The US Government Accountability Office (GAO) is an independent agency established by Congress, responsible for conducting periodic audits of the federal government to ensure transparency and accountability. In January, the GAO performed an IT audit of the Internal Revenue Service (IRS), the most unloved U.S. government agency responsible for collecting taxes in the US. The IRS collected nearly $4 trillion in 2021 alone. The audit report uncovered obsolete software, outdated coding languages like COBOL, and systems dating back to 1959, some 64 years ago.
The report begins with this statement:
“The Internal Revenue Service’s (IRS) legacy IT environment includes applications, software, and hardware, which are outdated but still critical to day-to-day operations. Specifically, GAO’s analysis showed that about 33 percent of the applications, 23 percent of the software instances in use, and 8 percent of hardware assets were considered legacy. This includes applications ranging from 25 to 64 years in age, as well as software up to 15 versions behind the current version. As GAO has previously noted, and IRS has acknowledged, these legacy assets will continue to contribute to security risks, unmet mission needs, staffing issues, and increased costs.”
The GAO report specifically highlights increased security risks associated with legacy systems that have known security vulnerabilities. These vulnerabilities are either technically difficult or prohibitively expensive to address. The report also notes that some IRS technology vendors no longer provide support for their hardware or software, leaving security vulnerabilities unpatched and without any mitigation measures. In addition, the report refers to a $100 million budget allocation (from December 2018 to August 2026) for Vulnerability & Threat Management, aimed at enabling IRS cybersecurity professionals to protect taxpayer data and systems by monitoring endpoints and servers.
What is the oldest unpatched application do you have in your IT environment? Do you have a patch management strategy for that?
About Action1
Action1 provides a risk-based patch management solution for distributed work-from-anywhere organizations. Action1 helps to discover, prioritize, and remediate vulnerabilities in a single solution to prevent security breaches and ransomware attacks. It automates patching of third-party applications, patching of operating systems, drivers, and firmware, ensuring continuous patch compliance and remediation of security vulnerabilities before they are exploited.