Until the IRS fully implements a comprehensive information security program, its facilities and computers -- as well as the information that is processed, stored and transmitted on its systems -- will be vulnerable, the report said.

The GAO recommends, in part, that the IRS enhance policies and procedures related to password and configuration settings to comply with federal guidelines, ensure that contractors with significant information security responsibilities are given specialized training, ensure that disaster recovery plans are complete and updated, and continue to enhance continuity capabilities by training non-IRS staff to restore operations.

In a letter to Gregory Wilshusen, the GAO's IT director, IRS Commissioner Mark Everson acknowledged that his agency needs a comprehensive security program and agreed to implement the five recommendations in the report.