As filing season and tax-law changes loom, the IRS stresses identity security
Connecting state and local government leaders
The IRS wants to help individuals securely access their tax data and simplify interactions with states and the tax preparation industry.
Michael Anthony, the Internal Revenue Service's director of identity and access management, believes his agency has two seasons: filing season and preparing for filing season. And robust identity access management is critical for both.
Anthony said the National Institute of Standards and Technology's digital identity guidelines will allow the IRS to “leap ahead” with levels of assurance by deploying features like a digital identity acceptance statement.
“As part of NIST SP 800-63-3, we want to ensure our digital identity risk assessment process is forward- and backward-compatible with our current capabilities," he said at a Jan. 31 Digital Government Institute event. “ We’re currently performing an analysis to understand where gaps between our current implementation and the new requirements may be, [and] we are going to continually assess and innovate since threat vectors and bad actors continue to evolve.”
The IRS has worked over the past few years to shore up its identity access strategy with internal and external partners. Anthony said his agency has worked directly with NIST on challenges and with the Social Security Administration to share best practices.
As the financial industry moves toward more business-to-business transactions, Anthony said the IRS will be looking for adequate resources to make sure it can maintain privacy for citizen data as well cybersecurity controls based on NIST’s digital identity guidelines.
“One of the IRS’s future state goals is to increase customer satisfaction through more cost-effective delivery channels such as online account access.” Anthony said. But challenges arise when dealing with individuals who might not have access to more sophisticated authentication tools.
“How do we digitally enable communities that may not have these devices?” Anthony asked. “We need to manage end-user expectations balancing security, privacy and accessibility. We urge industry to innovate in this space," with the new capabilities that NIST SP 800-63-3 allows, he said.
To spur innovation, Anthony told GCN, the IRS two years ago created an Information Sharing and Analysis Center. The goal is to bring the IRS, state governments and the tax industry together in a secure environment to "work through the challenges and issues related to privacy, data security, and sharing of information in a real-time, proactive nature."
To secure the transmission of tax information, IRS has worked with companies like Intuit and H&R Block to implement consistent controls across the entire ecosystem. Anthony said industry prefers to work with the IRS on implementing security controls rather than dealing with different requirements in 50 states.
“By working closely with the Federation of Tax Administrators, we have been able to coalesce around common security controls to better protect the tax ecosystem,” he said. “Rather than have 40-plus different security implementations, we have been able to reduce the level of effort required by our state and tax industry partners to comprehensively address cybersecurity.”
Tax season, which is now in full swing, inevitably squeezes the resources and attention that can be devoted to such efforts, and this year brings another complication. The number one priority for the IRS now, Anthony stressed, is implementing the tax changes created by the 2017 Tax Cuts and Jobs Act.
NEXT STORY: TSA explores facial recognition at LAX