Publication 1075 (10-2015) TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES

 

• Safeguard alerts and technical assistance memorandums

• Recommendations on how to comply with Publication 1075 requirements

• Reporting requirement templates (e.g., Safeguard Security Report [SSR]) and guidance

• Instructions for reporting unauthorized accesses, disclosures, or data breaches

• Internal inspections report templates and instructions

• IRS disclosure awareness videos and resources

• Disclosure and physical security requirements documented in the Safeguard Disclosure Security Evaluation Matrix (SDSEM) template

• Computer security requirements documented in Safeguard Computer Security Evaluation Matrix (SCSEM) templates organized by technology or topic

 

• Safeguards Reports and Extension Requests

• 45 Day Notifications

• Publication 1075 Technical Inquiries

• FOIA Requests for Safeguard Reports

• Re-Disclosure Agreements

 

• Information, including the return, that IRS obtained from any source or developed through any means that relates to the potential liability of any person under the IRC for any tax, penalty, interest, fine, forfeiture, or other imposition or offense

• Information extracted from a return, including names of dependents or the location of business

• The taxpayer's name, address, and identification number

• Information collected by the IRS about any person's tax affairs, even if identifiers, such as name, address, and identification number are deleted

• Status of whether a return was filed, under examination, or subject to other investigation or processing, including collection activities

• Information contained on transcripts of accounts

 

• Name of a person with respect to whom a return is filed

• Taxpayer mailing address

• Taxpayer identification number

• E-mail addresses

• Telephone numbers

• Social Security Numbers

• Bank account numbers

• Date and place of birth

• Mother's maiden name

• Biometric data (e.g., height, weight, eye color, fingerprints)

• Any combination of the preceding

 

• Control File (.txt)

• Adobe (.pdf)

• Word Document (.doc or .docx)

• Excel Document (.xls or.xlsx)

• Zipped File (.zip)

 

• Any use of FTI that is in addition to what was described in the original Need and Use Justification Form

• Any new, previously unreported internal tax administration compilations that include FTI

• Changes to the listing of authorized employees (Attachment B to the Need and Use Justification Form)

 

i. Establish and follow a schedule for regularly reviewing those holdings to ensure that only FTI identified in the notice is collected and retained and

ii. Certify that the FTI continues to be necessary to accomplish the legally authorized purpose.

 

• Section 3.0,

Record Keeping Requirement

• Section 4.0, Secure Storage--IRC 6103(p)(4)(B)

• Section 5.0, Restricting Access--IRC 6103(p)(4)(C)

• Section 6.0, Other Safeguards--IRC 6103(p)(4)(D)

• Section 7.0, Reporting Requirements--6103(p)(4)(E)

• Section 8.0, Disposing of FTI--IRC 6103(p)(4)(F)

• Section 9.0, Computer System Security

 

1. Copies of notifications requesting termination of FTI disclosures. The agency must notify all agencies, from which it receives FTI (IRS, SSA, BFS, OCSE, CMS, etc.). Agency should terminate all agreements currently enforced such as the Basic and Implementing Agreement, Computer Matching Agreement, Memorandum of Understanding, etc. that authorize FTI disclosures.

2. Letter from Head of Agency certifying that FTI has been destroyed see Section 8.0 Disposal of FTI -- IRC  

Once reviewed, the Office of Safeguards will send an acknowledgement of the agency's termination of Safeguard reporting and on-site review obligations.

2.9.2 Archiving FTI Procedure for agencies terminating receipt of FTI but required by statute to retain FTI for designated periods

If FTI is required to be retained by statute for a designated period (e.g., 5 or 10 years), then agencies must:

 

• Insure that a currently authorized agency and/or contractor retains FTI in accordance with Publication 1075 Security standards.

• Provide copies of notifications as shown in (1) (Copies of notifications requesting termination of FTI) above.

• Submit an annual SSR each year during the retention period.

• Be subject to periodic Safeguard Reviews.

• Comply with section 2.9.1(2) (Letter from Head of Agency) above when the retention period is finished.

 

3.0 Record Keeping Requirement

3.1 General

Federal, state, and local agencies, bodies, commissions, and agents authorized under IRC 6103 to receive FTI are required by IRC 6103(p)(4)(A) to establish a permanent system of standardized records of requests made by or to them for disclosure of FTI. For additional guidance, see Exhibit 2, USC Title 26, IRC 6103(p)(4).

This record keeping must include internal requests among agency employees as well as requests outside of the agency. These records are required to track the movement of FTI. The records are to be maintained for five years or the agency's applicable records control schedule must be followed, whichever is longer. The IRS.gov website contains guidance, job aids, helpful tools, and frequently asked questions to assist agencies in meeting safeguard requirements; see http://www.irs.gov/uac/Safeguards-Program.

The agency must establish, maintain, and update at least annually, an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing FTI and provide each update of the FTI inventory to the Chief Information Officer or information security official at least annually to support the establishment of information security requirements for all new or modified information systems containing FTI.

Records must be maintained in accordance with IRS audit log retention requirements for electronic and non-electronic files. For additional guidance, see Exhibit 9, Record Retention Schedules.

3.2 Electronic and Non-Electronic FTI Logs

The agency should establish a tracking system to identify and track the location of electronic and non-electronic FTI received from IRS. A log of FTI received from the IRS may include tracking elements, such as:

 

FTI should not be maintained on the log.

If the authority to make further disclosures is present (e.g., agents/contractors), information disclosed outside the agency must be recorded on a separate list that reflects to whom the disclosure was made, what was disclosed, and why and when it was disclosed. Agencies transmitting FTI from one mainframe computer to another, as in the case of the SSA sending FTI to state human services agencies, need only identify the bulk records transmitted. This identification will contain the approximate number of taxpayer records, the date of the transmissions, the best possible description of the records, and the name of the individual making/receiving the transmission.

Figure 1 -- Sample Electronic FTI Log

 ------------------------------------------------------------------

 

                   

Electronic Record Keeping Log

 

 ------------------------------------------------------------------

 

           

Control       Content (do

 

 Date       Number/File   not include   Recipient/Title   Number of

 

 Received   Name          FTI)          Location          Records

 

 ------------------------------------------------------------------

 

 ------------------------------------------------------------------

 

 ------------------------------------------------------------------

 

 

[Table Continued]

 

 ------------------------------------------------------

 

             

Electronic Record Keeping Log

 

 ------------------------------------------------------

 

 

Movement   Recipient/Title   Disposition   Disposition

 

 Date       Location          Date          Method

 

 ------------------------------------------------------

 

 ------------------------------------------------------

 

 ------------------------------------------------------

 

 

Figure 2 -- Sample Non-Electronic FTI Log

 -------------------------------------------------------------------

 

                 

Non-Electronic Record Keeping Log

 

 -------------------------------------------------------------------

 

 

Date        Date       Taxpayer   Tax       Type of      Reason for

 

 Requested   Received   Name       Year(s)   Information  Request

 

 -------------------------------------------------------------------

 

 -------------------------------------------------------------------

 

 -------------------------------------------------------------------

 

 

[Table Continued]

 

 ----------------------------------------------

 

       

Non-Electronic Record Keeping Log

 

 ----------------------------------------------

 

 

Exact      Who has   Disposition   Disposition

 

 Location   access?   Date          Method

 

 ----------------------------------------------

 

 ----------------------------------------------

 

 ----------------------------------------------

 

 

 

3.3 Converted Media

 

 

Conversion of FTI from paper to electronic media (scanning) or from electronic media to paper (print screens or printed reports) also requires tracking from creation to destruction of the converted FTI. All converted FTI must be tracked on logs containing the fields detailed in Section 3.2, depending upon the current form of the FTI, electronic or non-electronic.

3.4 Record Keeping of Disclosures to State Auditors

When disclosures are made by a state tax agency to state auditors, these requirements pertain only in instances where the auditors use FTI for further scrutiny and inclusion in their work papers. In instances where auditors read large volumes of records containing FTI, whether in paper or electronic format, the state tax agency need only identify bulk records examined. This identification will contain the approximate number of taxpayer records, the date of inspection, a description of the records, and the name of the individual(s) making the inspection. Record keeping log samples are provided in Section 3.2.

Disclosure of FTI to state auditors by child support enforcement and human services agencies is not authorized by statute. FTI in case files must be removed prior to access by the auditors.

4.0 Secure Storage--IRC 6103(p)(4)(B)

4.1 General

Security may be provided for a document, an item, or an area in a number of ways. These include but are not limited to locked containers of various types, vaults, locked rooms, locked rooms that have reinforced perimeters, locked buildings, guards, electronic security systems, fences, identification systems, and control measures.

How the required security is provided depends on the facility, the function of the activity, how the activity is organized, and what equipment is available. Proper planning and organization will enhance the security while balancing the costs.

The IRS has categorized federal tax and privacy information as moderate risk. The minimum protection standards (MPS) must be used as an aid in determining the method of safeguarding FTI. These controls are intended to protect FTI in paper and electronic form.

4.2 Minimum Protection Standards

The MPS establish a uniform method of physically protecting data and systems as well as non-electronic forms of FTI. This method contains minimum standards that will be applied on a case-by-case basis. Because local factors may require additional security measures, management must analyze local circumstances to determine location, container, and other physical security needs at individual facilities. The MPS have been designed to provide management with a basic framework of minimum security requirements.

The objective of these standards is to prevent unauthorized access to FTI. MPS thus requires two barriers. Example barriers under the concept of MPS are outlined in the following table. Each topic represents one barrier and should be used as a starting point to identify two barriers of MPS to protect FTI.

Table 2 -- Minimum Protection Standards

 ----------------------------------------------------------------------

 

 

Secured

        The perimeter is enclosed by slab-to-slab walls

 

 

Perimeter

      constructed of durable materials and supplemented by

 

                periodic inspection. Any lesser-type partition must be

 

                supplemented by electronic intrusion detection and fire

 

                detection systems. All doors entering the space must be

 

                locked in accordance with Locking Systems for Secured

 

                Areas. In the case of a fence/gate, the fence must have

 

                intrusion detection devices or be continually guarded,

 

                and the gate must be either guarded or locked with

 

                intrusion alarms.

 

 ----------------------------------------------------------------------

 

 

Security Room

  A security room is a room that has been constructed to

 

                resist forced entry. The entire room must be enclosed

 

                by slab-to-slab walls constructed of approved materials

 

                (e.g., masonry brick, concrete) and supplemented by

 

                periodic inspection, and entrance must be limited to

 

                specifically authorized personnel. Door hinge pins must

 

                be non-removable or installed on the inside of the

 

                room.

 

 ----------------------------------------------------------------------

 

 

Badged

         During business hours, if authorized personnel serve as

 

 

Employee

       the second barrier between FTI and unauthorized

 

                individuals, the authorized personnel must wear picture

 

                identification badges or credentials. The badge must be

 

                clearly displayed and worn above the waist.

 

 ----------------------------------------------------------------------

 

 

Security

       A security container is a storage device (e.g., turtle

 

 

Container

      case, safe/vault) with a resistance to forced

 

                penetration, with a security lock with controlled

 

                access to keys or combinations.

 

 ----------------------------------------------------------------------

 

 

The MPS or "two barrier" rule applies to FTI, beginning at the FTI itself and extending outward to individuals without a need-to-know. The MPS provides the capability to deter, delay, or detect surreptitious entry. Protected information must be containerized in areas where other than authorized employees may have access after-hours.

Using a common situation as an example, often an agency desires or requires that security personnel or custodial service workers or landlords for non-government-owned facilities have access to locked buildings and rooms. This may be permitted as long as there is a second barrier to prevent access to FTI. A security guard, custodial services worker, or landlord may have access to a locked building or a locked room if FTI is in a locked security container. If FTI is in a locked room but not in a locked security container, the guard, janitor, or landlord may have a key to the building but not the room.

Additional controls have been integrated into this document that map to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4 guidance. These are identified in Section 9.3, NIST SP 800-53 Control Requirements. Per NIST guidelines, policies and procedures must be developed, documented, and disseminated, as necessary, to facilitate implementing physical and environmental protection controls.

For additional guidance, see Section 9.3.11.3, Physical Access Control (PE-3).

4.3 Restricted Area Access

Care must be taken to deny unauthorized access to areas containing FTI during duty and non-duty hours. This can be accomplished by creating restricted areas, security rooms, or locked rooms. Additionally, FTI in any form (computer printout, photocopies, tapes, notes) must be protected during non-duty hours. This can be done through a combination of methods, including secured or locked perimeter, secured area, or containerization.

A restricted area is an area where entry is limited to authorized personnel (individuals assigned to the area). All restricted areas either must meet secured area criteria or provisions must be made to store FTI in appropriate containers during non-duty hours. Using restricted areas is an effective method for eliminating unnecessary traffic through critical areas, thereby reducing the opportunity for unauthorized access or disclosure or theft of FTI. All of the following procedures must be implemented to qualify as a restricted area.

Restricted areas will be prominently posted and separated from non-restricted areas by physical barriers that control access. The number of entrances must be kept to a minimum and must have controlled access (e.g., electronic access control, key access, door monitor) to prevent unauthorized entry. The main entrance must be controlled by locating the desk of a responsible employee at the entrance to ensure that only authorized personnel with an official need may enter.

A restricted area visitor log will be maintained at a designated entrance to the restricted area, and all visitors (persons not assigned to the area) entering the area shall be directed to the designated entrance.

The visitor access log must require the visitor to provide the following information:

 

The visitor must sign, either electronically or physically, into the visitor access log.

The security personnel must validate the person's identify by examining government-issued identification (e.g., state driver's license or passport) and recording in the access log the type of identification validated. The security personnel must compare the name and signature entered in the access log with the name and signature of the government-issued identification. When leaving the area, the security personnel or escort must enter the visitor's time of departure.

Each restricted area access log must be closed out at the end of each month and reviewed by management.

Figure 3 -- Sample Visitor Access Log

 ---------------------------------------------------------

 

                   

Visitor Access Log

 

 ---------------------------------------------------------

 

       

Name & Org. of   Form of Identification   Purpose

 

 Date   Visitor          of Visitor               of Visit

 

 ---------------------------------------------------------

 

 ---------------------------------------------------------

 

 ---------------------------------------------------------

 

 

[Table Continued]

 

 ------------------------------------------------------

 

                 

Visitor Access Log

 

 ------------------------------------------------------

 

 

Name & Organization   Time of   Time of     Signature

 

 of Person Visited     Entry     Departure   of Visitor

 

 ------------------------------------------------------

 

 ------------------------------------------------------

 

 ------------------------------------------------------

 

 

For additional guidance on visitor access requirements, see Section 9.3.11.7,

Visitor Access Records

(

PE-8).

4.3.1 Use of Authorized Access List

To facilitate the entry of employees who have a frequent and continuing need to enter a restricted area, but who are not assigned to the area, an Authorized Access List (AAL) can be maintained so long as MPSs are enforced (see Section 4.2, Minimum Protection Standards).

Agency Employees: The AAL must contain the following:

 

The AAL for agency employees must be updated at least annually or when employee access changes.

Vendors and Non-Agency Personnel: The AAL must contain the following information:

 

Vendors, contractors, and non-agency personnel AAL must be updated monthly.

If there is any doubt of the identity of the individual, the security monitor must verify the identity of the vendor/contractor individual against the AAL prior to allowing entry into the restricted area.

For additional guidance, see Section 9.3.11.2, Physical Access Authorizations (PE-2). Also, see Section 9.3.11.8, Delivery and Removal (PE-16), for guidance on controlling information system component entering and exiting the restricted area.

4.3.2 Controlling Access to Areas Containing FTI

Management or the designee shall maintain an authorized list of all personnel who have access to information system areas, where these systems contain FTI. This shall not apply to those areas within the facility officially designated as publicly accessible.

The site shall issue appropriate authorization credentials. The agency shall issue authorization credentials, including badges, identification cards, or smart cards. In addition, a list shall be maintained that identifies those individuals who have authorized access to any systems where FTI is housed. Access authorizations and records maintained in electronic form are acceptable.

Each agency shall control physical access to the information system devices that display FTI information or where FTI is processed to prevent unauthorized individuals from observing the display output. For additional information, see Section 9.3.11.5, Access Control for Output Devices (PE-5).

The agency or designee shall monitor physical access to the information system where FTI is stored to detect and respond to physical security incidents. For additional information, see Section 9.3.11.6, Monitoring Physical Access (PE-6).

For all areas that process FTI, the agency shall position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. For additional guidance, see Section 9.3.11.10, Location of Information System Components (PE-18).

Whenever cleaning and maintenance personnel are working in restricted areas containing FTI, the cleaning and maintenance activities must be performed in the presence of an authorized employee.

Allowing an individual to "piggyback" or "tailgate" into a restricted locations should be prohibited and documented in agency policy. The agency must ensure that all individuals entering an area containing FTI do not bypass access controls or allow unauthorized entry of other individuals. Unauthorized access should be challenged by authorized individuals (e.g., those with access to FTI). Security personnel must be notified of unauthorized piggyback/tailgate attempts.

4.3.3 Control and Safeguarding Keys and Combinations

All containers, rooms, buildings, and facilities containing FTI must be locked when not in actual use.

Access to a locked area, room, or container can be controlled only if the key or combination is controlled. Compromising a combination or losing a key negates the security provided by that lock. Combinations to locks must be changed when an employee who knows the combination retires, terminates employment, transfers to another position or at least annually.

Combinations must be given only to those who have a need to have access to the area, room, or container and must never be written on a sticky-note, calendar pad, or any other item (even though it is carried on one's person or hidden from view). An envelope containing the combination must be secured in a container with the same or a higher security classification as the highest classification of the material authorized for storage in the container or area the lock secures.

Keys must be issued only to individuals having a need to access an area, room, or container. Inventory records must be maintained on keys and must account for the total keys available and keys issued. The inventory must account for master keys and key duplicates. A periodic reconciliation must be done on all key records. The number of keys or persons with knowledge of the combination to a secured area will be kept to a minimum. Keys and combinations will be given only to those individuals who have a frequent need to access the area.

4.3.4 Locking Systems for Secured Areas

The number of keys or persons with knowledge of the combination to a secured area will be kept to a minimum. Keys and combinations will be given only to those individuals who have a frequent need to access the area.

Access control systems (e.g., badge readers, smart cards, biometrics) that provide the capability to audit access control attempts must maintain audit records with successful and failed access attempts to secure areas containing FTI or systems that process FTI. Agency personnel must review access control logs on a monthly basis. The access control log must contain the following elements:

 

4.4 FTI in Transit

Handling FTI must be such that the documents do not become misplaced or available to unauthorized personnel.

Any time FTI is transported from one location to another, care must be taken to provide appropriate safeguards. When FTI is hand-carried by an individual in connection with a trip or in the course of daily activities, it must be kept with that individual and protected from unauthorized disclosures.

All paper and electronic FTI transported through the mail or courier/messenger service must be documented on a transmittal form and monitored to ensure that each shipment is properly and timely received and acknowledged. It must also be double-sealed; for example, one envelope within another envelope. The inner envelope must be marked "confidential" with some indication that only the designated official or delegate is authorized to open it. Using sealed boxes serves the same purpose as double-sealing and prevents anyone from viewing the contents thereof.

All shipments of paper FTI must be documented on a transmittal form and monitored to ensure that each shipment is properly and timely received and acknowledged.

