# The Child Tax Credit Update Portal Was Successfully Deployed, but Security and Process Improvements Are Needed > **Audit** by Treasury Inspector General for Tax Administration · 2022-05-18 > *About: Internal Revenue Service* ## Report - **Title:** The Child Tax Credit Update Portal Was Successfully Deployed, but Security and Process Improvements Are Needed - **Submitting OIG:** Treasury Inspector General for Tax Administration - **Component agency:** Internal Revenue Service - **Type:** Audit - **Publication date:** 2022-05-18 ## Recommendations - **Rec 1** (Closed): Ensure that the ELC coaches comply with existing agency requirements related to the independent verification and validation of all ELC artifacts. - **Rec 1** (Closed): Ensure that the ELC coaches comply with existing agency requirements related to the independent verification and validation of all ELC artifacts. - **Rec 1** (Closed): Ensure that the ELC coaches comply with existing agency requirements related to the independent verification and validation of all ELC artifacts. - **Rec 10** (Closed): Prioritize remediation efforts on the two noncompliant SADI system servers that have weighted noncompliance scores of less than 90 percent. - **Rec 10** (Closed): Prioritize remediation efforts on the two noncompliant SADI system servers that have weighted noncompliance scores of less than 90 percent. - **Rec 10** (Closed): Prioritize remediation efforts on the two noncompliant SADI system servers that have weighted noncompliance scores of less than 90 percent. - **Rec 2** (Closed): Ensure that only authorized approving authorities provide status updates and grant final approval of ELC artifacts during required milestone reviews. - **Rec 2** (Closed): Ensure that only authorized approving authorities provide status updates and grant final approval of ELC artifacts during required milestone reviews. - **Rec 2** (Closed): Ensure that only authorized approving authorities provide status updates and grant final approval of ELC artifacts during required milestone reviews. - **Rec 3** (Closed): Establish a formal process, which includes routine updates, to identify primary and proxy approvers for all ELC artifacts. - **Rec 3** (Closed): Establish a formal process, which includes routine updates, to identify primary and proxy approvers for all ELC artifacts. - **Rec 3** (Closed): Establish a formal process, which includes routine updates, to identify primary and proxy approvers for all ELC artifacts. - **Rec 4** (Closed): The Chief Information Officer should ensure that systems supported by the CSPs have an approved IRS ATO prior to a system’s deployment. - **Rec 4** (Closed): The Chief Information Officer should ensure that systems supported by the CSPs have an approved IRS ATO prior to a system’s deployment. - **Rec 4** (Closed): The Chief Information Officer should ensure that systems supported by the CSPs have an approved IRS ATO prior to a system’s deployment. - **Rec 5** (Closed): The Chief Privacy Officer should establish a process that complies with Office of Management and Budget requirements regarding the selection, implementation, assessment, and continuous monitoring of privacy controls. - **Rec 6** (Closed): The Chief Privacy Officer should ensure that formal documentation is created that shows that all the privacy controls applicable to the SADI system are properly selected, implemented, and assessed. - **Rec 6** (Closed): The Chief Privacy Officer should ensure that formal documentation is created that shows that all the privacy controls applicable to the SADI system are properly selected, implemented, and assessed. - **Rec 6** (Closed): The Chief Privacy Officer should ensure that formal documentation is created that shows that all the privacy controls applicable to the SADI system are properly selected, implemented, and assessed. - **Rec 7** (Closed): The Chief Information Officer should ensure that the Cybersecurity function validates that all required NIST physical and environmental protection and media protection controls are implemented. - **Rec 7** (Closed): The Chief Information Officer should ensure that the Cybersecurity function validates that all required NIST physical and environmental protection and media protection controls are implemented. - **Rec 7** (Closed): The Chief Information Officer should ensure that the Cybersecurity function validates that all required NIST physical and environmental protection and media protection controls are implemented. - **Rec 8** (Closed): The Chief Information Officer should ensure that the IRS prioritizes completing the processes that will validate newly built servers being placed into the production environment meet minimum compliance requirements and initiate vulnerability scanning… - **Rec 8** (Closed): The Chief Information Officer should ensure that the IRS prioritizes completing the processes that will validate newly built servers being placed into the production environment meet minimum compliance requirements and initiate vulnerability scanning… - **Rec 8** (Closed): The Chief Information Officer should ensure that the IRS prioritizes completing the processes that will validate newly built servers being placed into the production environment meet minimum compliance requirements and initiate vulnerability scanning… - **Rec 9** (Closed): Ensure that all CTC Update Portal and SADI system associated POA&Ms (listed in Appendix II) are completed timely based on IRS-defined timelines and processes. ## Source - [oversight.gov report page](https://www.oversight.gov/reports/audit/child-tax-credit-update-portal-was-successfully-deployed-security-and-process) --- *AI Analytics · CC0 1.0*