
All CISOs have been collaborating on how to best close security gaps at agencies, and CISA has become “more and more of an engaged agency” with IRS. “We are always looking at, if IRS is doing something, is this something that the department or other bureaus can benefit from,” he added.
Therrien said President Biden’s executive order on cybersecurity at federal agencies “was comprehensive” and he believes IRS is “on a good path to addressing that executive order.”
He noted that IRS has been “pushing two-factor” authentication into the agency “solidly for the last 10 years,” with “additional legacy applications converting to two-factor.”
“We can’t wait for any of those systems to migrate to a cloud-based solution,” he said. “We are applying two-factor to those older technologies regardless.”
Cybersecurity also integrates with broader security concerns within the agency such as insider threats and physical access control. “We have a partnership where we are able to collaborate on physical security incidents,” Therrien said.
Within the large community of IRS, cybersecurity is an extensive undertaking. “We try to cover all dimensions of user behavior,” the cyber director said. The agency has controls in place to make sure people aren’t taking their work home; printing out work documents on a personal printer, for example, is not allowed. Because of the sensitivity of the data involved, “the IRS setup is a lot more restrictive and less user-friendly than in some other companies,” he noted.
In collaborating with industry, Therrien said he is looking for solutions that can hit the ground running and take a faster route to capability. “I’m looking for velocity,” he said, and “automation enables the velocity we need.”
“Even when acquired, a product takes time to integrate into our environment,” he noted. “I really don’t have that kind of time. We can be in ‘buy vs. build’ option – I’m going to take the buy.”
Security Risk Management Director Frank Henderson highlighted the importance of automation “especially around the delivery of patches and those types of maintenance activities.”
When looking at risk analysis, he emphasized the importance of “data that allows us to respond more quickly to those exploitable parts of our infrastructure and our environments.”
CISA’s Continuous Diagnostics and Mitigation Program, Henderson noted, has “allowed us to be more intentional in our approach and more synchronized in our approach” to managing cyber threats.