All shipments of electronic FTI (including compact disk [CD], digital video disk [DVD], thumb drives, hard drives, tapes, and microfilm) must be documented on a transmittal form and monitored to ensure that each shipment is properly and timely received and acknowledged. All FTI transported through the mail or courier/messenger service must be double-sealed; that is, one envelope within another envelope. The inner envelope must be marked "confidential" with some indication that only the designated official or delegate is authorized to open it. Using sealed boxes serves the same purpose as double-sealing and prevents anyone from viewing the contents thereof.

4.5 Physical Security of Computers, Electronic, and Removable Media

Computers and electronic media that receive, process, store, or transmit FTI must be in a secure area with restricted access. In situations when requirements of a secure area with restricted access cannot be maintained, such as home work sites, remote terminals or other office work sites, the equipment must receive the highest level of protection practical, including full disk encryption. All computers and mobile devices that contain FTI and are resident in an alternate work site must employ encryption mechanisms to ensure that this data may not be accessed, if the computer is lost or stolen (see OMB Memo M-06-16).

Basic security requirements must be met, such as keeping FTI locked up when not in use. When removable media contains FTI, it must be labeled as FTI.

All computers, electronic media, and removable media containing FTI, must be kept in a secured area under the immediate protection and control of an authorized employee or locked up. When not in use, the media must be promptly returned to a proper storage area/container.

Inventory records of electronic media must be maintained and reviewed semi-annually for control and accountability. Section 3.0, Record Keeping Requirement, contains additional information. For additional guidance on log retention requirements, see Exhibit 9, Record Retention Schedules.

For physical security protections of transmission medium (e.g., cabling), see Section 9.3.11.4, Access Control for Transmission Medium (PE-4).

4.6 Media Off-Site Storage Requirements

If the agency uses an off-site storage facility and the following conditions are met, the agency is not subject to additional safeguard requirements:

 

If the media is not encrypted and locked in a turtle case (e.g., open-shelf storage) or storage contractor maintains the key, the facility is subject to all safeguarding requirements (e.g., visitor access logs, internal inspections, contractor access restrictions, training)

4.7 Telework Locations

If the confidentiality of FTI can be adequately protected, telework sites, such as employee's homes or other non-traditional work sites, can be used. FTI remains subject to the same safeguard requirements and the highest level of attainable security. All of the requirements of Section 4.5, Physical Security of Computers, Electronic, and Removable Media, apply to telework locations.

The agency should conduct periodic inspections of alternative work sites during the year to ensure that safeguards are adequate. The results of each inspection shall be fully documented. IRS reserves the right to visit alternative work sites while conducting safeguard reviews. Changes in safeguard procedures must be described in detail by the agency in SSR. For additional information, see Section 7.2, Safeguard Security Report.

4.7.1 Equipment

The agency must retain ownership and control, for all hardware, software, and end-point equipment connecting to public communication networks, where these are resident at all alternate work sites.

Employees must have a specific room or area in a room that has the appropriate space and facilities for the type of work done. Employees also must have a way to communicate with their managers or other members of the agency in case security problems arise.

The agency must give employees locking file cabinets or desk drawers so that documents, disks, and tax returns may be properly secured when not in use. If agency furniture is not furnished to the employee, the agency must ensure that an adequate means of storage exists at the work site.

The agency must provide "locking hardware" to secure automated data processing equipment to large objects, such as desks or tables. Smaller, agency-owned equipment must be locked in a filing cabinet or desk drawer when not in use.

4.7.2 Storing Data

FTI may be stored on hard disks only if agency-approved security access control devices (hardware/software) have been installed; are receiving regularly scheduled maintenance, including upgrades; and are being used. Access control must include password security, an audit trail, encryption, virus detection, and data overwriting capabilities.

4.7.3 Other Safeguards

Only agency-approved security access control devices and agency-approved software will be used. Copies of illegal and non-approved software will not be used. Electronic media that is to be reused must have files overwritten or degaussed.

The agency must maintain a policy for the security of alternative work sites. The agency must coordinate with the managing host system(s) and any networks and maintain documentation on the test. Before implementation, the agency will certify that the security controls are adequate for security needs. Additionally, the agency will promulgate rules and procedures to ensure that employees do not leave computers unprotected at any time. These rules must address brief absences while employees are away from the computer.

The agency must provide specialized training in security, disclosure awareness, and ethics for all participating employees and managers. This training must cover situations that could occur as the result of an interruption of work by family, friends, or other sources.

5.0 Restricting Access -- IRC 6103(p)(4)(C)

5.1 General

Agencies are required by IRC 6103(p)(4)(C) to restrict access to FTI only to persons whose duties or responsibilities require access (see Exhibit 2, USC Title 26, IRC 6103(p)(4), and Exhibit 4, Sanctions for Unauthorized Disclosure). To assist with this requirement, FTI must be clearly labeled "Federal Tax Information" and handled in such a manner that it does not become misplaced or available to unauthorized personnel. Additionally, warning banners advising of safeguarding requirements must be used for computer screens (see Exhibit 8, Warning Banner Examples).

To understand the key terms of unauthorized disclosure, unauthorized access, and need-to-know, see Section 1.4, Key Definitions.

5.1.1 FTI Background Investigation Requirements

 

5.2 Commingling of FTI

Commingling of FTI refers to having FTI and non-FTI data residing on the same paper, electronic media, or data center.

It is recommended that FTI be kept separate from other information to the maximum extent possible to avoid inadvertent disclosures. Agencies should attempt to avoid maintaining FTI as part of their case files.

In situations where physical separation is impractical, the file must be clearly labeled to indicate that FTI is included, and the file must be safeguarded.

All FTI must be removed prior to releasing files to an individual or agency without authorized access to FTI.

5.2.1 Commingling of Electronic Media

If FTI is recorded on electronic media (e.g., tapes) with other data, it must be protected as if it were entirely FTI. Such commingling of data on electronic media must be avoided, if practicable. FTI only loses its character when it is verified by a third party and overwritten in the agency's records.

When data processing equipment is used to process or store FTI and the information is mixed with agency data, access must be controlled by:

 

Commingled data at multi-purpose facilities results in security risks that must be addressed. If the agency shares physical or computer facilities with other agencies, departments, or individuals not authorized to have FTI, strict controls--physical and systemic--must be maintained to prevent unauthorized disclosure of this information.

Examples of commingling include:

 

5.3 Access to FTI via State Tax Files or Through Other Agencies

Some state disclosure statutes and administrative procedures permit access to state tax files by other agencies, organizations, or employees not involved in tax matters. As a general rule, IRC 6103(d) does not permit access to FTI by such employees, agencies, or other organizations. The IRC clearly provides that FTI will be furnished to state tax agencies only for tax administration purposes and made available only to designated state tax personnel and legal representatives or to the state audit agency for an audit of the tax agency. Questions about whether particular state employees are entitled to have access FTI must be forwarded to the Disclosure Manager at the IRS Office that serves your location.^† Generally, the IRC does not permit state tax agencies to furnish FTI to other state agencies or to political subdivisions, such as cities or counties. State tax agencies may not furnish FTI to any other state or local agency, even where agreements have been made, informally or formally, for the reciprocal exchange of state tax information unless formally approved by the IRS. Also, non-government organizations, such as universities or public interest organizations performing research cannot have access to FTI.

^† Refer to http://www.irs.gov/uac/IRS-Disclosure-Offices for contact information.

Although state tax agencies are specifically addressed previously, the restrictions on data access and non-disclosure to another agency or third party applies to all agencies authorized to receive FTI. Generally, statutes that authorize disclosure of FTI do not authorize further disclosures by the recipient agency. Unless IRC 6103 provides for further disclosures by the agency, the agency cannot make such disclosures or otherwise grant access to FTI to either employees of another component of the agency not involved with administering the program for which the FTI was specifically received or to another state agency for any purpose.

Agencies and subdivisions within an agency may be authorized to obtain the same FTI for the different purposes, such as a state tax agency administering tax programs and a component human services agency administering benefit eligibility verification programs (IRC 6103(l)(6)). However, the IRC disclosure authority does not permit agencies or subdivisions of agencies to exchange or make subsequent disclosures of this information for another authorized purpose even within the agency.

In addition, unless specifically authorized by the IRC, agencies are not permitted to allow access to FTI to agents, representatives, or contractors.

FTI cannot be accessed by agency employees, agents, representatives, or contractors located offshore--outside of the United States territories, embassies or military installations. Further, FTI may not be received, processed, stored, transmitted, or disposed of by information technology (IT) systems located offshore.

The IRS has determined that 26 U.S.C. 6103(l)(21)(C) may allow the Marketplace to disclose FTI maintained in eligibility records to the HHS OIG to determine whether an eligibility determination or benefit amount with a particular case or household was accurate, provided that the Marketplace re-determine the eligibility of the applicant where the OIG finds that the Marketplace did not verify eligibility in accordance with Federal requirements. The Marketplace must also agree to review the sampled applicants as requested, and correct any questionable eligibility determinations.

5.4 Controls over Processing

The IRC does not permit state tax agencies to furnish FTI to other state agencies, tax or non-tax, or to political subdivisions, such as cities or counties, for any purpose, including tax administration, absent explicit written IRS authority granted under IRC 6103(p)(2)(B).

Processing of FTI, in an electronic media format, including removable media, microfilms, photo impressions, or other formats (including tape reformatting or reproduction or conversion to punch cards, digital images or hard copy printout) will be performed pursuant to one of the following procedures.

5.4.1 Agency-Owned and - Operated Facility

Processing under this method will take place in a manner that will protect the confidentiality of the information on the electronic media. All safeguards outlined in this publication also must be followed and will be subject to IRS safeguard reviews.

5.4.2 Contractor or Agency-Shared Facility - Consolidated Data Centers

Agency Shared Facilities:

Recipients of FTI are allowed to use a shared facility but only in a manner that does not allow access to FTI by employees, agents, representatives, or contractors of other agencies using the shared facility.

For purposes of applying sections 6103(l), (m), and (n), the term agent includes contractors.

Access restrictions pursuant to the IRC authority by which the FTI is received continue to apply; for example, because human services agencies administering benefit eligibility programs may not allow contractors, including consolidated data center contractors, access to any FTI.

The agency must include, as appropriate, the requirements specified in Exhibit 7, Safeguarding Contract Language, in accordance with IRC 6103(n).

The contractor or agency-shared computer facility is also subject to IRS safeguard reviews.

These requirements also apply to releasing electronic media to a private contractor or other agency office, even if the purpose is merely to erase the old media for reuse.

Consolidated Data Centers:

Agencies using consolidated data centers must implement appropriate controls to ensure the protection of FTI, including a service level agreement (SLA) between the agency authorized to receive FTI and the consolidated data center. The SLA must cover the following:

 

Generally, consolidated data centers are either operated by a separate state agency (e.g., Department of Information Services) or by a private contractor. If an agency is considering transitioning to either a state-owned or private vendor consolidated data center, the Office of Safeguards strongly suggests the agency submit a request for discussions with Safeguards as early as possible in the decision-making or implementation planning process. The purpose of these discussions is to ensure the agency remains in compliance with safeguarding requirements during the transition to the consolidated data center.

5.4.3 Review Availability of Contractor Facilities:

As a part of the agency review process, all affiliated contractors who receive, transmit, process and store FTI on behalf of the agency are subject to review.

The agency must include, as appropriate, requirements specified in Exhibit 7, Safeguarding Contract Language, in accordance with IRC 6103(n).

These requirements also apply to releasing electronic media to a private contractor or other agency office, even if the purpose is merely to erase the old media for reuse

Generally, consolidated data centers are either operated by a separate state agency (e.g., Department of Information Services) or by a private contractor. If an agency is considering transitioning to either a state-owned or private vendor consolidated data center, the Office of Safeguards strongly suggests the agency submit a request for discussions with Safeguards as early as possible in the decision-making or implementation planning process. The purpose of these discussions is to ensure the agency remains in compliance with safeguarding requirements during the transition to the consolidated data center

5.5 Child Support Agencies -- IRC 6103(l)(6), (l)(8), and (l)(10)

In general, no officer or employee of any state and local child support enforcement agency can make further disclosures of FTI.

However, limited information may be disclosed to agents or contractors of the agency for the purpose of, and to the extent necessary in, establishing and collecting child support obligations from and locating individuals owing such obligations.

The information that may be disclosed for this purpose to an agent or a contractor is limited to:

 

Tax refund offset payment information may not be disclosed by any federal, state, or local child support enforcement agency employee, representative, agent, or contractor into any court proceeding. To satisfy the re-disclosure prohibition, submit only payment date and payment amount for all payment sources (not just tax refund offset payments) into court proceedings.

Forms 1099 and W-2 information are not authorized by statute to be disclosed to contractors under the child support enforcement program (IRC 6103(I)(6).

5.6 Human Services Agencies -- IRC 6103(l)(7)

No officer or employee of any federal, state, or local agency administering certain programs under the Social Security Act, the Food Stamp Act of 1977, or Title 38, United States Code, or certain housing assistance programs is permitted to make further disclosures of FTI for any purpose. Human services agencies may not contract for services that involve the disclosure of FTI to contractors.

5.7 Deficit Reduction Agencies -- IRC 6103(l)(10)

Agencies receiving FTI from the Bureau of Fiscal Service related to tax refund offsets are prohibited from making further disclosures of the FTI received to another agency or to contractors.

5.8 Center for Medicare and Medicaid Services -- IRC 6103(l)(12)(C)

The Center for Medicare and Medicaid Services (CMS) is authorized under IRC 6103(i) for purposes of investigation and prosecution of non-tax federal crimes, or to apprise of or investigate terrorist incidents, are subject to safeguard requirements and review.

The Department of Justice must report in its SSR the number of FTI records provided and to which federal law enforcement agency the data was shared for the calendar year processing period.

5.12 Disclosures under IRC 6103(m)(2)

Disclosures to agents of a federal agency under IRC 6103(m)(2) are authorized for the purposes of locating individuals in collecting or compromising a federal claim against the taxpayer in accordance with Sections 3717, and 6.0 Other Safeguards--IRC 6103(p)(4)(D)

6.1 General

IRC 6103(p)(4)(D) requires that agencies receiving FTI to provide other safeguard measures, as appropriate, to ensure the confidentiality of the FTI. Agencies are required to provide a training program for their employees and contractors.

6.2 Training Requirements

Education and awareness are necessary to provide employees, contractors, and other persons with the information to protect FTI. There are multiple components to a successful training program. In this section, training requirements are consolidated to ensure agencies understand all of the requirements to comply with this publication.

Disclosure awareness training is described in detail within Section 6.3, Disclosure Awareness Training. Additional training requirements are located in various sections of the document and identified in the following table.

Table 3 -- Training Requirements

 --------------------------------------------------------------------

 

 

Training Component     Applicability                         Section

 

 --------------------------------------------------------------------

 

 Disclosure Awareness   • Unique to protection of FTI and     6.3

 

 Training                 prevention of unauthorized

 

                          disclosure

 

 ---------------------------------------------------------------------

 

 Security Awareness     • Provide basic security awareness    9.3.2.2

 

 Training                 training to information system

 

                          users

 

 ---------------------------------------------------------------------

 

 Role-Based Training    • Provides individualized training    9.3.2.3

 

                          to personnel based on assigned

 

                          security roles and

 

                          responsibilities

 

 ---------------------------------------------------------------------

 

 Contingency Training   • Provides individualized training    9.3.6.3

 

                          to personnel based on assigned

 

                          roles and responsibilities as they

 

                          relate to recovery of backup

 

                          copies of FTI

 

 ---------------------------------------------------------------------

 

 Incident Response      • Provides individuals with           9.3.8.2

 

 Training                 agency-specific procedures to       and

 

                          handle incidents                    10.0

 

                        • Provides individuals with

 

                          IRS-specific requirements

 

                          pertaining to incidents involving

 

                          FTI

 

 ---------------------------------------------------------------------

 

 

 

6.3 Disclosure Awareness Training

 

 

Employees and contractors must maintain their authorization to access FTI through annual training and recertification. Prior to granting an agency employee or contractor access to FTI, each employee or contractor must certify his or her understanding of the agency's security policy and procedures for safeguarding IRS information.

Disclosure awareness training stipulates that:

 

Additional security and information requirements can be expressed to appropriate personnel by using a variety of methods, such as but not limited to:

 

6.3.1 Disclosure Awareness Training Products

The following resources are available from the IRS to assist your agency in meeting the federal safeguard requirements for disclosure awareness and the protection of FTI. A variety of technical information, safeguard report examples, frequently asked questions, and other safeguard resources is available to you on the Office of Safeguards website. IRS Ordering Information: The following listed products can be ordered from the IRS Distribution Center by calling 800-TAX-FORM (829-3676). Be sure to identify yourself as a (state) government employee and please provide the publication number and quantity. Please note that all Notice 129 quantities are ordered by pad or roll count (100 pieces per, so 10 rolls = 1,000 labels). All products will be delivered to the agency address you provide and to the attention of the person you specify. Please do not call the tax help number (800-829-4933) but, if you experience an ordering problem, obtain the employee's name and ID number and send an email to SafeguardReports@irs.gov mailbox, so the Office of Safeguards can assist you.

Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies

 

Disclosure Awareness Video--Protecting FTI: A Message from the IRS

 

Protecting FTI, Pocket Guide for Government Employees

 

UNAX Don't Go There! Safeguards Disclosure Awareness Video (DVD or Video Streaming) 6.4 Internal Inspections

Another measure IRS requires is internal inspections by the recipient agency. The purpose is to ensure that adequate safeguard or security measures have been maintained. The agency must submit copies of these inspections to the IRS with the SSR (see Section 7.2, Safeguard Security Report). To provide an objective assessment, the inspection must be conducted by a function other than the using function.

To provide reasonable assurance that FTI is adequately safeguarded, the inspection must address the safeguard requirements the IRC and the IRS impose. The agency monitors and audits privacy controls and internal privacy policy to ensure effective implementation.

Agencies must establish a review cycle as follows:

 

The agency must complete a documented schedule (internal inspection plan), detailing the timing of all internal inspections in the current year and next two years (three-year cycle). The plan must be included as part of the SSR, as described in Section 7.2.

Inspection reports, including a record of corrective actions, must be retained by the agency for a minimum of five years from the date the inspection was completed. IRS personnel may review these reports during an on-site safeguard review. A summary of the agency's findings and the actions taken to correct any deficiencies must be included with the SSR submitted to the IRS.

Key areas that must be addressed include record keeping, secure storage, limited access, disposal, and computer security.

6.4.1 Record Keeping

Each agency and function within that agency shall maintain a log of all requests for FTI, including receipt and disposal of returns or return information. This includes any medium containing FTI, such as computer tapes, cartridges, CDs, or data received electronically.

6.4.2 Secure Storage

FTI (including tapes, cartridges, or other removable media) must be stored in a secure location, safe from unauthorized access.

6.4.3 Limited Access

Access to returns and return information (including tapes, cartridges, or other removable media) must be limited to only those employees, officers, and contractors who are authorized access by law or regulation and whose official duties require such access. The physical and systemic barriers to unauthorized access must be reviewed and reported. An assessment of facility security features must be included in the report.

6.4.4 Disposal

Upon completion of use, agencies must ensure that the FTI is destroyed or returned to the IRS or the SSA according to the guidelines contained in Section 8.0, Disposing of FTI--IRC 6103(p)(4)(F).

