Treasury Inspector General for Tax Administration, Cloud Services Were Implemented Without Key Security Controls, Placing Taxpayer Data at Risk (No. 2022-20-052) (Sept. 27, 2022):
To facilitate and guide its cloud security implementation efforts, the IRS developed its Cloud Security Reference Architecture in September 2019 and the Cybersecurity Cloud Operations Framework in November 2019. The IRS issued its updated Cloud Strategy and Cloud Security Internal Revenue Manual in March 2021 and September 2021, respectively.
By the end of Calendar Year 2020, the IRS had fully implemented 56 cloud services, 12 of which contained taxpayer data. The IRS deployed these cloud services without fully implemented security controls for protecting the data. ... [T]he IRS continued to accelerate cloud adoption without ensuring that important security controls designed to protect taxpayer data were in place in the cloud environment. ...
Control weaknesses over cloud computing services can pose a substantial risk to taxpayer records currently residing on these services. The potential harm includes breach and unauthorized access and disclosure of taxpayer information.