Is the IRS finally going to pay down its tech debt? And move its infrastructure into the 2020s? Perhaps so, now that it has inked a deal with Cayosoft to replace its aging legacy solutions.
The sprawling agency, the bane of taxpayers and legislators alike, has relied on tools from a legacy vendor to manage its Microsoft platforms, users and identities, Cayosoft pointed out. But those tools stuttered for a common reason: they weren’t designed to work in cloud and hybrid environments. That forced the agency to foot the bill for costly customization just to keep them up and running and avoid blind spots. Hardly efficient or cost-effective, and something that likely set the hair of the DOGE tech bros on fire.
“The IRS has aspirations of more monitoring of financial transactions and cryptocurrency transactions, so it’s no surprise they are thinking about redoing their technology stack to make that feasible instead of throwing more people at the problems,” says John Bambenek, president of Bambenek Consulting.
The agency aims to punch up efficiency and modernize its Microsoft infrastructure management platform with hybrid capabilities more suited to 2025 and beyond, while at the same time strengthening security.
“Switching away from old, patchwork tools is a big win for the IRS because it means fewer headaches, faster fixes and stronger protection for sensitive data,” says J Stephen Kowski, field CTO at SlashNext Email Security+.
Modern platforms built for today’s hybrid environments, he points out, “can spot threats quickly, recover from attacks or outages in minutes, and make day-to-day management much simpler.”
Cayosoft offers an agentless platform that it says will let the agency “meet strict recovery time objective (RTO) and recovery point objective (RPO) thresholds by restoring entire Active Directory forests in minutes and capturing near real-time identity changes across AD, Entra ID, and Microsoft 365.” It also features built-in zero-trust delegation, automated license provisioning and immutable, malware-tested backups. The IRS will use the setup to modernize its infrastructure, boost resilience, and lay the groundwork for innovation while meeting federal requirements.
Organizations are often hesitant to abandon legacy investments, but taking the leap can be the most cost-effective option. “While large organizations like the IRS have had huge investments to stand up systems to process the information at the scale they do, developments mean there are far cheaper ways of doing things and that difference in cost makes it worth developing entirely new systems,” says Bambenek.
It was probably long past time for the IRS to de-emphasize classic Active Directory for what Jason Soroko, senior fellow at Sectigo, calls “a single source of truth.” By doing so, the agency “is modernizing towards what has been called an identity fabric,” he says. “In practice, this means fewer privileged service accounts, smaller attack surfaces and a blueprint for other civilian agencies that still cling to the same vintage toolchains.”
Key in that “vintage toolchain” is Active Directory Certificate Services (ADCS), “which was optimized for a pure Microsoft stack world that no longer exists, and hopefully, government agencies and others view ADCS the same way and look towards more modern systems,” says Soroko.
“By replacing a monolithic AD mindset with a hybrid identity fabric, the IRS is signalling that federal compliance now values recoverability and least privilege design just as much as uptime,” he adds.
And Kowski believes the modernization will put the IRS on pace “with new security rules and avoid the risks that come with outdated tech.” And that’s essential to ensuring that “critical government systems stay safe, efficient, and ready for whatever comes next.”
It seems the IRS is about to become more efficient. That might not be what taxpayers want to hear. But it’s about time.