6.4.5 Computer Systems Security

The agency's review of the adequacy of its computer security provisions must provide reasonable assurance that access to FTI is limited to those personnel who have a needto-know. This need-to-know must be enforced electronically as well as physically (see Internal Inspection Template on the Office of Safeguards website and Section 9.3.1, Access Control, and other portions of Section 9.0, Computer System Security, as applicable).

The review of the computer facility must include the evaluation of computer security and physical security controls.

6.5 Plan of Action and Milestones

The agency must implement a process for ensuring that a Plan of Action and Milestones (POA&M) is developed and monitored. The POA&M must include the corrective actions identified during the internal inspections and will identify the actions the agency plans to take to resolve these findings.

The POA&M pertains to findings identified by the agency during the internal inspections process and any other internal or external audit.

The CAP covers findings identified by the Office of Safeguards during the on-site safeguard review. While these findings may be similar, their inclusion in either the POA&M or CAP is dependent upon how they were identified and who (the agency or the Office of Safeguards) is monitoring the finding resolution. Based upon deficiencies noted during the agency's inspection, list all deficiencies and corrective actions along with reasonable time frames for the remediation to occur (refer to Section 7.3, Corrective Action Plan).

7.0 Reporting Requirements--6103(p)(4)(E)

7.1 General

IRC 6103(p)(4)(E) requires agencies receiving FTI to report on procedures established and used for ensuring the confidentiality of FTI that is received, processed, stored, or transmitted to or from the agency. The major components consisting of reporting requirements include the SSR, CAP and 45-day notification requirements.

Submission of reports to the Office of Safeguards is considered certification from the agency head (or an officer in that agency, legally authorized to sign for the Head of agency). Indicating the report is accurate, up to date, and complies with the requirements set forth in IRC 6103(p)(4).

7.1.1 Report Submission Instructions

Correspondence, reports, and attachments should be sent electronically to the Office of Safeguards using Secure Data Transfer (SDT), if the agency participates in the SDT program. If the agency does not participate in SDT or SDT is otherwise not available, these transmissions should be sent "encrypted" via email to the SafeguardReports@irs.gov mailbox.

Please adhere to the following guidelines when submitting correspondence, reports, and attachments to the Office of Safeguards:

 

7.1.2 Encryption Requirements

The Office of Safeguards recommends that all required reports, when sent to the Office of Safeguards via email, be transmitted using IRS-approved encryption methods to protect sensitive information. Agencies are requested to adhere to the following guidelines to use encryption:

 

Refer to your specific file compression software user guide for instructions on how to compress and encrypt files. Known compatible products with IRS include but are not limited to WinZip and SecureZip.

Please remember, while the attachment is encrypted, the content of the email message will not be encrypted, so it is important that any sensitive information be contained in the attachment (encrypted document).

7.2 Safeguard Security Reports

Agencies executing data exchange agreements involving access to FTI and subject to safeguarding requirements must have an approved SSR prior to having access to FTI. The agency should submit the report for approval at least 90 days prior to the agency receiving FTI.

7.2.1 Initial SSR Submission Instructions - New Agency Responsibilities

In order to obtain IRS approval to receive FTI, a new Agency must have an approved SSR. To facilitate IRS approval, the agency is expected to:

 

Table NN - Evidentiary Requirements for SSR approval before release of FTI

 ----------------------------------------------------------------------

 

 

800-53   Control               Evidentiary Documents (Artifacts) for

 

 Control  Name                  Review

 

 ----------------------------------------------------------------------

 

 Section  Comingling and        • Screenshots of database schemas that

 

 5.2      Labeling                show electronic FTI labeling

 

                                • Sample output (report/notice) that

 

                                  shows how FTI is labeled

 

 ----------------------------------------------------------------------

 

 AC-6     Least Privilege       • FTI data flow diagram (physical and

 

                                  logical) to include all devices and

 

                                  inputs/outputs

 

                                • Access Control Policy & Procedures

 

 ----------------------------------------------------------------------

 

 AC-17    Remote Access         • Screenshot of authentication screens

 

                                • Document how multi-factor

 

                                  authentication is deployed for all

 

                                  remote network access to systems

 

                                  containing FTI and the tokens used

 

                                  for authentication

 

 ----------------------------------------------------------------------

 

 AC-20    Use of External       • Remote Access Policy & Procedures

 

          Information System

 

                                • Notice of Use for any

 

                                  non-agency-owned information systems;

 

                                  components; or devices to process,

 

                                  store, or transmit FTI, seeking IRS

 

                                  approval to meet 45-Day Notification

 

                                  Reporting Requirement

 

 ----------------------------------------------------------------------

 

 AU-2     Audit Events          • Audit and accountability policy and

 

                                  procedure for operating systems,

 

                                  databases and applications with FTI

 

                                • Log Monitoring Policy (recordkeeping)

 

 ----------------------------------------------------------------------

 

 AU-3     Content of Audit      • Sample audit logs for all

 

          Records                 technologies/components associated

 

                                  with FTI

 

 ----------------------------------------------------------------------

 

 AT-4     Security Training     • Training material (for users and

 

          Records                 system security personnel)

 

                                • Sample certification statement

 

 ----------------------------------------------------------------------

 

 CA-2     Security              • Independent Security Assessment

 

          Assessments             Report (SAR) or other report

 

                                  reflecting the results of security

 

                                  testing and mitigation for any high

 

                                  findings within the last year.

 

 ----------------------------------------------------------------------

 

 CA-6     Security              • Signed Authority to Operate (ATO) for

 

          Authorization           new systems (or DRAFT if ATO not yet

 

                                  granted)

 

                                • Documentation appointing the system

 

                                  Authorization Official

 

 ----------------------------------------------------------------------

 

 CM-8     Information System    • Complete listing of FTI inventory

 

          Component               (includes networking devices)

 

          Inventory               identifying: platform, operating

 

                                  system, and applicable software

 

 ----------------------------------------------------------------------

 

 IA-5     Authenticator         • Password & Authenticator Management

 

          Management              Policy & Procedures

 

                                • Screenshots of local security policy

 

                                  for password management

 

 ----------------------------------------------------------------------

 

 IR-6     Incident Reporting    • Incident Response Plan and Procedures

 

 ----------------------------------------------------------------------

 

 MP-6     Media Sanitization    • Media Sanitization Policy &

 

                                  Procedures

 

                                • Destruction log template

 

 ----------------------------------------------------------------------

 

 PE-3     Physical Access       • Physical Access Policy & Procedures

 

          Control

 

                                • Alternative Worksite Policy &

 

                                  Procedures

 

 ----------------------------------------------------------------------

 

 PE-8     Visitor Access        • Sample visitor access log

 

          Records

 

 ----------------------------------------------------------------------

 

 SA-9     External Information  • System & Services Acquisition Policy

 

          System Services         and/or Access Control Policy

 

 ----------------------------------------------------------------------

 

 SC-4     Information in        • System & Communication Policy &

 

          Shared Resources        Procedures

 

 ----------------------------------------------------------------------

 

 SC-7     Boundary Protection   • Network architecture and design

 

                                  documents and/or diagrams depicting

 

                                  FTI network segments or logical

 

                                  location of FTI system

 

 ----------------------------------------------------------------------

 

 SC-8     Transmission          • System & Communication Policy &

 

          Confidentiality and     Procedures

 

          Integrity

 

                                • Network design diagram and

 

                                  documentation with all FTI

 

                                  transmission protocols and encryption

 

                                  mechanisms identified

 

 ----------------------------------------------------------------------

 

 SI-2     Flaw Remediation      • Patch Management Policy & Procedure

 

 ----------------------------------------------------------------------

 

 SI-3     Malicious Code        • Malicious Code Protection Policy &

 

          Protection              Procedure

 

 ----------------------------------------------------------------------

 

 

If the agency does not submit all required evidentiary documentation, the evidence is inadequate to comply with Pub 1075, or the agency fails to conduct an independent security controls assessment, Safeguards reserves the right to conduct an on-site visit in order to approve the SSR before release of FTI. Safeguards will conduct a risk-based assessment to determine when to schedule a new agency's first on-site safeguard review after initial receipt of FTI.

Refer to the SSR template on the Office of Safeguards website for additional guidance and instructions for completing the document.

7.2.2 Instructions for Agencies Requesting New FTI Data Streams

Following documents need to be on file or provided by the requesting agency for IRS to consider approving a new FTI data stream.

 

7.2.3 Annual SSR Update Submission Instructions

The agency must update and submit the SSR annually to encompass any changes that impact the protection of FTI. Example changes include but are not limited to:

 

The following information must be updated in the SSR to reflect updates or changes regarding the agency or regarding safeguarding procedures within the reporting period:

 

The annual SSR update must be submitted on the prior year SSR template that was returned to the agency. This will allow for a version control of the document, assurance that the agency addressed all outstanding items previously noted as well as reduce the need for recreating the entire document again.

7.2.4 SSR Update Submission Dates

The SSR submission and all associated attachments must be sent annually to identify changes to safeguarding procedures, including:

 

Table 4 -- SSR Due Dates

 ----------------------------------------------------------------------

 

                         

Reporting Period                SSR Due

 

 ----------------------------------------------------------------------

 

                           

Federal Agencies

 

 ----------------------------------------------------------------------

 

 All Federal Agencies     January 1 through December 31   January 31

 

 ----------------------------------------------------------------------

 

                 

All State Agencies and Territories

 

 ----------------------------------------------------------------------

 

 AK, AL, AR, AS, AZ, CA   February 1 through January 31   February 28

 

 ----------------------------------------------------------------------

 

 CNMI, CO, CT, DC, DE,    March 1 through February 28     March 31

 

 FL, GA

 

 ----------------------------------------------------------------------

 

 GU, HI, IA, ID, IL, IN,  April 1 through March 31        April 30

 

 KS

 

 ----------------------------------------------------------------------

 

 KY, LA, MA, MD, ME, MI   May 1 through April 30          May 30

 

 ----------------------------------------------------------------------

 

 MN, MO, MS, MT, NE       June 1 through May 31           June 30

 

 ----------------------------------------------------------------------

 

 NC, NH, NJ, NM, NV, NY   July 1 through June 30          July 31

 

 ----------------------------------------------------------------------

 

 ND, OH, OK, OR           August 1 through July 31        August 31

 

 ----------------------------------------------------------------------

 

 PA, PR, RI, SC, SD, TN   September 1 through August 31   September 30

 

 ----------------------------------------------------------------------

 

 TX, UT, VA, VI, VT, WA   October 1 through September 30  October 31

 

 ----------------------------------------------------------------------

 

 WI, WV, WY               November 1 through October 31   November 30

 

 ----------------------------------------------------------------------

 

 

Educational institutions receiving IRS addresses to locate debtors under IRC 6103(m)(4)(B) must send annual reports to the Department of Education as the federal oversight agency for this program.

When extenuating circumstances exist, agencies may request an Annual SSR extension in 30 day increments for a maximum of 60 days. Extension requests should be submitted not later than (NLT) 30 days prior to the scheduled SSR due date. Request for extensions will not be considered after the scheduled SSR due date. A request for a second extension must be accompanied by a draft SSR. Extension requests should be sent to the Office of Safeguards via Secure Data Transfer (SDT) or email to SafeguardReports@irs.gov, with the subject SSR extension request and reasons for the extension. All extension requests will be evaluated on a case by case basis. Safeguards will provide an email response, approving or disapproving the request within 5 work days after receipt of the request.

7.3 Corrective Action Plan

The CAP represents the corrective actions described in the SRR. The IRS will provide each agency an SRR along with a CAP upon completion of an on-site review. The agency must complete the CAP to report the status of corrective actions completed in addition to any unresolved or planned corrective actions.

7.3.1 CAP Submission Instructions and Submission Dates

The agency must submit the CAP semi-annually, as an attachment to the SSR and on the CAP due date, which is six months from the scheduled SSR due date.

The CAP due dates are provided in the following chart.

Table 5 -- CAP Due Dates

 -----------------------------------------------------------

 

                                 

CAP with SSR   CAP (only)

 

 -----------------------------------------------------------

 

                     

Federal Agencies

 

 -----------------------------------------------------------

 

 All Federal Agencies            January 31     July 31

 

 -----------------------------------------------------------

 

             

All State Agencies and Territories

 

 -----------------------------------------------------------

 

 AK, AL, AR, AS, AZ, CA          February 28    August 31

 

 -----------------------------------------------------------

 

 CNMI, CO, CT, DC, DE, FL, GA    March 31       September 30

 

 -----------------------------------------------------------

 

 GU, HI, IA, ID, IL, IN, KS      April 30       October 31

 

 -----------------------------------------------------------

 

 KY, LA, MA, MD, ME, MI          May 30         November 30

 

 -----------------------------------------------------------

 

 MN, MO, MS, MT, NE              June 30        December 31

 

 -----------------------------------------------------------

 

 NC, NH, NJ, NM, NV, NY          July 31        January 31

 

 -----------------------------------------------------------

 

 ND, OH, OK, OR                  August 31      February 28

 

 -----------------------------------------------------------

 

 PA, PR, RI, SC, SD, TN          September 30   March 31

 

 -----------------------------------------------------------

 

 TX, UT, VA, VI, VT, WA          October 31     April 30

 

 -----------------------------------------------------------

 

 WI, WV, WY                      November 30    May 30

 

 -----------------------------------------------------------

 

 

If the SRR was issued within 60 days from the upcoming CAP due date in the preceding chart, the agency's first CAP will be due on the next subsequent reporting date to allow the agency adequate time to document all corrective actions proposed and taken.

When extenuating circumstances exist, agencies may request an extension for no more than 30 days. Extension requests should be submitted not later than (NLT) 30 days prior to the scheduled CAP due date. Request for extensions will not be considered after the scheduled CAP due date. Extension requests should be sent to the Office of Safeguards via Secure Data Transfer (SDT) or email to SafeguardReports@irs.gov, with the subject CAP extension request and reasons for the extension. All extension requests will be evaluated on a case by case basis. Safeguards will provide an email response, approving or disapproving the request within 5 work days after receipt of the request.

The CAP must be returned/submitted using the version sent by the Office of Safeguards with the SSR. The template should not be altered. The Planned Implementation Dates fields should not include any text; only numeric value and entered in mm/dd/yyyy format.

7.4 45-Day Notification Reporting Requirements

IRC 6103 limits the usage of FTI to only those purposes explicitly defined. Due to the security implications, higher risk of unauthorized disclosure and potential for unauthorized use of FTI based on specific activities conducted, the Office of Safeguards requires advanced notification (45 days) prior to implementing certain operations or technology capabilities that require additional uses of the FTI.

In addition to the initial receipt of FTI (see Section 2.1), the following circumstances or technology implementations require the agency to submit notification to the Office of Safeguards via the Office of Safeguards mailbox, at a minimum of 45 days ahead of the planned implementation for the following activities that involve FTI:

 ----------------------------------------------------------------------

 

 

FTI in subject to               Advance approval required to proceed

 

 ----------------------------------------------------------------------

 

 

Cloud computing                 No

 

 ----------------------------------------------------------------------

 

 

Consolidated data center        No

 

 ----------------------------------------------------------------------

 

 

Disclosure to a contractor      No, and only applicable for agencies

 

                                 specifically authorized pursuant to

 

                                 IRC 6103 statute or regulation

 

 ----------------------------------------------------------------------

 

 

Re-disclosure by contractor to  Yes, by Safeguards and only applicable

 

 sub-contractor                  for agencies specifically authorized

 

                                 pursuant to IRC 6103 statute or

 

                                 regulation

 

 ----------------------------------------------------------------------

 

 

Data warehouse processing       No

 

 ----------------------------------------------------------------------

 

 

Non-agency-owned information    No

 

 systems

 

 ----------------------------------------------------------------------

 

 

Tax modeling for tax            Yes, by Disclosure

 

 administration

 

 ----------------------------------------------------------------------

 

 

Test environment                Yes, by Safeguards

 

 ----------------------------------------------------------------------

 

 

Virtualization of IT systems    No

 

 ----------------------------------------------------------------------

 

 

See additional details pertaining to each topic in the following sections. Contact the Office of Safeguards mailbox with any questions pertaining to the 45-day notification requirement.

7.4.1 Cloud Computing

Receiving, processing, storing, or transmitting FTI in a cloud environment requires prior approval by the Office of Safeguards. Refer to Section 9.4.1, Cloud Computing Environments, for guidance and details on 45-day notification requirements.

7.4.2 Consolidated Data Center

Agencies are required to notify the Office of Safeguards when moving IT operations to a consolidated data center. Refer to Section 5.4.2, Contractor- or Agency-Shared Facility--Consolidated Data Centers for additional information.

7.4.3 Contractor or Subcontractor Access

All agencies intending to re-disclose FTI to contractors must notify the IRS at least 45 days prior to the planned re-disclosure. Contractors consist of but are not limited to cloud computing providers, consolidated data centers, off-site storage facilities, shred companies, IT support, or tax modeling/revenue forecasting providers. The contractor notification requirement also applies in the circumstance where the contractor hires additional subcontractor services. Approval is required if the (prime) contractor hires additional subcontractor services in accordance with Exhibit 6, Contractor 45-Day Notification Procedures.

Notification is also required for contractors to perform statistical analysis, tax modeling, or revenue projections (see Section 2.4, State Tax Agency Limitations).

7.4.4 Data Warehouse Processing

When an agency implements a data warehouse containing FTI, the agency must provide written notification to the Office of Safeguards, identifying the security controls, including FTI identification and auditing, within the data warehouse. For additional data warehouse guidance, see Exhibit 10, Data Warehouse Security Requirements.

7.4.5 Non-Agency-Owned Information Systems

Under limited circumstances, the IRS may review requests for the use or access to FTI using a non-agency-owned information system (e.g., mobile devices, cloud environments, outsourced data centers). Notify the Office of Safeguards 45 days in advance of planned activities to use non-agency-owned information systems to receive, process, store, or transmit FTI.

7.4.6 Tax Modeling

The agency must notify the Office of Safeguards if planning to include FTI in statistical analysis, tax modeling, or revenue projections.

The Office of Safeguards will forward the notification to the IRS Statistics of Income for approval of the modeling methodology (see Section 2.4, State Tax Agency Limitations).

7.4.7 Live Data Testing

Agencies must submit a Data Testing Request (DTR) form to request approval to use live FTI in a testing environment. Refer to Section 9.4.6, Live Data Testing, for additional guidance on 45-day notification requirements.

7.4.8 Virtualization of IT Systems

When planning to receive, process, store, or transmit FTI in virtualized environments, agencies must submit a 45-Day Notification, as described in Section 9.4.14, Virtualization Environments.

8.0 Disposing of FTI--IRC 6103(p)(4)(F)

8.1 General

Users of FTI are required by IRC 6103(p)(4)(F) to take certain actions after using FTI to protect its confidentiality (see Exhibit 2, USC Title 26, IRC 6103(p)(4), and Exhibit 5, Civil Damages for Unauthorized Disclosure). Agency officials and employees either will return the information (including any copies made) to the office from which it was originally obtained or destroy the FTI. Agencies will include in their annual report (e.g., SSR) a description of the procedures implemented. See Section 7.0, Reporting Requirements--6103(p)(4)(E) for additional reporting requirements.

8.2 Returning IRS Information to the Source

Agencies electing to return IRS information must use a receipt process and ensure that the confidentiality is protected at all times during transport (see Section 4.4, FTI in Transit).

