ENCLOSURE ENCLOSURE 11. During our review, computer center personnel told us that such a device was on order for use in the center. 12. Computer center personnel told us that the center had dial-in communications. The issue here, however, is that any communications into the data center pose a risk and must be adequately controlled. 13. Without a wiring plan, as noted in weakness number 35, we cannot substantiate whether these communications cables are part of the Cyberfile computer center. 14. The response does not address the weakness. To meet IRS' security 15. The response asserts that other electronic filing systems will handle Cyberfile submissions if Cyberfile fails but does not explain how or when this will occur since the other systems cannot handle Cyberfile submissions now. 16. It is true that IRS conducted a Cyberfile risk assessment. Our point was that it was incomplete and inadequate. (511516) GAO/AIMD-96-85R Security Weaknesses at IRS' Cyberfile Data Center NNAV DEPARTMENT OF THE TREASURY October 10, 1996 The Honorable Ted Stevens Chairman, Committee on Governmental Affairs United States Senate Dear Mr. Chairman: In accordance with 31 U.S.C. section 720, I am writing you concerning actions by the Internal Revenue Service (IRS) in response to the recommendations contained in a report by the General Accounting Office (GAO) entitled Tax Systems Modernization: Cyberfile Project Was Poorly Planned and Managed (AIMD-96-140; August 26, 1996). The GAO report identified problems with the planning and management of the Cyberfile project which would have allowed taxpayers to file tax returns using their personal computers. The IRS agrees with GAO's overall assessment that the Cyberfile project, which was officially suspended in May 1996, was not administered properly. Before the end of the year, in response to GAO's recommendations in the Cyberfile report, Commissioner Richardson will be issuing a report to Congress which will document the agency's involvement in Cyberfile and the strategy that has been adopted to strengthen IRS' technical management capabilities. If you have any questions, please do not hesitate to contact me at 622-3720. Sincerely, Enclosure تخاب با Floyd L. Williams National Director for Legislative Affairs GAO Results in Brief United States General Accounting Office Accounting and Information B-271015 August 26, 1996 The Honorable Ted Stevens Governmental Affairs Dear Mr. Chairman: This report responds to your February 1996 request that we assess whether applicable procurement laws and regulations were adhered to in the acquisition of Cyberfile, an electronic filing system being developed for the Internal Revenue Service (IRS) by the Department of Commerce's National Technical Information Service (NTIS). Specifically, as agreed with your staff, we determined whether (1) IRS' decision to use NTIS to develop Cyberfile was based on sound analysis, (2) applicable procurement laws and regulations were followed in acquiring Cyberfile equipment and services, (3) Cyberfile obligations and costs were accounted for properly, and (4) equipment and services were acquired cost-effectively. This report contains recommendations to the Commissioner of the IRS and the Secretary of the Department of Commerce. Details of our scope and methodology are in appendix I. The Department of the Treasury, IRS, and Commerce commented on a draft of this report. Their comments are discussed in the "Agency Comments" section and are reprinted in appendixes II, III, and IV. IRS' selection of NTIS to develop Cyberfile was not based on sound analysis. IRS did not adequately analyze requirements, consider alternatives, or assess NTIS' capabilities to develop and operate an electronic filing system, even though the need for these critical prerequisites was brought to management's attention as early as July 1995. Instead, IRS selected NTIS because it was expedient and because NTIS promised IRS, without any objective support, that it could develop Cyberfile in less than 6 months and have it operating by February 1996. In order to meet these self-imposed time constraints, the project was hastily initiated. Development and acquisition were undisciplined, and Cyberfile was poorly managed and overseen. As a result, it was not 'The financial measure of resources consumed in accomplishing a specified purpose, such as performing a service, carrying out an activity, or completing a unit of work or a specified project. B-271015 delivered on time, and after advancing $17.1 million to NTIS, IRS has suspended Cyberfile's development and is reevaluating the project. IRS and NTIS did not follow all applicable procurement laws and regulations in developing Cyberfile. IRS cited the Brooks ADP Act (40 U.S.C. 759) for its authority to procure Cyberfile. However, IRS did not perform requirements and alternatives analyses as required by the Federal Information Resources Management Regulation which implemented the Brooks ADP Act. NTIS also violated applicable procurement laws and regulations in implementing Cyberfile. To obtain contractor services quickly, NTIS modified an existing sole source contract awarded through the Small Business Administration's (SBA) small and disadvantaged businesses program (referred to as the "Section 8(a)” program), providing $3.3 million for Cyberfile and increasing the total contract value to $4.3 million. NTIS did not submit this modification to SBA for review as required under the Section 8(a) program. Further, this modification circumvented SBA rules requiring that contracts over $3.0 million be competed among eligible Section 8(a) firms rather than being issued on a sole source basis. In addition, at the time of modification, the contractor was not an eligible 8(a) firm under SBA regulations, and had NTIS submitted the modification to SBA as required, responsible officials at SBA said they would have rejected it. Cyberfile obligations and costs were not accounted for properly. IRS (1) significantly understated the obligations related to the project and (2) improperly accounted for the $17.1 million advanced to NTIS. In addition, NTIS did not promptly and accurately account for Cyberfile obligations and costs. Specifically, significant financial transactions were not properly documented and obligations and costs were not recorded promptly and accurately. Finally, adequate financial and program management controls were not implemented to ensure that Cyberfile was acquired cost-effectively. As a result, excess costs were incurred. For example, the interagency agreement between IRS and NTIS was not structured to minimize costs, and Cyberfile costs continued to be incurred after the project was suspended. Specifically, the agreement allowed NTIS to assess a 10 percent management fee for (1) costs associated with NTIS' failure to follow preferred management practices, such as late payment penalties and (2) items which IRS could have readily obtained directly and provided to |