8.3 Destruction and Disposal

FTI furnished to the user and any paper material generated therefrom, such as copies, photo impressions, computer printouts, notes, and work papers, must be destroyed by burning or shredding. If a method other than burning or shredding is used, that method must make the FTI unreadable or unusable.

The following precautions must be observed when destroying FTI:

Table 6 -- FTI Destruction Methods

Burning

The material is to be burned in an incinerator that produces enough heat to burn the entire bundle, or the bundle must be separated to ensure that all pages are incinerated.

Shredding

To make reconstruction more difficult:

 

If shredding deviates from the 5/16-inch specification, FTI must be safeguarded until it reaches the stage where it is rendered unreadable through additional means, such as burning or pulping.

FTI furnished or stored in electronic format must be destroyed in the following manner:

 

Whenever physical media leaves the physical or systemic control of the agency for maintenance, exchange, or other servicing, any FTI on it must be destroyed by:

 

When using either method for destruction, every third piece of physical electronic media must be checked to ensure appropriate destruction of FTI.

Hand tearing, recycling, or burying information in a landfill are unacceptable methods of disposal.

8.4 Other Precautions

FTI must never be disclosed to an agency's agents or contractors during disposal unless authorized by the IRC. Destruction must be witnessed by an agency employee.

The Department of Justice, state tax agencies, and SSA may be exempted from the requirement of having agency personnel present during destruction by a contractor. If a contractor is used:

 

9.0 Computer System Security

9.1 General

This section details the computer security requirements agencies must meet to adequately protect FTI under their administrative control. While the Office of Safeguards has responsibility to ensure the protection of FTI, it is the responsibility of the agency to build in effective security controls into its own IT infrastructure to ensure that FTI is protected at all points where it is received, processed, stored, or transmitted. It will not be the intent of IRS to monitor each control identified but to provide these to the organization, identifying those controls required for the protection of moderate risk systems within the federal government.

All agency information systems used for receiving, processing, storing, or transmitting FTI must be hardened in accordance with the requirements in this publication. Agency information systems include the equipment, facilities, and people that collect, process, store, display, and disseminate information. This includes computers, hardware, software, and communications, as well as policies and procedures for their use.

Impact levels used in this document are described in Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. NIST publications are available at http://csrc.nist.gov/publications/PubsSPs.html

The computer security framework was primarily developed using guidelines specified in NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, and NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Only applicable NIST SP 800-53 controls are included in this publication as a baseline. Applicability was determined by selecting controls required to protect the confidentiality of FTI. Agencies are encouraged to review supplemental guidance provided within NIST SP 800-53.

Section 9.3, NIST SP 800-53 Control Requirements, provides the security control requirements that relate to protecting information systems that receive, process, store, or transmit FTI and are based on the moderate baseline security controls defined by NIST.

The Office of Safeguards has included NIST control enhancement requirements where appropriate to protect the confidentiality of FTI. Control enhancements are identified with a CE designator after the requirement is described.

9.2 Assessment Process

The Office of Safeguards will assess agency compliance with the computer security requirements identified in this publication as part of the on-site review process. Requirements are assessed as they related to NIST SP 800-53 security controls as outlined in this publication. To ensure a standardized computer security review process, the following techniques will be used to evaluate agency policies, procedures, and IT equipment that receive, process, store, or transmit FTI:

Table 7 -- IT Testing Techniques

 ----------------------------------------------------------------------

 

 

Automated Compliance and

    Computer Security Reviewers will use a

 

 

Vulnerability Assessment

    combination of compliance and

 

 

Testing

                     vulnerability assessment software tools to

 

                             validate the adequate protection of FTI.

 

                             These automated tools will be launched

 

                             from either IRS-issued flash drives or

 

                             laptop computers.

 

 ----------------------------------------------------------------------

 

 

SCSEM

                       Documents and tests hardening requirements

 

                             for specific technologies used to receive,

 

                             process, store, or transmit FTI. SCSEMs

 

                             can be downloaded from the Office of

 

                             Safeguards website.

 

 ----------------------------------------------------------------------

 

 

Agencies should be prepared for the Computer Security Reviewers to use the preceding resources as part of the on-site review. As necessary, agency management approval must be obtained prior to the on-site review, if agency policies and procedure contradict any of these methods of review.

9.3 NIST SP 800-53 Control Requirements

9.3.1 Access Control

9.3.1.1 Access Control Policy and Procedures (AC-1)

The agency must:

 

9.3.1.2 Account Management (AC-2)

The agency must:

The information system must automatically disable inactive accounts after 120 days of inactivity. (CE3)

9.3.1.3 Access Enforcement (AC-3)

The information system must enforce:

9.3.1.4 Information Flow Enforcement (AC-4)

The information system must enforce approved authorizations for controlling the flow of FTI within the system and between interconnected systems based on the technical safeguards in place to protect the FTI.

Additional requirements for protecting the flow of FTI can be found in:

 

9.3.1.5 Separation of Duties (AC-5)

The agency must:

9.3.1.6 Least Privilege (AC-6)

The agency must:

The information system must:

9.3.1.7 Unsuccessful Logon Attempts (AC-7)

The information system must:

Specific to mobile device requirements, the logon is to the mobile device, not to any one account on the device. Additional mobile device controls are addressed in Section

.3.1.14,

Access Control for Mobile Devices (AC-19),

and Section 9.4.8,

Mobile Devices.

9.3.1.8 System Use Notification (AC-8)

The information system must:

a. Before granting access to the system, display to users an IRS-approved warning banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:

 

1. The system contains U.S. Government information;

2. Users actions are monitored and audited;

3. Unauthorized use of the system is prohibited; and

4. Unauthorized use of the system is subject to criminal and civil sanctions.

The warning banner must be applied at the application, database, operating system, and network device levels for all systems that receive, process, store, or transmit FTI.

Retain the warning banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system.

For publicly accessible systems, the information system must:

a. Display the IRS-approved warning banner granting further access;

b. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

c. Include a description of the authorized uses of the system.

For sample warning banners approved by the Office of Safeguards, see Exhibit 8.

9.3.1.9 Session Lock (AC-11)

The information system must:

a. Prevent further access to the system by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user; and

b. Retain the session lock until the user reestablishes access using established identification and authentication procedures.

9.3.1.10 Session Termination (AC-12)

The information system must automatically terminate a user session after 15 minutes of inactivity.

This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system.

9.3.1.11 Permitted Actions without Identification or Authentication (AC-14)

The agency must:

a. Identify specific user actions that can be performed on the information system without identification or authentication consistent with agency missions/business functions. FTI may not be disclosed to individuals on the information system without identification and authentication; and

b. Document and provide supporting rationale in the SSR for the information system the user actions not requiring identification or authentication.

Examples of access without identification and authentication would be instances in which the agency maintains a publicly accessible website for which no authentication is required.

9.3.1.12 Remote Access (AC-17)

The agency must:

a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed;

b. Authorize remote access to the information system prior to allowing such connections; and

c. Authorize and document the execution of privileged commands and access to security-relevant information via remote access for compelling operational needs only. (CE4)

The information system must:

a. Monitor and control remote access methods; (CE1)

b. Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions where FTI is transmitted over the remote connection; and (CE2)

c. Route all remote accesses through a limited number of managed network access control points. (CE3)

Remote access is defined as any access to an agency information system by a user communicating through an external network, for example, the Internet.

Any remote access where FTI is accessed over the remote connection must be performed using multi-factor authentication.

FTI cannot be accessed remotely by agency employees, agents, representatives, or contractors located offshore--outside of the United States territories, embassies, or military installations. Further, FTI may not be received, processed, stored, transmitted, or disposed of by IT systems located offshore.

9.3.1.13 Wireless Access (AC-18)

The agency must:

a. Establish usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;

b. Authorize wireless access to the information system prior to allowing such connections; and

c. Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. (SI-4, CE14)

The information system must protect wireless access to the system using authentication and encryption. (CE1)

Additional requirements for protecting FTI on wireless networks are provided in Section 9.4.18, Wireless Networks.

9.3.1.14 Access Control for Mobile Devices (AC-19)

A mobile device is a computing device that (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable, or removable data storage; and (iv) includes a self-contained power source.

The agency must:

a. Establish usage restrictions, configuration requirements, connection requirements, and implementation guidance for agency-controlled mobile devices;

b. Authorize the connection of mobile devices to agency information systems;

c. Employ encryption to protect the confidentiality and integrity of information on mobile devices (e.g., smartphones and laptop computers) (CE5); and

d. Purge/wipe information from mobile devices based on 10 consecutive, unsuccessful device logon attempts (e.g., personal digital assistants, smartphones and tablets). Laptop computers are excluded from this requirement (AC-7, CE2).

Additional requirements on protecting FTI accessed by mobile devices are provided in Section 9.4.8,

Mobile Devices.

9.3.1.15 Use of External Information Systems (AC-20)

Unless approved by the Office of Safeguards, the agency must prohibit:

a. Access to FTI from external information systems;

b. Use of agency-controlled portable storage devices (e.g., flash drives, external hard drives) containing FTI on external information systems; and (CE2)

c. Use of non-agency-owned information systems; system components; or devices to process, store, or transmit FTI; any non-agency-owned information system usage requires the agency to notify the Office of Safeguards 45 day s prior to implementation (see Section 7.4, 45-Day Notification Reporting Requirements). (CE3)

External information systems include any technology used to receive, process, transmit, or store FTI that is not owned and managed by the agency.

9.3.1.16 Information Sharing (AC-21)

The agency must restrict the sharing/re-disclosure of FTI to only those authorized in IRC 6103 and as approved by the Office of Safeguards.

9.3.1.17 Publicly Accessible Content (AC-22)

The agency must:

9.3.2 Awareness and Training

9.3.2.1 Security Awareness and Training Policy and Procedures (AT-1)

The agency must:

9.3.2.2 Security Awareness Training (AT-2)

The agency must:

This section is closely coupled with Section 6.3, Disclosure Awareness Training, which provides the requirement for general FTI disclosure awareness training; however, this control is focused on information security and operational security awareness.

Insider threat training should bring awareness of the potential for individuals (e.g., employees, contractors, former employees) to use insider knowledge of sensitive agency information (e.g., security practices, systems that hold sensitive data) to perform malicious actions, which could include the unauthorized access or re-disclosure of FTI.

9.3.2.3 Role-Based Security Training (AT-3)

The agency must provide role-based security training to personnel with assigned security roles and responsibilities:

9.3.2.4 Security Training Records (AT-4)

The agency must:

9.3.3 Audit and Accountability

9.3.3.1 Audit and Accountability Policy and Procedures (AU-1)

The agency must:

9.3.3.2 Audit Events (AU-2)

Security-relevant events must enable the detection of unauthorized access to FTI data. Auditing must be enabled to the greatest extent necessary to capture access, modification, deletion, and movement of FTI by each unique user.

The agency must:

Access to FTI must be audited at the operating system, software, and database levels. Software and platforms have differing audit capabilities. Each individual platform audit capabilities and requirements are maintained on the platform-specific Office of Safeguards SCSEM, which is available on the IRS Office of Safeguards website.

9.3.3.3 Content of Audit Records (AU-3)

The information system must:

9.3.3.4 Audit Storage Capacity (AU-4)

The agency must allocate audit record storage capacity to retain audit records for the required audit retention period of seven years.

9.3.3.5 Response to Audit Processing Failures (AU-5)

The information system must:

9.3.3.6 Audit Review, Analysis, and Reporting (AU-6)

The agency must:

The Office of Safeguards recommends agencies identify events that may indicate a potential unauthorized access to FTI. This recommendation is not a requirement at this time, but agencies are encouraged to contact the Office of Safeguards with any questions regarding implementation strategies. Methods of detecting unauthorized access to FTI include matching audit trails to access attempts (successful or unsuccessful) across the following categories:

Table 8 -- Proactive Auditing Methods to Detect Unauthorized Access to FTI

 ----------------------------------------------------------------------

 

 

Do Not

        Create a Do Not Access list to identify high-profile

 

 

Access List

   individuals or companies whose records have a high

 

               probability of being accessed without proper

 

               authorization

 

 ----------------------------------------------------------------------

 

 

Time of Day

   Identify suspicious behavior by tracking FTI accesses

 

 

Access

        outside normal business hours

 

 ----------------------------------------------------------------------

 

 

Name

          Detect potential unauthorized access by monitoring name

 

 

Searches

      searches (especially searches on the same last name as

 

               the employee)

 

 ----------------------------------------------------------------------

 

 

Previous

      Identify employee accesses to Tax Identification Numbers

 

 

Accesses

      (TINs) that the employee has accessed in the past but

 

               currently does not have a case assignment or need to

 

               access

 

 ----------------------------------------------------------------------

 

 

Volume

        Monitor the volume of accesses a person performs and

 

               compare them to past case assignment levels

 

 ----------------------------------------------------------------------

 

 

Zip Code

      Determine whether an employee is accessing taxpayers

 

               whose address of record is geographically close to the

 

               employee's home or work location (i.e., same building,

 

               zip code, block)

 

 ----------------------------------------------------------------------

 

 

Restricted

    Monitor all TINs associated with past employees' tax

 

 

TIN

           returns (e.g., self, spouse, children, businesses).

 

 ----------------------------------------------------------------------

 

 

It is recommended the agency define a frequency in which the preceding categories are updated for an individual to ensure the information is kept current.

9.3.3.7 Audit Reduction and Report Generation (AU-7)

The information system must provide an audit reduction and report generation capability that:

9.3.3.8 Time Stamps (AU-8)

The information system must:

9.3.3.9 Protection of Audit Information (AU-9)

The information system must protect audit information and audit tools from unauthorized access, modification, and deletion.

The agency must authorize access to manage audit functionality only to designated security administrator(s) or staff other than the system and network administrator. System and network administrators must not have the ability to modify or delete audit log entries. (CE4)

9.3.3.10 Audit Record Retention (AU-11)

The agency must retain audit records for seven years to provide support for after-the-fact investigations of security incidents and to meet regulatory and agency information retention requirements.

9.3.3.11 Audit Generation (AU-12)

The information system must:

9.3.3.12 Cross-Agency Auditing (AU-16)

The agency must employ mechanisms for coordinating the access and protection of audit information among external organizations when audit information is transmitted across agency boundaries.

This requirement applies to outsourced data centers or cloud providers. The provider must be held accountable to protect and share audit information with the agency through the contract.

See Section 9.4.1, Cloud Computing Environments for additional cloud computing requirements, including language for cloud computing requirements. Also see Section 5.4, Controls over Processing for information pertaining to consolidated data centers.

9.3.4 Security Assessment and Authorization

9.3.4.1 Security Assessment and Authorization Policy and Procedures (CA-1)

The agency must:

9.3.4.2 Security Assessments (CA-2)

The agency must:

9.3.4.3 System Interconnections (CA-3)

The agency must:

9.3.4.4 Plan of Action and Milestones (CA-5)

The agency must:

The POA&M must comprise of an all-inclusive tool or document for the agency to track vulnerabilities identified by the self-assessments, internal inspections, external audits and any other vulnerabilities identified for information systems that receive, process, store, or transmit FTI.

Additional information is available in Section 6.5, Plan of Action and Milestones.

9.3.4.5 Security Authorization (CA-6)

The agency must:

9.3.4.6 Continuous Monitoring (CA-7)

The agency must develop a continuous monitoring strategy and implement a continuous monitoring program that includes:

9.3.5 Configuration Management

9.3.5.1 Configuration Management Policy and Procedures (CM-1)

The agency must:

9.3.5.2 Baseline Configuration (CM-2)

The agency must develop, document, and maintain under configuration control, a current baseline configuration of the information system.

The agency must review and update the baseline configuration of the information system: (CE1)

The Office of Safeguards recommends using SCSEMs provided on the Office of Safeguards website for developing an information system baseline configuration.

9.3.5.3 Configuration Change Control (CM-3)

The agency must:

9.3.5.4 Security Impact Analysis (CM-4)

The agency must analyze changes to the information system to determine potential security impacts prior to change implementation.

9.3.5.5 Access Restrictions for Change (CM-5)

The agency must define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

9.3.5.6 Configuration Settings (CM-6)

The agency must:

The authoritative source for platform checklists used by the Office of Safeguards is the NIST Checklist Program Repository (http://checklists.nist.gov). Office of Safeguards SCSEMs may include compliance requirements from one or more of the following security benchmarks: 9.3.5.7 Least Functionality (CM-7)

The agency must:

 

9.3.5.8 Information System Component Inventory (CM-8)

The agency must:

 

Additional requirements for maintaining a system component inventory are provided in Section 9.4.12,

System Component Inventory,

as well as NIST SP 800-70

Security Configuration Checklists Program for IT Products- Guidance for Checklists Users and Developers.

9.3.5.9 Configuration Management Plan (CM-9)

The agency must develop, document, and implement a configuration management plan for the information system that:

 

9.3.5.10 Software Usage Restrictions (CM-10)

The agency must:

 

The agency must establish restrictions on the use of open source software. Open source software must: (CE1)

 

9.3.5.11 User-Installed Software (CM-11)

The agency must:

 

9.3.6 Contingency Planning

All FTI that is transmitted to agencies is backed up and protected within IRS facilities. As such, the focus of contingency planning controls is on the protection of FTI stored in backup media or used at alternative facilities and not focused on the availability of data. Agencies must develop applicable contingencies for ensuring that FTI is available, based upon their individual risk-based approaches.

9.3.6.1 Contingency Planning Policy and Procedures (CP-1)

The agency must:

9.3.6.2 Contingency Plan (CP-2)

The agency must:

 

9.3.6.3 Contingency Training (CP-3)

The agency must provide contingency training to information system users consistent with assigned roles and responsibilities:

 

9.3.6.4 Contingency Plan Testing (CP-4)

The agency must:

 

9.3.6.5 Alternate Storage Site (CP-6)

The agency must:

 

9.3.6.6 Alternate Processing Site (CP-7)

The agency must:

 

9.3.6.7 Information System Backup (CP-9)

The agency must:

 

9.3.6.8 Information System Recovery and Reconstitution (CP-10)

The agency must provide for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

9.3.7 Identification and Authentication

9.3.7.1 Identification and Authentication Policy and Procedures (IA-1)

The agency must:

9.3.7.2 Identification and Authentication (Organizational Users) (IA-2) 9.3.7.3 Device Identification and Authentication (IA-3)

The information system must uniquely identify and authenticate devices before establishing a connection.

9.3.7.4 Identifier Management (IA-4)

The agency must manage information system identifiers by:

 

9.3.7.5 Authenticator Management (IA-5)

The agency must manage information system authenticators by:

 

The information system must, for password-based authentication:

 

9.3.7.6 Authenticator Feedback (IA-6)

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

9.3.7.7 Cryptographic Module Authentication (IA-7)

The information system must implement mechanisms for authentication to a cryptographic module that meets the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Validation provides assurance that when agency implements cryptography to protect FTI, the encryption functions have been examined in detail and will operate as intended.

All electronic transmissions of FTI must be encrypted using FIPS 140-2 validated cryptographic modules. A product does not meet the FIPS 140-2 requirements by simply implementing an approved security function. Only modules tested and validated to FIPS 140-2 meet the applicability requirements for cryptographic modules to protect sensitive information. NIST maintains a list of validated cryptographic modules on its website http://csrc.nist.gov/

9.3.7.8 Identification and Authentication (Non-Organizational Users) (IA-8)

The information system must uniquely identify and authenticate non-agency users (or processes acting on behalf of non-agency users).

9.3.8 Incident Response

These incident response controls apply to both physical and information system security relative to the protection of FTI.

9.3.8.1 Incident Response Policy and Procedures (IR-1)

The agency must:

9.3.8.2 Incident Response Training (IR-2)

Agencies must train personnel with access to FTI, including contractors and consolidated data center employees if applicable, in their incident response roles on the information system and FTI. The agency must provide incident response training to information system users consistent with assigned roles and responsibilities:

 

9.3.8.3 Incident Response Testing (IR-3)

Agencies entrusted with FTI must test the incident response capability for the information system at least annually.

 

See Section 10.3,

Incident Response Procedures,

for specific instructions on incident response requirements where FTI is involved.

9.3.8.4 Incident Handling (IR-4)

The agency must:

 

9.3.8.5 Incident Monitoring (IR-5)

The agency must track and document all physical and information system security incidents potentially affecting the confidentiality of FTI.

9.3.8.6 Incident Reporting (IR-6)

The agency must:

 

Refer to Section 10.0,

Reporting Improper Inspections or Disclosures,

for more information on incident reporting requirements required by the Office of Safeguards.

9.3.8.7 Incident Response Assistance (IR-7)

The agency must provide an incident response support resource, integral to the agency incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

9.3.8.8 Incident Response Plan (IR-8)

The agency must:

 

9.3.8.9 Information Spillage Response (IR-9)

The agency must respond to information spills by:

 

9.3.9 Maintenance

9.3.9.1 System Maintenance Policy and Procedures (MA-1)

The agency must:

9.3.9.2 Controlled Maintenance (MA-2)

The agency must:

 

9.3.9.3 Maintenance Tools (MA-3)

The agency must approve, control, and monitor information system maintenance tools.

9.3.9.4 Non-Local Maintenance (MA-4)

The agency must:

 

9.3.9.5 Maintenance Personnel (MA-5)

The agency must:

 

9.3.10 Media Protection

Information system media is defined to include both digital and non-digital media.

9.3.10.1 Media Protection Policy and Procedures (MP-1)

The agency must:

9.3.10.2 Media Access (MP-2)

The agency must restrict access to digital and non-digital media containing FTI to authorized individuals.

9.3.10.3 Media Marking (MP-3)

The agency must label information system media containing FTI to indicate the distribution limitations and handling caveats.

The agency must label removable media (CDs, DVDs, diskettes, magnetic tapes, external hard drives and flash drives) and information system output containing FTI (reports, documents, data files, back-up tapes) indicating "Federal Tax Information". Notice 129-A and Notice 129-B IRS provided labels can be used for this purpose.

9.3.10.4 Media Storage (MP-4)

The agency must:

 

See Section 4.0,

Secure Storage--IRC 6103(p)(4)(B),

on additional secure storage requirements.

9.3.10.5 Media Transport (MP-5)

The agency must:

 

The information system must implement cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. (CE4)

See Section 4.4, FTI in Transit, for more information on transmittals and media transport requirements.

9.3.10.6 Media Sanitization (MP-6)

The agency must:

 

Agencies must review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Agencies verify that the sanitization of the media was effective prior to disposal (see Section 9.3.17.9,

Information Handling and Retention (SI-12)).

The agency must restrict the use of information system media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, CDs, DVDs) on information systems that receive, process, store, or transmit FTI using physical or automated controls.

Additional requirements for protecting FTI during media sanitization are provided in Section 9.3.10.6, Media Sanitization (MP-6); Section 9.4.7, Media Sanitization; and Exhibit 10, Data Warehouse Security Requirements.

9.3.11 Physical and Environmental Protection

9.3.11.1 Physical and Environmental Protection Policy and Procedures (PE-1)

The agency must:

9.3.11.2 Physical Access Authorizations (PE-2)

The agency must:

 

9.3.11.3 Physical Access Control (PE-3)

The agency must:

 

9.3.11.4 Access Control for Transmission Medium (PE-4)

The agency must control physical access within agency facilities.

9.3.11.5 Access Control for Output Devices (PE-5)

The agency must control physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

Monitors, printers, copiers, scanners, fax machines, and audio devices are examples of information system output devices.

9.3.11.6 Monitoring Physical Access (PE-6)

The agency must:

 

9.3.11.7 Visitor Access Records (PE-8)

The agency must:

 

Also see Section 4.3,

Restricted Area Access,

for visitor access (AAL) requirements.

9.3.11.8 Delivery and Removal (PE-16)

The agency must authorize, monitor, and control information system components entering and exiting the facility and maintain records of those items.

9.3.11.9 Alternate Work Site (PE-17)

The agency must:

 

Alternate work sites may include, for example, government facilities or private residences of employees (see Section 4.7, Telework Locations, for additional requirements)

.

9.3.11.10 Location of Information System Components (PE-18)

The agency must position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

For additional guidance, see Section 4.3, Restricted Area Access, and Section 4.5, Physical Security of Computers, Electronic, and Removable Media.

9.3.12 Planning

9.3.12.1 Security Planning Policy and Procedures (PL-1)

The agency must:

9.3.12.2 System Security Plan (PL-2)

An approved and accurate SSR satisfies the requirements for the SSP (see Section 7.0, Reporting Requirements--6103(p)(4)(E)).

The agency must:

 

9.3.12.3 Rules of Behavior (PL-4)

The agency must:

 

9.3.13 Personnel Security See also Section 5.1.1 FTI Background Investigation Requirements

9.3.13.1 Personnel Security Policy and Procedures (PS-1)

The agency must:

9.3.13.2 Position Risk Designation (PS-2) See also Section 5.1.1 FTI Background Investigation Requirements

The agency must:

 

9.3.13.3 Personnel Screening (PS-3) See also Section 5.1.1 FTI Background Investigation Requirements

The agency must:

 

9.3.13.4 Termination (PS-4)

The agency, upon termination of individual employment must:

 

9.3.13.5 Personnel Transfer (PS-5)

The agency must:

 

9.3.13.6 Access Agreements (PS-6)

Before authorizing access to FTI, the agency must:

9.3.13.7 Third-Party Personnel Security (PS-7)

The agency must:

 

9.3.13.8 Personnel Sanctions (PS-8)

The agency must:

 

9.3.14 Risk Assessment

9.3.14.1 Risk Assessment Policy and Procedures (RA-1)

The agency must:

9.3.14.2 Risk Assessment (RA-3)

The agency must:

 

9.3.14.3 Vulnerability Scanning (RA-5)

The agency must:

 

9.3.15 System and Services Acquisition

9.3.15.1 System and Services Acquisition Policy and Procedures (SA-1)

The agency must:

9.3.15.2 Allocation of Resources (SA-2)

The agency must:

 

9.3.15.3 System Development Life Cycle (SA-3)

The agency must:

 

9.3.15.4 Acquisition Process (SA-4)

The agency must include the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and agency mission/business needs:

 

When applicable, the agency must require the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (CE1)

9.3.15.5 Information System Documentation (SA-5)

The agency must:

 

9.3.15.6 Security Engineering Principles (SA-8)

The agency must apply information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

9.3.15.7 External Information System Services (SA-9)

The agency must:

 

Agencies must prohibit the use of non-agency-owned information systems, system components, or devices that receive, process, store, or transmit FTI unless explicitly approved by the Office of Safeguards. For notification requirements, refer to Section 7.4.5, Non-Agency-Owned Information Systems.

The contract for the acquisition must contain Exhibit 7 language, as appropriate (see Section 9.3.15.4, Acquisition Process (SA-4), and Exhibit 7, Safeguarding Contract Language).

9.3.15.8 Developer Configuration Management (SA-10)

The agency must require the developer of the information system, system component, or information system service to:

 

9.3.15.9 Developer Security Testing and Evaluation (SA-11)

The agency must require the developer of the information system, system component, or information system service to:

 

9.3.15.10 Unsupported System Components (SA-22)

The agency must replace information system components when support for the components is no longer available from the developer, vendor, or manufacturer.

9.3.16 System and Communications Protection

9.3.16.1 System and Communications Protection Policy and Procedures (SC-1)

The agency must:

9.3.16.2 Application Partitioning (SC-2)

The information system must separate user functionality (including user interface services) from information system management functionality.

9.3.16.3 Information in Shared Resources (SC-4)

The information system must prevent unauthorized and unintended information transfer via shared system resources.

9.3.16.4 Denial of Service Protection (SC-5)

The information system must protect against or limit the effects of denial of service attacks.

Refer to NIST SP 800-61 R2, Computer Security Incident Handling Guide, for additional information on denial of service.

9.3.16.5 Boundary Protection (SC-7)

The information system must:

 

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within the security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks).

The agency must limit the number of external network connections to the information system. (CE3)

The agency must: (CE4)

 

The information system at managed interfaces must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). (CE5)

The information system must, in conjunction with a remote device, prevent the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (CE7)

Additional requirements for protecting FTI on networks are provided in Section 9.4.10, Network Protections.

9.3.16.6 Transmission Confidentiality and Integrity (SC-8)

Information systems that receive, process, store, or transmit FTI, must:

 

If encryption is not used, to reduce the risk of unauthorized access to FTI, the agency must use physical means (e.g., by employing protected physical distribution systems) to ensure that FTI is not accessible to unauthorized users. The agency must ensure that all network infrastructure, access points, wiring, conduits, and cabling are within the control of authorized agency personnel. Network monitoring capabilities must be implemented to detect and monitor for suspicious network traffic. For physical security protections of transmission medium, see Section 9.3.11.4,

Access Control for Transmission Medium (PE-4)

.

This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, fax machines).

9.3.16.7 Network Disconnect (SC-10)

The information system must terminate the network connection associated with a communications session at the end of the session or after 30 minutes of inactivity.

This control addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect) in contrast to user-initiated logical sessions in AC-12.

9.3.16.8 Cryptographic Key Establishment and Management (SC-12)

The agency must establish and manage cryptographic keys for required cryptography employed within the information system.

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures.

9.3.16.9 Cryptographic Protection (SC-13)

The information system must implement cryptographic modules in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

9.3.16.10 Collaborative Computing Devices (SC-15)

The information system must:

 

Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated

9.3.16.11 Public Key Infrastructure Certificates (SC-17)

The agency must issue public key infrastructure certificates or obtain public key infrastructure certificates from an approved service provider.

9.3.16.12 Mobile Code (SC-18)

The agency must:

 

Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript, which are common installations on most end user workstations. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., tablet computers and smartphones).

9.3.16.13 Voice over Internet Protocol (SC-19)

The agency must:

 

Additional requirements for protecting FTI transmitted by VoIP systems are provided in Section 9.4.15,

VoIP Systems

.

9.3.16.14 Session Authenticity (SC-23)

The information system must protect the authenticity of communications sessions.

This control addresses communications protection at the session level versus the packet level (e.g., sessions in service-oriented architectures providing Web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.

9.3.16.15 Protection of Information at Rest (SC-28)

The information system must protect the confidentiality and integrity of FTI at rest. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems.

Agencies may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms, file share scanning, and integrity protection. Agencies may also employ other security controls, including, for example, secure offline storage in lieu of online storage, when adequate protection of information at rest cannot otherwise be achieved or when continuously monitoring to identify malicious code at rest.

The confidentiality and integrity of information at rest shall be protected when located on a secondary (non-mobile) storage device (e.g., disk drive, tape drive) with cryptography mechanisms.

FTI stored on deployed user workstations, in non-volatile storage, shall be encrypted with FIPS-validated or National Security Agency (NSA)-approved encryption during storage (regardless of location) except when no approved encryption technology solution is available that addresses the specific technology.

Mobile devices do require encryption at rest (see Section 9.3.1.14, Access Control for Mobile Devices (AC-19), and Section 9.4.8, Mobile Devices.

9.3.17 System and Information Integrity

9.3.17.1 System and Information Integrity Policy and Procedures (SI-1)

The agency must:

9.3.17.2 Flaw Remediation (SI-2)

The agency must:

 

Security-relevant software updates include, for example, patches, service packs, hot fixes, and antivirus signatures.

9.3.17.3 Malicious Code Protection (SI-3)

Malicious code protection includes antivirus software and antimalware and intrusion detection systems.

The agency must:

 

The information system must automatically update malicious code protection mechanisms. (CE2)

Information system entry and exit points include, for example, firewalls, electronic mail servers, Web servers, proxy servers, remote access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files or hidden in files using steganography. Malicious code can be transported by different means, including, for example, Web accesses, electronic mail, electronic mail attachments, and portable storage devices.

9.3.17.4 Information System Monitoring (SI-4)

The agency must:

• Monitor the information system to detect:

• • Attacks and indicators of potential attacks; and

  • Unauthorized local, network, and remote connections.

• Identify unauthorized use of the information system;

• Deploy monitoring devices: (i) strategically within the information system to collect agency-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the agency;

• Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

• Heighten the level of information system monitoring activity whenever there is an indication of increased risk to agency operations and assets, individuals, other organizations, or the nation, based on law enforcement information, intelligence information, or other credible sources of information;

• Provide information system monitoring information to designated agency officials as needed;

• Analyze outbound communications traffic at the external boundary of the information system and selected interior points within the network (e.g., subnetworks, subsystems) to discover anomalies--anomalies within agency information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses;

• Employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications; and (CE11)

• Implement host-based monitoring mechanisms (e.g., Host intrusion prevention system (HIPS)) on information systems that receive, process, store, or transmit FTI. (CE23)

 

The information system must:

• Monitor inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions; (CE4)

• Alert designated agency officials when indications of compromise or potential compromise occur--alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boundary protection devices, such as firewalls, gateways, and routers and alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging; agency personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers; and (CE5)

• Notify designated agency officials of detected suspicious events and take necessary actions to address suspicious events. (CE7)

 

Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system.

Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software).

Strategic locations for monitoring devices include, for example, selected perimeter locations and nearby server farms supporting critical applications, with such devices typically being employed at the managed interfaces.

9.3.17.5 Security Alerts, Advisories, and Directives (SI-5)

The agency must:

• Receive information system security alerts, advisories, and directives from designated external organizations on an ongoing basis;

• Generate internal security alerts, advisories, and directives as deemed necessary;

• Disseminate security alerts, advisories, and directives to designated agency officials; and

• Implement security directives in accordance with established time frames or notify the issuing agency of the degree of noncompliance.

 

9.3.17.6 Spam Protection (SI-8)

The agency must:

• Employ spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and

• Update spam protection mechanisms when new releases are available in accordance with agency configuration management policy and procedures.

 

9.3.17.7 Information Input Validation (SI-10)

The information system must check the validity of information inputs.

9.3.17.8 Error Handling (SI-11)

The information system must:

• Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and

• Reveal error messages only to designated agency officials.

 

9.3.17.9 Information Handling and Retention (SI-12)

The agency must handle and retain information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

9.3.17.10 Memory Protection (SI-16)

The information system must implement safeguards to protect its memory from unauthorized code execution.

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism.

9.3.18 Program Management

9.3.18.1 Senior Information Security Officer (PM-2)

The agency must appoint a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an agency-wide information security program.

The security officer described in this control is an agency official. This official is the senior information security officer. Agencies may also refer to this official as the senior information security officer or chief information security officer.

9.4 Additional Computer Security Requirements

9.4.1 Cloud Computing Environments

Background

As defined by NIST, "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models."

While cloud computing offers many potential benefits, it is not without risk. The primary security concerns with cloud computing are:

• Data is not stored in an agency-managed data center;

• The agency must rely on the provider's security controls for protection;

• Data is not transferred securely between the cloud provider and service consumer;

• Interfaces to access FTI in a cloud environment, including authentication and authorization controls, may not be secured per customer requirements; and

• Data from multiple customers is potentially commingled in the cloud environment.

 

An agency's cloud implementation is a combination of a service model and a deployment model. Service models consist of Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Deployment models consist of private, community, public, and hybrid clouds.

The risk to data varies in each of the four deployment models, with private cloud typically being the lowest risk model and public cloud being the highest risk model. Depending on the deployment model, compensating controls can be accepted in place of the mandatory requirements, but those compensating controls must provide the same level of protection as mandatory controls for safeguarding FTI.

The service and deployment model used in a cloud computing environment will determine the responsibility for security controls implementation between the agency and the cloud provider for the protection of FTI that is stored or processed in the cloud environment. The delineation of security control responsibility is heavily dependent on the service and deployment models of the solution the agency is adopting. For example, if the solution is an SaaS email solution, the agency may be responsible for a small subset of security control responsibilities. If the agency is deploying its own applications to a PaaS or IaaS solution, it will have greater responsibility for securing the application layer and potentially the platform and middleware.

Requirements

The following mandatory controls are applicable for all cloud service and deployment models. However, as stated earlier, depending on the deployment model, compensating controls can be accepted in place of the mandatory requirements provided that those compensating controls afford the same level of protection as mandatory controls for safeguarding FTI. Potential compensating controls will be evaluated by the Office of Safeguards, as part of the cloud computing notification (see first requirement).

To use a cloud computing model to receive, process, store, or transmit FTI, the agency must be in compliance with all requirements in this publication. The following mandatory requirements are in effect for introducing FTI to a cloud environment:

• Notification Requirement: The agency must notify the Office of Safeguards at least 45 days prior to transmitting FTI into a cloud environment.

• Data Isolation: Software, data, and services that receive, process, store, or transmit FTI must be isolated within the cloud environment so that other cloud customers sharing physical or virtual space cannot access other customer data or applications.

• SLA: The agency must establish security policies and procedures based on IRS Publication 1075 for how FTI is stored, handled, and accessed inside the cloud through a legally binding contract or SLA with its third-party cloud provider.

• Data Encryption in Transit: FTI must be encrypted in transit within the cloud environment. All mechanisms used to encrypt FTI must be FIPS 140-2 compliant, and operate using the FIPS 140-2 compliant module. This requirement must be included in the SLA.

• Data Encryption at Rest: FTI may need to be encrypted while at rest in the cloud, depending upon the security protocols inherent in the cloud. If the cloud environment cannot appropriately isolate FTI, encryption is a potential compensating control. All mechanisms used to encrypt FTI must be FIPS 140-2 compliant and operate using the FIPS 140-2 compliant module. This requirement must be included in the SLA, if applicable.

• Persistence of Data in Relieved Assets: Storage devices where FTI has resided must be securely sanitized or destroyed using methods acceptable by NSA and Central Security Service (CSS). This requirement must be included in the SLA.

• Risk Assessment: The agency must conduct an annual assessment of the security controls in place on all information systems used for receiving, processing, storing, or transmitting FTI. For the annual assessment immediately prior to implementation of the cloud environment and each annual risk assessment (or update to an existing risk assessment) thereafter, the agency must include the cloud environment. The Office of Safeguards will evaluate the risk assessment as part of the notification requirement in Requirement A.

• Security Control Implementation: Customer-defined security controls must be identified, documented, and implemented. The customer-defined security controls, as implemented, must comply with requirements in this publication.

 

Additional cloud computing security requirements are available on the Office of Safeguards website.

9.4.2 Data Warehouse

The concept of data warehousing consists of a collection of multi-dimensional integrated databases that are used to provide accessible information to clients or end users. The data can be manipulated through different categories or dimensions to facilitate analyzing data in relational databases. The result can provide the client or end user with an enterprise view or snapshot of the information.

Security requirements apply to data warehousing environments, as well as to typical networked environments.

Section 5.2 and Exhibit 10, Data Warehouse Security Requirements, provide unique requirements for this environment.

Additional data warehouse security requirements are available on the Office of Safeguards website.

9.4.3 Email Communications

If FTI is prohibited from inclusion within emails or email attachments, a policy must be written and distributed.

If FTI is allowed to be included within emails or email attachments, the agency must only transmit FTI to an authorized recipient and must adhere to the following requirements:

• Policies and procedures must be implemented to ensure FTI is properly protected and secured when being transmitted via email;

• Mail servers and clients must be securely configured according to the requirements within this publication to protect the confidentially of FTI transmitted in the email system;

• The network infrastructure must be securely configured according to the requirements within this publication to block unauthorized traffic, limit security vulnerabilities, and provide an additional security layer to an agency's mail servers and clients;

• Emails that contain FTI should be properly labeled (e.g., email subject contains "FTI") to ensure that the recipient is aware that the message content contains FTI;

• Audit logging must be implemented to properly track all email that contains FTI;

• Email transmissions that contain FTI must be encrypted using a FIPS 140-2 validated mechanism; and

• Malware protection must be implemented at one or more points within the email delivery process to protect against viruses, worms, and other forms of malware.

 

9.4.4 Fax Equipment

If FTI is prohibited from inclusion within fax communications, a policy must be written and distributed.

If FTI is allowed to be included within fax communications, the agency must only transmit FTI to an authorized recipient and must adhere to the following requirements:

• Have a trusted staff member at both the sending and receiving fax machines;

• Accurately maintain broadcast lists and other preset numbers of frequent recipients of FTI;

• Place fax machines in a secured area; and

• Include a cover sheet on fax transmissions that explicitly provides guidance to the recipient, which includes:

• • A notification of the sensitivity of the data and the need for protection; and

  • A notice to unintended recipients to telephone the sender--collect, if necessary--to report the disclosure and confirm destruction of the information.

 

9.4.5 Integrated Voice Response Systems

To use an Integrated Voice Response (IVR) system that provides FTI over the telephone to a customer, the agency must meet the following requirements:

• The LAN segment where the IVR system resides is firewalled to prevent direct access from the Internet to the IVR system;

• The operating system and associated software for each system within the architecture that receives, processes, stores, or transmits FTI to an external customer through the IVR is hardened in accordance with the requirements in this publication and is subject to frequent vulnerability testing;

• Independent security testing must be conducted on the IVR system prior to implementation; and

• Access to FTI via the IVR system requires a strong identity verification process. The authentication must use a minimum of two pieces of information although more than two are recommended to verify the identity. One of the authentication elements must be a shared secret only known to the parties involved and issued by the agency directly to the customer. Examples of shared secrets include a unique username, PIN number, password, or pass phrase issued by the agency to the customer through a secure mechanism. Case number does not meet the standard as a shared secret because that case number is likely shown on all documents the customer receives and does not provide assurance that it is only known to the parties involved in the communication.

 

Additional IVR security requirements are available on the Office of Safeguards website.

9.4.6 Live Data Testing

The use of live FTI in test environments should generally be avoided and is not authorized unless specifically approved by the Office of Safeguards through the submission of a Data Testing Request (DTR) form.

The IRS defines live data as primarily unmodified, non-sanitized data extracted from taxpayer files that identifies specific individual or corporate taxpayers and includes taxpayer information or tax return information. The use of live data in testing environments is limited to tax administration or other authorized IRS purposes and may be disclosed only to those individuals with a need-to-know.

Any systems within pre-production testing environments ideally will be configured according to requirements in this publication. However the Office of Safeguards understands most agencies may not be able to fully implement all Publication 1075 requirements in a test environment.

Agencies wishing to use live FTI data in pre-production must submit a DTR to the IRS Office of Safeguards for authority to use live data for testing, providing a detailed explanation of the safeguards in place to protect the data and the necessity for using live data during testing.

Need and Use Justification statements should be revised to cover this use of IRS data, if not already addressed. State taxing agencies should check their statements (agreements) to see if "testing purposes" is covered.

Testing efforts that use live FTI data primarily fall into two categories: one-time testing and ongoing testing.

An example of a one-time testing use of live FTI data would be for system testing that is done prior to a new system implementation and, once testing has validated that the data will work properly, the live FTI data is not required to continue to remain in the test environment. For one-time testing efforts, the Office of Safeguards requires the FTI to be deleted from systems and databases upon completion of testing efforts and that the hard drive of the test systems be cleared electronically prior to repurposing the system for other state agency testing efforts.

Duration for ongoing test activities will be agreed upon as part of the live data request process. Some examples of ongoing testing efforts include:

• Testing of extract, transform, load (ETL) process to validate federal data load to a database;

• Application testing of income modeling that requires data match between the entire population of state and federal returns, where building a set of dummy data is not feasible; and

• Testing audit selection queries that run against the entire population of federal returns to identify potential state non-filers, where building a set of dummy data that would correspond to actual state returns is not feasible.

 

9.4.7 Media Sanitization

The type of sanitization performed depends on whether or not the media:

• Is to be reused by the agency for continued use with FTI; or

• Will be leaving agency control.

 

If the media will be reused by the agency for the same purpose of storing FTI and will not be leaving organization control, then clearing is a sufficient method of sanitization. If the media will be reused and repurposed for a non-FTI function or will be leaving organization control (i.e., media being exchanged for warranty, cost rebate, or other purposes and where the specific media will not be returned to the agency), then purging should be selected as the sanitization method. If the media will not be reused at all, then destroying is the method for media sanitization.

The following media sanitization requirements are required:

• The requirements are applicable for media used in a "pre-production" or "test" environments.

• The technique for clearing, purging, and destroying media depends on the type of media being sanitized.

• A representative sampling of media must be tested after sanitization has been completed.

• Media sanitization should be witnessed or verified by an agency employee.

• Media sanitization requirements are the same, regardless of where the information system media is located. However, the party responsible for each step of the sanitization process may differ.

 

Additional media sanitization requirements are available on the Office of Safeguards website.

9.4.8 Mobile Devices

Background

Mobile devices provide several unique security and management challenges when used to access corporate resources, including sensitive data. Mobile devices can store vast amounts of data and, by default, security options are not enabled. This leaves the devices vulnerable to allowing an unauthorized person to gain access to the information stored on them or accessed through them. In addition, due to the portable nature of mobile devices, they are susceptible to loss or theft. Another challenge to maintaining security of mobile devices is effectively tracking mobile device inventory. Bring your own device (BYOD) presents additional security and privacy challenges, as it may not be possible to fully manage security of personally owned devices. These unique challenges highlight the need to increase the security posture of mobile devices to ensure the protection of FTI that may be stored on or accessed from a mobile device.

Requirements

To use FTI in a mobile device environment, including BYOD, the agency must meet the following mandatory requirements:

• Mobile device management controls must be in place that include security policies and procedures, inventory, and standardized security configurations for all devices;

• An annual risk assessment must be conducted of the security controls in place on all devices in the mobile environment used for receiving, processing, storing, or transmitting FTI;

• Protection mechanisms must be in place in case a mobile device is lost or stolen--all data stored on the device must be encrypted, including internal storage and removable media storage, such as Micro Secure Digital (SD) cards;

• All data communication with the agency's internal network must be encrypted using a cryptographic module that is FIPS 140-2 compliant;

• The agency must control end user ability to download only authorized applications to the device and must limit the accessibility to FTI by applications to only authorized applications;

• All mobile device management servers that receive, process, store, or transmit FTI must be hardened in accordance with requirements in this publication;

• A centralized mobile device management solution must be used to authenticate agency-issued and personally owned mobile devices prior to allowing access to the internal network;

• Security events must be logged for all mobile devices and the mobile device management server;

• The agency must disable wireless personal area networks that allow a mobile device to connect to a computer via Bluetooth or near field communication (NFC) for data synchronization and storage;

• Access to hardware, such as the digital camera, global positioning system (GPS), and universal serial bus (USB) interface, must be disabled to the extent possible; and

• Disposal of all mobile device component hardware follows media sanitization and disposal procedures (see Section 9.3.10.6, Media Sanitization (MP-6), and Section 9.4.7, Media Sanitization).

 

See Section 9.3.1.14,

Access Control for Mobile Devices (AC-19)

, and Section 9.4.8,

Mobile Devices.

Additional mobile device security requirements are also available on the Office of Safeguards website.

9.4.9 Multi-Functional Devices

To use FTI in a multi-functional device (MFD), the agency must meet the following requirements:

• The agency should have a current security policy in place for secure configuration and operation of the MFD;

• Least functionality controls that must be in place that include disabling all unneeded network protocols, services, and assigning a dedicated static IP address to the MFD;

• Strong security controls should be incorporated into the MFD's management and administration;

• MFD access enforcement controls must be configured correctly, including access controls for file shares, administrator and non-administrator privileges, and document retention functions;

• The MFD should be locked with a mechanism to prevent physical access to the hard disk;

• The MFD firmware should be up to date with the most current firmware available and should be currently supported by the vendor;

• The MFD and its print spoolers have auditing enabled, including auditing of user access and fax logs (if fax is enabled), and audit logs should be collected and reviewed by a security administrator;

• All FTI data in transit should be encrypted when moving across a WAN and within the LAN; and

• Disposal of all MFD hardware follows media sanitization and disposal procedure requirements (see Section 9.3.10.6, Media Sanitization (MP-6), and Section 9.4.7, Media Sanitization).

 

9.4.10 Network Protections

Agencies must implement boundary protection devices throughout their system architecture, including routers, firewalls, switches, and intrusion detection systems.

Any publicly accessible servers used in the receipt, process, transmission, or storage of FTI must be placed into an enclave.

Network address translation (NAT) must be implemented at the public traffic demarcation point on the network. If NAT is not implemented at the agency's boundary firewall or router, then it must be implemented on each firewall or router that protects network segments that contain infrastructure components which receive, process, store, or transmit FTI.

The agency's managed interfaces employing boundary protection must deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception). All remote traffic must migrate through a managed interface. Firewalls shall be configured to prohibit any transmission control protocol (TCP) or user datagram protocol service or other protocol/service that is not explicitly permitted (i.e., deny by default).

Inbound services shall be prohibited, unless a valid business case can establish their necessity.

See Section 9.3.16.5, Boundary Protection (SC-7). Additional network protection requirements are available on the Office of Safeguards website.

9.4.11 Storage Area Networks

Background

A storage area network (SAN) is a network whose purpose is to transfer data among information systems and the storage elements in high speed. SANs achieve economy of scale by eliminating the need to manage storage from multiple vendors and platforms.

The typical components of a SAN can be broken down into the host layer, the fabric layer, and the storage layer that comprise the networking infrastructure, management devices that organize connection, storage devices/elements, and client computer systems. The storage layer, where FTI resides, comprises physical disk drives, disk arrays, tape libraries, and other storage media.

SAN components that are most vulnerable to attack include connection points between servers, management devices, and IP-based devices. The fundamental issues are that most SAN protocols do not require device authentication and that it is relatively simple to join the SAN fabric with a spoofing and session hijacking technique.

Requirements

To use FTI in a SAN environment, the agency must meet the following mandatory requirements:

• FTI must be segregated from other agency data within the SAN environment.

• Access controls must be implemented and strictly enforced for all SAN components to limit access to disks containing FTI to authorized users.

• Fibre channel devices must be configured to authenticate other devices with which they communicate in the SAN and authenticate administrator connections.

• FTI must be encrypted while in transit within the SAN environment. SAN management traffic must also be encrypted for SAN components.

• SAN components must be physically protected in accordance with the minimum protection standards for physical security described in Section 4.0, Secure Storage--IRC 6103(p)(4)(B).

• All components of the SAN that receive, process, store, or transmit FTI must be hardened in accordance with the requirements in this publication (see SAN SCSEM available on the Office of Safeguards website).

• SAN components must maintain an audit trail and review it on a regular basis to track access to FTI in the SAN environment.

 

Additional SAN security requirements are available on the Office of Safeguards website.

9.4.12 System Component Inventory

The agency must maintain a current inventory of information systems that receive, process, store, or transmit FTI in both production and pre-production environments. Updates to the inventory should be a critical step when implementing installations, removals, and updates to the information system. The inventory should accurately reflect and be consistent with the security domain of the current information system to enable the detection of unauthorized access to FTI within production and pre-production environments.

The IRS does not mandate the particular details or a specific format required to capture the inventory of systems with FTI. However, as part of the on-site safeguard review, the IRS will evaluate the agency's inventory to provide a level of assurance that the inventory is comprehensive of all systems that receive, process, store, or transmit FTI in production and pre-production environments.

Additional system component inventory guidance is available on the Office of Safeguards website.

9.4.13 Virtual Desktop Infrastructure

Background

A virtual desktop infrastructure (VDI) provides users access to enterprise resources, including a virtual desktop from locations both internal to and external to the agency's networks. In a VDI environment, a user can access FTI by connecting to a virtual workstation via a vendor-specific agent, connection client, or through an Internet browser from practically any mobile device with Internet access.

This requirement is applicable to VDI environments in which both agency-owned and non-agency-owned equipment may be used as the client for the virtual desktop. Additional security requirements apply to an agency that is approved by IRS to use non-agency-owned equipment to access FTI through a VDI environment. The agency must demonstrate that despite the operational location of the client, FTI remains subject to the safeguard requirements and the highest level of attainable security.

Requirements

To use VDI that provides FTI to a customer, the agency must meet the following mandatory requirements to lower the residual risk of the potential weaknesses identified in the previous section:

• VDI components should be segregated so that boundary protections can be implemented and access controls are granulized;

• An access control system must be specifically configured to address the complicated nature of the environment--ensure only authorized clients who conform to agency security policy are permitted access to the VDI;

• Configure the hypervisor, management consoles, and other VDI components using the secure configuration guidelines provided by the vendor;

• The least privilege principle must be strictly enforced in a virtualized environment;

• Configure the virtualized desktop to provide the functionalities only required for operations--non-essential functionality or components must be removed or prohibited;

• Users who access FTI remotely must use multi-factor authentication to validate their identities;

• Privileged and administrative functions must be recorded by the system--security events must be reviewed regularly by security personnel; and

• FTI must be transmitted securely using end-to-end encryption.

 

Additional VDI requirements are available on the Office of Safeguards website.

9.4.14 Virtualization Environments

Background

NIST SP 800-125 defines full virtualization as, "the simulation of the software and/or hardware upon which other software runs." This simulated environment is called a virtual machine (VM). There are many forms of virtualization, distinguished primarily by computing architecture layer.

Requirements

To use a virtual environment that receives, processes, stores, or transmits FTI, the agency must meet the following mandatory requirements:

• The agency must notify the Office of Safeguards 45 days prior to locating FTI in a virtual environment;

• When FTI is stored in a shared location, the agency must have policies in place to restrict access to FTI to authorized users;

• Programs that control the hypervisor should be secured and restricted to authorized administrators only;

• FTI data transmitted via hypervisor management communication systems on untrusted networks must be encrypted using FIPS-approved methods provided by either the virtualization solution or third-party solution, such as a VPN that encapsulates the management traffic;

• Separation between VMs must be enforced, and functions that allow one VM to share data with the hypervisor or another VM, such as clipboard sharing or shared disks, must be disabled;

• Virtualization providers must be able to monitor for threats and other activity that is occurring within the virtual environment--this includes being able to monitor the movement of FTI into and out of the virtual environment;

• The VMs and hypervisor/host operating system (OS) software for each system within the virtual environment that receives, processes, stores, or transmits FTI must be hardened in accordance with the requirements in this publication and be subject to frequent vulnerability testing;

• Special VM functions available to system administrators in a virtualized environment that can leverage the shared memory space in a virtual environment between the hypervisor and VM should be disabled;

• Virtual systems are configured to prevent FTI from being dumped outside of the VM when system errors occur;

• Vulnerability assessment must be performed on systems in a virtualized environment prior to system implementation; and

• Backups (virtual machine snapshot) must be properly secured and must be stored in a logical location where the backup is only accessible to those with a need-to-know.

 

Additional virtualization requirements are available on the Office of Safeguards website.

9.4.15 VoIP Systems

Background

VoIP is the transmission of voice over packet-switched networks. VoIP systems include a variety of components, such as call processors/call managers, gateways, routers, firewalls, and protocols. Data, in the form of a digitized voice conversation, is enclosed in a packet and transported via a data network to a voice gateway that converts voice calls between the IP network and the public switched telephone network. In FTI implementations, this means that telephone conversations between agency personnel and their taxpayer customers where FTI is discussed as part of the conversation are transmitted across the network as a data packet.

Requirements

To use a VoIP network that provides FTI to a customer, the agency must meet the following mandatory requirements:

• VoIP traffic that contains FTI should be segmented off from non-VoIP traffic through segmentation. If complete segmentation is not feasible, the agency must have compensating controls in place and properly applied that restrict access to VoIP traffic that contains FTI.

• When FTI is in transit across the network (either Internet or state agency's network), the VoIP traffic must be encrypted using a NIST-approved method operating in a NIST-approved mode.

• VoIP network hardware (servers, routers, switches, firewalls) must be physically protected in accordance with the minimum protection standards for physical security outlined in Section 4.0, Secure Storage--IRC 6103(p)(4)(B).

• Each system within the agency's network that transmits FTI to an external customer through the VoIP network is hardened in accordance with the requirements in this publication and is subject to frequent vulnerability testing.

• VoIP-ready firewalls must be used to filter VoIP traffic on the network.

• Security testing must be conducted on the VoIP system prior to implementation with FTI and annually thereafter.

• VoIP phones must be logically protected, and agencies must be able to track and audit all FTI-applicable conversations and access.

 

Additional VoIP guidance is available on the Office of Safeguards website.

9.4.16 Web-Based Systems

To use an external Web-based system or website, (web portal), that provides FTI over the Internet to a customer, the agency must meet the following requirements:

• The system architecture is configured as a three-tier architecture with physically separate systems that provide layered security of the FTI, and access to the database through the application is limited;

• Each system within the architecture that receives, processes, stores, or transmits FTI to an external customer through the Web-based system or website is hardened in accordance with the requirements in this publication and is subject to frequent vulnerability testing; and

• Access to FTI via the Web-based system or website requires a strong identity verification process. The authentication must use a minimum of two pieces of information although more than two is recommended to verify the identity. One of the authentication elements must be a shared secret only known to the parties involved and issued by the agency directly to the customer. Examples of shared secrets include a unique username, PIN number, password, or pass phrase issued by the agency to the customer through a secure mechanism. Case number does not meet the standard as a shared secret because that case number is likely shown on all documents the customer receives and does not provide assurance that it is only known to the parties involved in the communication.

 

9.4.17 Web Browser

Background

The core functions of the Web browser include retrieving information over a network connection (Internet or private network), presenting the information to the users, and sending the information back to the source for a complete transaction. With an increasing amount of information being delivered to the end user via the Web browser, client-side exploits are a growing concern. Web browsers are at the frontline of information security. Most importantly, the default configuration of a Web browser does not provide adequate security. These requirements apply when FTI is accessed through a Web browser.

Requirements

To access FTI using a Web browser, the agency must meet the following mandatory requirements:

• Private browsing must be enabled on the Web browser and configured to delete temporary files and cookies upon exiting the session;

• Install vendor-specified security patches and hot fixes regularly for the Web browser, add-ons, and Java;

• Security enhancements, such as pop-up blocker and content filtering, must be enabled on the Web browser;

• Configure the designated Web browser in accordance to the principle of least functionality and disable items, such as third-party add-ons;

• Deploy a Web gateway to inspect Web traffic and protect the user workstation from direct exposure to the Internet;

• FTI transmission within the agency's internal network must be encrypted using a cryptographic module that is FIPS 140-2 validated;

• Determine the business use of Java and approve the use of Java if is required for core business functions.

 

Additional Web browser security guidance is available on the Office of Safeguards website.

9.4.18 Wireless Networks

Background

A wireless environment is one in which a user can connect to a LAN without physically connecting a device(s) through a wired Ethernet connection. A wireless local area network (WLAN) uses radio waves to broadcast network connectivity to anyone who is within a limited receiving range, such as an office building. WLANs are usually implemented as extensions to existing wired LANs using wireless switches or access points to deliver connectivity to wireless clients, such as laptops or mobile devices. Because of the broadcast and radio nature of wireless technology, ensuring confidentiality is significantly more difficult in a wireless network than a wired network. These requirements address the security requirements for 802.11 wireless networks that are to be used to receive, process, store, or transmit FTI. This includes wireless networks located at the agency's office or data center from where FTI is received, processed, stored, or transmitted; however, these requirements do not cover the use of public or personal wireless networks for remote access to FTI through publicly available or personally owned wireless networks.

Requirements

To use FTI in an 802.11 WLAN, the agency must meet the following mandatory requirements:

• The agency should have WLAN management controls that include security policies and procedures, a complete inventory of all wireless network components, and standardized security configurations for all components.

• WLAN hardware (access points, servers, routers, switches, firewalls) must be physically protected in accordance with the minimum protection standards for physical security outlined in Section 4.0, Secure Storage--IRC 6103(p)(4)(B).

• Each system within the agency's network that transmits FTI through the WLAN is hardened in accordance with the requirements in this publication.

• The WLAN is architected to provide logical separation between WLANs with different security profiles and from the wired LAN.

• WLAN infrastructure that receives, processes, stores, or transmits FTI must comply with the Institute of Electrical and Electronic Engineers 802.11i wireless security standard and perform mutual authentication for all access to FTI via 802.1X and extensible authentication protocol.

• Vulnerability scanning should be conducted as part of periodic technical security assessments for the organization's WLAN.

• Wireless intrusion detection is deployed to monitor for unauthorized access, and security event logging is enabled on WLAN components in accordance with Section 9.3.3, Audit and Accountability.

• Disposal of all WLAN hardware follows media sanitization and disposal procedures in Section 9.3.10.6, Media Sanitization (MP-6), and Section 9.4.7, Media Sanitization.

 

Additional wireless network security requirements are in Section 9.3.1.13,

Wireless Access (AC-18),

and available on the Office of Safeguards website.

10.0 Reporting Improper Inspections or Disclosures

10.1 General

Upon discovering a possible improper inspection or disclosure of FTI, including breaches and security incidents, by a federal employee, a state employee, or any other person, the individual making the observation or receiving information must contact the office of the appropriate special agent-in-charge, TIGTA immediately, but no later than 24 hours after identification of a possible issue involving FTI. Call the local TIGTA Field Division Office first.

Table 9 -- TIGTA Field Division Contact Information

 ----------------------------------------------------------------------

 

                   

Field Division

 

 Field Division     Service Locations       Telephone

 

 ----------------------------------------------------------------------

 

 

Atlanta

            Alabama, Florida,       404-338-7449

 

                    Georgia, North

 

                    Carolina, South

 

                    Carolina, Tennessee,

 

                    Mississippi, Puerto

 

                    Rico, and U.S. Virgin

 

                    Islands

 

 ----------------------------------------------------------------------

 

 

Mid-States

         Arkansas, Illinois,     713-209-3711

 

                    Indiana, Iowa,

 

                    Kentucky, Michigan,

 

                    Minnesota, North

 

                    Dakota, South Dakota,

 

                    Wisconsin, Northern

 

                    Ohio, Oklahoma, Texas,

 

                    Louisiana, Kansas,

 

                    Missouri, Nebraska

 

 ----------------------------------------------------------------------

 

 

Denver

             Alaska, Arizona,        801-620-7734

 

                    Colorado, Idaho,

 

                    Montana, Nevada, New

 

                    Mexico, Oregon, Utah,

 

                    Washington, and

 

                    Wyoming

 

 ----------------------------------------------------------------------

 

 

New York

           Connecticut, Maine,     917-408-5681

 

                    Massachusetts, New

 

                    Hampshire, New York,

 

                    Rhode Island, and

 

                    Vermont

 

 ----------------------------------------------------------------------

 

 

San Francisco

      California, Hawaii,     213-861-1003

 

                    Guam, American Samoa,

 

                    Commonwealth of

 

                    Northern Mariana

 

                    Islands, Trust

 

                    Territory of the

 

                    Pacific Islands

 

 ----------------------------------------------------------------------

 

 

Washington

         New Jersey, Delaware,   215-861-1003

 

                    Pennsylvania, West

 

                    Virginia, Virginia,

 

                    Maryland, and

 

                    Washington, D.C.,

 

                    Indiana, Kentucky,

 

                    Southern Ohio

 

 ----------------------------------------------------------------------

 

 

Electronic Crimes

  Any agency reporting a  240-613-5228

 

 

& Intelligence

     cyber incident such as  

cybercrimes@tigta.treas.gov

 

 

Division

           data breach may report

 

                    directly to this

 

                    division

 

 ----------------------------------------------------------------------

 

 

If unable to contact the local TIGTA Field Division, contact the National Office:

Hotline Number: 800-589-3718

Online: http://www.treasury.gov/tigta/

Mailing Address: Treasury Inspector General for Tax Administration Ben Franklin Station P.O. Box 589 Washington, DC 20044-0589

In conjunction with contacting TIGTA, the Office of Safeguards must be notified (see Section 10.2, Office of Safeguards Notification Process)

10.2 Office of Safeguards Notification Process

Concurrent to notifying TIGTA, the agency must notify the Office of Safeguards by email to Safeguards mailbox, safeguardreports@irs.gov. To notify the Office of Safeguards, the agency must document the specifics of the incident known at that time into a data incident report, including but not limited to:

• Name of agency and agency Point of Contact for resolving data incident with contact information

• Date and time of the incident

• Date and time the incident was discovered

• How the incident was discovered

• Description of the incident and the data involved, including specific data elements, if known

• Potential number of FTI records involved; if unknown, provide a range if possible

• Address where the incident occurred

• IT involved (e.g., laptop, server, mainframe)

• Do not include any FTI in the data Incident report

• Reports must be sent electronically and encrypted via IRS-approved encryption techniques. Use the term data incident report in the subject line of the email.

 

Even if all information is not available, immediate notification is the most important factor, not the completeness of the data incident report. Additional information must be provided to the Office of Safeguards as soon as it is available.

The agency will cooperate with TIGTA and Office of Safeguards investigators, providing data and access as needed to determine the facts and circumstances of the incident.

10.3 Incident Response Procedures

The agency must not wait to conduct an internal investigation to determine if FTI was involved in an unauthorized disclosure or data breach. If FTI may have been involved, the agency must contact TIGTA and the IRS immediately. The agency will cooperate with TIGTA and Office of Safeguards investigators, providing data and access as needed to determine the facts and circumstances of the incident.

Incident response policies and procedures required in Section 9.3.8, Incident Response, must be used when responding to an identified unauthorized disclosure or data breach incident.

The Office of Safeguards will coordinate with the agency regarding appropriate follow-up actions required to be taken by the agency to ensure continued protection of FTI. Once the incident has been addressed, the agency will conduct a post-incident review to ensure the incident response policies and procedures provide adequate guidance. Any identified deficiencies in the incident response policies and procedures should be resolved immediately. Additional training on any changes to the incident response policies and procedures should be provided to all employees, including contractors and consolidated data center employees, immediately.

10.4 Incident Response Notification to Impacted Individuals

Notification to impacted individuals regarding an unauthorized disclosure or data breach incident is based upon the agency's internal incident response policy because the FTI is within the agency's possession or control.

However, the agency must inform the Office of Safeguards of notification activities undertaken before release to the impacted individuals. In addition, the agency must inform the Office of Safeguards of any pending media releases, including sharing the text, prior to distribution.

10.5 FTI Suspension, Termination, and Administrative Review

The federal tax regulation 26 CFR 301.6103(p)(7)-1 establishes a process for the suspension or termination FTI and an administrative review if an authorized recipient has failed to safeguard returns or return information. For more information, refer to Exhibit 3, U.S.C Title 26, CFR 301.6103(p)(7)-1.

11.0 Disclosure to Other Persons

11.1 General

Disclosure of FTI is prohibited unless authorized by statute. Agencies having access to FTI are not allowed to make further disclosures of that information to their agents or to a contractor unless authorized by statute.

Agencies are encouraged to use specific language in their contractual agreements to avoid ambivalence or ambiguity. For additional guidance on appropriate language to be used in the contract, see Exhibit 6, Contractor 45-Day Notification Procedures.

Absent specific language in the IRC or where the IRC is silent in authorizing an agency to make further disclosures, the IRS position is that further disclosures are unauthorized.

11.2 Authorized Disclosures Precautions

When disclosure is authorized, the agency must take certain precautions prior to engaging a contractor, namely:

• Has the IRS been given sufficient prior notice before releasing information to a contractor?

• Has the agency been given reasonable assurance through an on-site visitation or received a report certifying that all security standards (physical and computer) have been addressed?

• Does the contract requiring the disclosure of FTI have the appropriate safeguard language? (see Exhibit 6, Contractor 45-Day Notification Procedures)

 

Agencies should fully report to the IRS in their SSRs all disclosures of FTI to contractors. Additional disclosures to contractors should be reported on the annual SSR.

Engaging a contractor who may have incidental or inadvertent access to FTI does not come under these requirements. Only those contractors whose work will involve disclosing FTI in performing their duties are required to address these issues.

11.3 Disclosing FTI to Contractors

The agency must notify the Office of Safeguards and obtain approval prior to re-disclosing FTI to contractors (see Section 7.0, Reporting Requirements--6103(p)(4)(E), and Section 7.4, 45-Day Notification Reporting Requirements, for additional information).

In addition to the notification, the agency must:

• Establish privacy roles and responsibilities for contractors and service providers;

• Include privacy requirements in contracts and other acquisition-related documents;

• Share FTI externally, only for the authorized purposes identified in the Privacy Act, or described in its notice(s), or in a manner compatible with those purposes;

• Where appropriate, enter into SLA, memoranda of understanding, memoranda of agreement, letters of intent, computer matching agreement, or similar agreement, with third parties that specifically describe the FTI covered and specifically enumerate the purposes for which the FTI may be used;

• Monitor, audit, and train its staff on the authorized uses and sharing of FTI with third parties and on the consequences of unauthorized use or sharing of FTI; and

• Evaluate any proposed new instances of sharing FTI with third parties to assess whether they are authorized and whether additional or new public notice is required.

 

11.4 Re-Disclosure Agreements

In rare circumstances, under the authority of IRC 6103(p)(2)(B), an agreement may be created to allow for re-disclosure of FTI. These agreements are negotiated and approved by the IRS Headquarters Office of Disclosure with concurrence of the Office of Safeguards.

Federal agencies authorized by statute to enter into re-disclosure agreements are required to provide a copy of the executed agreement to the Office of Safeguards within 30 days of execution. The electronic copy must be sent to the Office of Safeguards via SDT. If SDT is not available, the agreement may be emailed to the SafeguardReports@irs.gov mailbox.

12.0 Return Information in Statistical Reports

12.1 General

IRC 6103 authorizes the disclosure of FTI to specific federal agencies for use in statistical reports, tax administration purposes, and certain other purposes specified in IRC 6103(j). Statistical reports may only be released in a form that cannot be associated with, or otherwise identify, directly or indirectly, a particular taxpayer.

Agencies authorized to produce statistical reports must adhere to the following guidelines or an equivalent alternative that has been approved by the IRS:

• Access to FTI must be restricted to authorized personnel;

• No statistical tabulation may be released outside the agency with cells containing data from fewer than three returns;

• Statistical tabulations prepared for geographic areas below the state level may not be released with cells containing data from fewer than 10 returns; and

• Tabulations that would pertain to specifically identified taxpayers or that would tend to identify a particular taxpayer, either directly or indirectly, may not be released.

 

12.2 Making a Request under IRC 6103(j)

Federal agencies seeking statistical information from the IRS must make their requests under IRC 6103(j). The requests must be addressed to:

Director, Statistics of Income Division Internal Revenue Service, OS:P:S 1111 Constitution Avenue, NW Washington, D.C. 20224

12.3 State Tax Agency Statistical Analysis

State tax agencies must provide written notification and obtain IRS approval prior to performing tax modeling, revenue estimation, or other statistical activities involving FTI. The agency must demonstrate that the activity is required for tax administration purposes. The agency must adhere to the following process to submit a request:

• Contact the local IRS disclosure manager^‡ and complete a Need and Use Justification for Federal Tax Information Form.

 

^‡

Refer to

http://www.irs.gov/uac/IRS-Disclosure-Offices

for contact information.

• The completed and signed form must be returned to the IRS disclosure manager for review and approval. The Office of Safeguards will be notified by the IRS disclosure manager of the request and approval.

• Changes to the terms of the statistical analysis activities documented in the form must be submitted to the IRS Office of Safeguards as part of the annual SSR (see Section 2.4, State Tax Agency Limitations, and Section 7.2, Safeguard Security Report).

• Updates to the form should be made as requested by the IRS disclosure manager.

 

If the agency requires the use of a contractor to conduct tax modeling, revenue estimation, or other statistical activities, 45-day notification requirements apply (see Section 11.3, Disclosing FTI to Contractors).

12.4 Making a Request under IRC 6108

State agencies seeking statistical information from the IRS must make requests under IRC 6108 and submit the request to the mailing address specified in Section 12.2, Making a Request under IRC 6103(j). A charge will be assessed for this service.

Exhibit 1 USC Title 26, IRC 6103(a) and (b)

IRC SEC. 6103. CONFIDENTIALITY AND DISCLOSURE OF RETURNS AND RETURN INFORMATION.

• General rule Returns and return information shall be confidential, and except as authorized by this title--

• • no officer or employee of the United States,

  • no officer or employee of any State, any local law enforcement agency receiving information under subsection (i)(7)(A), any local child support enforcement agency, or any local agency administering a program listed in subsection (l)(7)(D) who has or had access to returns or return information under this section, and

  • no other person (or officer or employee thereof) who has or had access to returns or return information under subsection (e)(1)(D)(iii), paragraph (6), (12), (16), (19), (20) or

  • (21) of subsection (l), paragraph (2) or (4)(B) of subsection (m), or subsection (n), shall disclose any return or return information obtained by him in any manner in connection with his service as such an officer or an employee or otherwise or under the provisions of this section. For purposes of this subsection, the term "officer or employee" includes a former officer or employee.

• Definitions For purposes of this section--

• • Return The term "return" means any tax or information return, declaration of estimated tax, or claim for refund required by, or provided for or permitted under, the provisions of this title which is filed with the Secretary by, on behalf of, or with respect to any person, and any amendment or supplement thereto, including supporting schedules, attachments, or lists which are supplemental to, or part of, the return so filed.

  • Return information The term "return information" means--

   

  • a taxpayer's identity, the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, deficiencies, over assessments, or tax payments, whether the taxpayer's return was, is being, or will be examined or subject to other investigation or processing, or any other data, received by, recorded by, prepared by, furnished to, or collected by the Secretary with respect to a return or with respect to the determination of the existence, or possible existence, of liability (or the amount thereof) of any person under this title for any tax, penalty, interest, fine, forfeiture, or other imposition, or offense,

  • any part of any written determination or any background file document relating to such written determination (as such terms are defined in section 6110 (b)) which is not open to public inspection under section 6110,

  • any advance pricing agreement entered into by a taxpayer and the Secretary and any background information related to such agreement or any application for an advance pricing agreement, and

  • any agreement under section 7121, and any similar agreement, and any background information related to such an agreement or request for such an agreement, but such term does not include data in a form which cannot be associated with, or otherwise identify, directly or indirectly, a particular taxpayer. Nothing in the preceding sentence, or in any other provision of law, shall be construed to require the disclosure of standards used or to be used for the selection of returns for examination, or data used or to be used for determining such standards, if the Secretary determines that such disclosure will seriously impair assessment, collection, or enforcement under the internal revenue laws.

   

  • Taxpayer return information The term "taxpayer return information" means return information as defined in paragraph (2) which is filed with, or furnished to, the Secretary by or on behalf of the taxpayer to whom such return information relates.

  • Tax administration The term "tax administration"--

   

  • means--

   

  • the administration, management, conduct, direction, and supervision of the execution and application of the internal revenue laws or related statutes (or equivalent laws and statutes of a State) and tax conventions to which the United States is a party, and

  • the development and formulation of Federal tax policy relating to existing or proposed internal revenue laws, related statutes, and tax conventions, and

   

  • includes assessment, collection, enforcement, litigation, publication, and statistical gathering functions under such laws, statutes, or conventions.

   

  • State

   

  • In general The term "State" means--

   

  • any of the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands,

  • for purposes of subsections (a)(2), (b)(4), (d)(1), (h)(4), and (p), any municipality--

   

  • with a population in excess of 250,000 (as determined under the most recent decennial United States census data available),

  • which imposes a tax on income or wages, and

  • with which the Secretary (in his sole discretion) has entered into an agreement regarding disclosure, and

   

  • for purposes of subsections (a)(2), (b)(4), (d)(1), (h)(4), and (p), any governmental entity--

   

  • which is formed and operated by a qualified group of municipalities, and

  • with which the Secretary (in his sole discretion) has entered into an agreement regarding disclosure.

  • Regional income tax agencies For purposes of subparagraph (A)(iii)--

   

  • Qualified group of municipalities The term "qualified group of municipalities" means, with respect to any governmental entity, 2 or more municipalities--

   

  • each of which imposes a tax on income or wages,

  • each of which, under the authority of a State statute, administers the laws relating to the imposition of such taxes through such entity, and

  • which collectively have a population in excess of 250,000 (as determined under the most recent decennial United States census data available).

   

  • References to State law, etc. For purposes of applying subparagraph (A)(iii) to the subsections referred to in such subparagraph, any reference in such subsections to State law, proceedings, or tax returns shall be treated as references to the law, proceedings, or tax returns, as the case may be, of the municipalities which form and operate the governmental entity referred to in such subparagraph.

  • Disclosure to contractors and other agents Notwithstanding any other provision of this section, no return or return information shall be disclosed to any contractor or other agent of a governmental entity referred to in subparagraph (A)(iii) unless such entity, to the satisfaction of the Secretary--

   

  • has requirements in effect which require each such contractor or other agent which would have access to returns or return information to provide safeguards (within the meaning of subsection (p)(4)) to protect the confidentiality of such returns or return information,

  • agrees to conduct an on-site review every 3 years (or a mid-point review in the case of contracts or agreements of less than 3 years in duration) of each contractor or other agent to determine compliance with such requirements,

  • submits the findings of the most recent review conducted under sub-clause (II) to the Secretary as part of the report required by subsection (p)(4)(E), and

  • certifies to the Secretary for the most recent annual period that such contractor or other agent is in compliance with all such requirements. The certification required by sub-clause (IV) shall include the name and address of each contractor and other agent, a description of the contract or agreement with such contractor or other agent, and the duration of such contract or agreement. The requirements of this clause shall not apply to disclosures pursuant to subsection (n) for purposes of Federal tax administration and a rule similar to the rule of subsection (p)(8)(B) shall apply for purposes of this clause.

  • Taxpayer identity

 

The term "taxpayer identity" means the name of a person with respect to whom a return is filed, his mailing address, his taxpayer identifying number (as described in section

, or a combination thereof.

 

•

Inspection

 

The terms "inspected" and "inspection" mean any examination of a return or return information.

 

•

Disclosure

 

The term "disclosure" means providing return or return information known to any person.

 

•

Federal agency

 

The term "Federal agency" means an agency within the meaning of section 551 (1) of Title 5, United States Code.

 

•

Chief executive officer

 

The term "chief executive officer" means, with respect to any municipality, any elected official and the chief official (even if not elected) of such municipality

 

•

Terrorist incident, threat, or activity

 

The term "terrorist incident, threat, or activity" means an incident, threat, or activity involving an act of domestic terrorism (as defined in section 2331 (5) of Title 18, United States Code) or international terrorism (as defined in section 2331(1) of such title).

Exhibit 2 USC Title 26, IRC 6103(p)(4)

Any Federal agency described in subsection (h)(2), (h)(5), (i)(1), (2), (3), (5), or (7), (j)(1), (2), or (5), (k)(8), (l)(1), (2), (3), (5), (10), (11), (13), (14), or (17), or (o)(1), the General Accounting Office, the Congressional Budget Office, or any agency, body, or commission described in subsection (d), (i)(3)(B)(i) or (7)(A)(ii), or (l)(6), (7), (8), (9), (12), (15), or (16) or any other person described in subsection (l)(16), (17), (19), (20) or (21) shall, as a condition for receiving returns or return information--

• establish and maintain, to the satisfaction of the Secretary, a permanent system of standardized records with respect to any request, the reason for such request, and the date of such request made by or of it and any disclosure of return or return information made by or to it;

• establish and maintain, to the satisfaction of the Secretary, a secure area or place in which such returns or return information shall be stored;

• restrict, to the satisfaction of the Secretary, access to the returns or return information only to persons whose duties or responsibilities require access and to whom disclosure may be made under the provisions of this title;

• provide such other safeguards which the Secretary determines (and which he prescribes in regulations) to be necessary or appropriate to protect the confidentiality of the returns or return information;

• furnish a report to the Secretary, at such time and containing such information as the Secretary may prescribe, which describes the procedures established and utilized by such agency, body, or commission, the General Accounting Office, or the Congressional Budget Office for ensuring the confidentiality of returns and return information required by this paragraph; and

• upon completion of use of such returns or return information--

• • in the case of an agency, body, or commission described in subsection (d), (i)(3)(B)(i), or (l)(6), (7), (8), (9), or (16), or any other person described in subsection (l)(16), (17), (19), or (20) return to the Secretary such returns or return information (along with any copies made therefrom) or make such returns or return information undisclosable in any manner and furnish a written report to the Secretary describing such manner,

  • in the case of an agency described in subsections [5] (h)(2), (h)(5), (i)(1), (2), (3), (5) or (7), (j)(1), (2), or (5), (k)(8), (l)(1), (2), (3), (5), (10), (11), (12), (13), (14), (15), or (17), or (o)(1),[6] the General Accounting Office, or the Congressional Budget Office, either--

   

  • return to the Secretary such returns or return information (along with any copies made therefrom),

  • otherwise make such returns or return information undisclosable, or

  • to the extent not so returned or made undisclosable, ensure that the conditions of subparagraphs (A), (B), (C), (D), and (E) of this paragraph continue to be met with respect to such returns or return information, and

   

  • in the case of the Department of Health and Human Services for purposes of subsection (m)(6), destroy all such return information upon completion of its use in providing the notification for which the information was obtained, so as to make such information undisclosable; except that the conditions of subparagraphs (A), (B), (C), (D), and (E) shall cease to apply with respect to any return or return information if, and to the extent that, such return or return information is disclosed in the course of any judicial or administrative proceeding and made a part of the public record thereof. If the Secretary determines that any such agency, body, or commission, including an agency or any other person described in subsection (l)(16), (17), (19), or (20), or the General Accounting Office or the Congressional Budget Office has failed to, or does not, meet the requirements of this paragraph, he may, after any proceedings for review established under paragraph (7), take such actions as are necessary to ensure such requirements are met, including refusing to disclose returns or return information to such agency, body, or commission, including an agency or any other person described in subsection (l)(16), (17), (19), or (20), or the General Accounting Office or the Congressional Budget Office until he determines that such requirements have been or will be met. In the case of any agency which receives any mailing address under paragraph (2), (4), (6), or (7) of subsection (m) and which discloses any such mailing address to any agent or which receives any information under paragraph (6)(A), (12)(B), or (16) of subsection (l) and which discloses any such information to any agent, or any person including an agent described in subsection (l)(16), this paragraph shall apply to such agency and each such agent or other person (except that, in the case of an agent, or any person including an agent described in subsection (l)(16), any report to the Secretary or other action with respect to the Secretary shall be made or taken through such agency). For purposes of applying this paragraph in any case to which subsection (m)(6) applies, the term "return information" includes related blood donor records (as defined in section 1141(h)(2) of the Social Security Act).

 

Exhibit 3 USC Title 26, CFR 301.6103(p)(7)-1

USC Title 26, Section 6103(p)(4), requires external agencies and other authorized recipients of federal tax return and return information (FTI) to establish procedures to ensure the adequate protection of the FTI they receive. That provision of the United States Code also authorizes the IRS to take actions, including suspending or terminating FTI disclosures to any external agencies and other authorized recipients, if there is misuse, or if the safeguards in place are inadequate to protect the confidentiality of the information, or both.

Procedures for administrative review of a determination that an authorized recipient has failed to safeguard returns or return information:

• In general. Notwithstanding any section of the Internal Revenue Code (Code), the Internal Revenue Service (IRS) may terminate or suspend disclosure of returns and return information to any authorized recipient specified in section (p)(4) of section 6103, if the IRS determines that:

• • The authorized recipient has allowed an unauthorized inspection or disclosure of returns or return information and that the authorized recipient has not taken adequate corrective action to prevent the recurrence of an unauthorized inspection or disclosure; or

  • The authorized recipient does not satisfactorily maintain the safeguards prescribed by section 6103(p)(4), and has made no adequate plan to improve its system to maintain the safeguards satisfactorily.

• Notice of IRS's intention to terminate or suspend disclosure. Prior to terminating or suspending authorized disclosures, the IRS will notify the authorized recipient in writing of the IRS's preliminary determination and of the IRS's intention to discontinue disclosure of returns and return information to the authorized recipient. Upon so notifying the authorized recipient, the IRS, if it determines that tax administration otherwise would be seriously impaired, may suspend further disclosures of returns and return information to the authorized recipient pending a final determination by the Commissioner or a Deputy Commissioner described in paragraph (d)(2) of this section.

• Authorized recipient's right to appeal. An authorized recipient shall have 30 days from the date of receipt of a notice described in paragraph (b) of this section to appeal the preliminary determination described in paragraph (b) of this section. The appeal shall be made directly to the Commissioner.

• Procedures for administrative review.

• • To appeal a preliminary determination described in paragraph (b) of this section, the authorized recipient shall send a written request for a conference to: Commissioner of Internal Revenue (Attention: SE:S:CLD:GLD), 1111 Constitution Avenue, NW., Washington, DC 20224. The request must include a complete description of the authorized recipient's present system of safeguarding returns or return information received by the authorized recipient (and its authorized contractors or agents, if any). The request must state the reason or reasons the authorized recipient believes that such system or practice (including improvements, if any, to such system or practice expected to be made in the near future) is or will be adequate to safeguard returns or return information.

  • Within 45 days of the receipt of the request made in accordance with the provisions of paragraph (d)(1) of this section, the Commissioner or Deputy Commissioner personally shall hold a conference with representatives of the authorized recipient, after which the Commissioner or Deputy Commissioner shall make a final determination with respect to the appeal.

• Effective/applicability date. This section applies to all authorized recipients of returns and return information that are subject to the safeguard requirements set forth in section 6103(p)(4) on or after February 11, 2009.

 

Exhibit 4 Sanctions for Unauthorized Disclosure

IRC SEC. 7213 UNAUTHORIZED DISCLOSURE OF INFORMATION

• RETURNS AND RETURN INFORMATION

• • FEDERAL EMPLOYEES AND OTHER PERSONS -- It shall be unlawful for any officer or employee of the United States or any person described in section 6103(n) (or an officer or employee of any such person), or any former officer or employee, willfully to disclose to any person, except as authorized in this title, any return or return information [as defined in section 6103(b)]. Any violation of this paragraph shall be a felony punishable upon conviction by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution, and if such offense is committed by any officer or employee of the United States, he shall, in addition to any other punishment, be dismissed from office or discharged from employment upon conviction for such offense.

  • STATE AND OTHER EMPLOYEES--It shall be unlawful for any person [not described in paragraph (1)] willfully to disclose to any person, except as authorized in this title, any return or return information [as defined in section 6103(b)] acquired by him or another person under subsection (d), (i)(3)(B)(i), (1)(6), (7), (8), (9), (10), (12), (15) or (16) or (m)(2), (4), (5), (6), or (7) of section 6103. Any violation of this paragraph shall be a felony punishable by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the cost of prosecution.

  • OTHER PERSONS -- It shall be unlawful for any person to whom any return or return information [as defined in section 6103(b)] is disclosed in an manner unauthorized by this title thereafter willfully to print or publish in any manner not provided by law any such return or return information. Any violation of this paragraph shall be a felony punishable by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the cost of prosecution.

  • SOLICITATION -- It shall be unlawful for any person willfully to offer any item of material value in exchange for any return or return information [as defined in 6103(b)] and to receive as a result of such solicitation any such return or return information. Any violation of this paragraph shall be a felony punishable by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the cost of prosecution.

  • SHAREHOLDERS -- It shall be unlawful for any person to whom return or return information [as defined in 6103(b)] is disclosed pursuant to the provisions of 6103(e)(1)(D)(iii) willfully to disclose such return or return information in any manner not provided by law. Any violation of this paragraph shall be a felony punishable by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the cost of prosecution.

 

IRC SEC. 7213A. UNAUTHORIZED INSPECTION OF RETURNS OR RETURN INFORMATION

• PROHIBITIONS

• • FEDERAL EMPLOYEES AND OTHER PERSONS -- It shall be unlawful for

   

  • any officer or employee of the United States, or

  • any person described in section 6103(n) or an officer willfully to inspect, except as authorized in this title, any return or return information.

   

  • STATE AND OTHER EMPLOYEES -- It shall be unlawful for any person [not described in paragraph (l)] willfully to inspect, except as authorized by this title, any return information acquired by such person or another person under a provision of section 6103 referred to in section 7213(a)(2).

• PENALTY

• • IN GENERAL -- Any violation of subsection (a) shall be punishable upon conviction by a fine in any amount not exceeding $1000, or imprisonment of not more than 1 year, or both, together with the costs of prosecution.

  • FEDERAL OFFICERS OR EMPLOYEES -- An officer or employee of the United States who is convicted of any violation of subsection (a) shall, in addition to any other punishment, be dismissed from office or discharged from employment.

• DEFINITIONS -- For purposes of this section, the terms "inspect" "return" and "return information" have respective meanings given such terms by section 6103(b).

 

Exhibit 5 Civil Damages for Unauthorized Disclosure

IRC SEC. 7431 CIVIL DAMAGES FOR UNAUTHORIZED INSPECTION OR DISCLOSURE OF RETURNS AND RETURN INFORMATION.

• In general

• • Inspection or Disclosure by employee of United States

 

If any officer or employee of the United States knowingly, or by reason of negligence, inspects or discloses any return or return information with respect to a taxpayer in violation of any provision of section

6103

, such taxpayer may bring a civil action for damages against the United States in a district court of the United States.

 

If any person who is not an officer or employee of the United States knowingly, or by reason of negligence, inspects or discloses any return or return information with respect to a taxpayer in violation of any provision of section

6103

or in violation of section

6104

(c), such taxpayer may bring a civil action for damages against such person in a district court of the United States.

• Exceptions

 

No liability shall arise under this section with respect to any inspection or disclosure-

•  

  • which results from good faith, but erroneous, interpretation of section 6103, or

  • which is requested by the taxpayer.

• Damages

 

In any action brought under subsection (a), upon a finding of liability on the part of the defendant, the defendant shall be liable to the plaintiff in an amount equal to the sum of --

•  

  • the greater of --

   

  • $1,000 for each act of unauthorized inspection or disclosure of a return or return information with respect to which such defendant is found liable, or

  • the sum of --

   

  • the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure, plus

  • in the case of a willful inspection or disclosure or an inspection or disclosure which is the result of gross negligence, punitive damages, plus

  • the cost of the action.

• Period for Bringing Action

 

Notwithstanding any other provision of law, an action to enforce any liability created under this section may be brought, without regard to the amount in controversy, at any time within 2 years after the date of discovery by the plaintiff of the unauthorized inspection or disclosure.

• Notification of Unlawful Inspection and Disclosure

 

If any person is criminally charged by indictment or information with inspection or disclosure of a taxpayer's return or return information in violation of --

•  

  • paragraph (1) or (2) of section 7213 (a),

  • section 7213A (a), or

  • subparagraph (B) of section

  Definitions

 

For purposes of this section, the terms "inspect", "inspection", "return" and "return information" have the respective meanings given such terms by section

6103

(b).

• Extension to information obtained under section 3406

 

For purposes of this section --

 

For purposes of subsection (b), the reference to section 6103 shall be treated as including a reference to section 6311 (e).

Exhibit 6 Contractor 45-Day Notification Procedures

Federal agencies, state tax agencies, and state child support enforcement agencies in the possession of FTI may use contractors, sometimes in limited circumstances.

• State tax authorities are authorized by statute to disclose information to contractors for the purpose of, and to the extent necessary in, administering state tax laws, pursuant to Treasury Regulation 6103(l)(7) (human services agencies) may not disclose FTI to contractors for any purpose.

 

Contractors consist of, but are not limited to, cloud computing providers, consolidated data centers, off-site storage facilities, shred companies, information technology support, or tax modeling or revenue forecasting providers.

Agencies must notify the IRS prior to executing any agreement to disclose FTI to a contractor, or at least 45 days prior to the disclosure of FTI, to ensure that appropriate contractual language is included and that contractors are held to safeguarding requirements. Further, any contractors authorized access to or possession of FTI must notify and secure the approval of the IRS prior to making any redisclosures to subcontractors. For additional information, see Section 7.4.3, Contractor or Subcontractor Access.

To provide agency notification of intent to enter into an agreement to make disclosures of FTI to a contractor, submit a letter in electronic format, on agency letterhead over the head of agency's signature, to SafeguardReports@irs.gov. Ensure that the letter contains the following specific information--

• Name, address, phone number, and email address of agency point of contact

• Name and address of contractor

• Contract number and date awarded

• Contract period covered (e.g., 2014-2017)

• Type of service covered by the contract

• Number of contracted workers

• Name and description of agency program that contractor will support

• Detailed description of FTI to be disclosed to contractor

• Description of work to be performed by contractor, including phased timing, how FTI will be accessed, and how tasks may change throughout the different phases

• Procedures for agency oversight on contractor access, storage, and destruction of FTI, disclosure awareness training, and incident reporting

• Location where work will be performed (contractor site or agency location) and how data will be secured if it is moved from the secure agency location

• Statement whether subcontractor(s) will have access to FTI

• Name(s) and address(es) of all subcontractor(s), if applicable

• Description of FTI to be disclosed to subcontractor(s)

• Description of work to be performed by subcontractor(s)

• Location(s) where work will be performed by subcontractor(s) and how data will be secured if it is moved from a secure agency location

• Certification that contractor personnel accessing FTI and contractor information systems containing FTI are all located within the United States or territories, given that FTI is not allowed offshore.

 

After receipt of an agency's request, the IRS will analyze the information provided to ensure that contractor access is authorized and consistent with all requirements. The IRS will send the agency an email acknowledgement of receipt of agency notification. A written response, along with a reminder of the requirements associated with the contract, is issued once the notification review process is complete. Agency disclosure personnel may wish to discuss local procedures with their procurement colleagues to ensure that they are part of the contract review process and that the appropriate contract language is included from the beginning of the contract.

If the 45-day notification pertains to the use of a contractor to conduct tax modeling, estimate revenue, or employ FTI for other statistical purposes, the agency must also submit a separate statement detailing the methodology and data to be used by the contractor. The Office of Safeguards will forward the methodology and data statement to the IRS Statistics of Income office for approval of the methodology (see Section 7.4.3). Templates can be located on the Office of Safeguards website.

If the 45-day notification is not possible, please contact the Safeguards mailbox at SafeguardReports@irs.gov for assistance.

Exhibit 7 Safeguarding Contract Language

CONTRACT LANGUAGE FOR GENERAL SERVICES

I. PERFORMANCE

In performance of this contract, the Contractor agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements:

• All work will be performed under the supervision of the contractor or the contractor's responsible employees.

• The contractor and the contractor's employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075.

• Any Federal tax returns or return information (hereafter referred to as returns or return information) made available shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Inspection by or disclosure to anyone other than an officer or employee of the contractor is prohibited.

• All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output and products will be given the same level of protection as required for the source material.

• No work involving returns and return information furnished under this contract will be subcontracted without prior written approval of the IRS.

• The contractor will maintain a list of employees authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office.

• The agency will have the right to void the contract if the contractor fails to provide the safeguards described above.

• (Include any additional safeguards that may be appropriate.)

 

II. CRIMINAL/CIVIL SANCTIONS

• Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized future disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRCs 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1.

• Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Inspection by or disclosure to anyone without an official need-to-know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000.00 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee [United States for Federal employees] in an amount equal to the sum of the greater of $1,000.00 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. The penalties are prescribed by IRCs 7213A and 7431.

• Additionally, it is incumbent upon the contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

• Granting a contractor access to FTI must be preceded by certifying that each individual understands the agency's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the agency's files for review. As part of the certification and at least annually afterwards, contractors must be advised of the provisions of IRCs 7431, 7213, and 7213A (see Exhibit 4, Sanctions for Unauthorized Disclosure, and Exhibit 5, Civil Damages for Unauthorized Disclosure). The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. (See Section 10 ) For both the initial certification and the annual certification, the contractor must sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements.

 

III. INSPECTION

The IRS and the Agency, with 24 hour notice, shall have the right to send its inspectors into the offices and plants of the contractor to inspect facilities and operations performing any work with FTI under this contract for compliance with requirements defined in IRS Publication 1075. The IRS' right of inspection shall include the use of manual and/or automated scanning tools to perform compliance and vulnerability assessments of information technology (IT) assets that access, store, process or transmit FTI. On the basis of such inspection, corrective actions may be required in cases where the contractor is found to be noncompliant with contract safeguards.

CONTRACT LANGUAGE FOR TECHNOLOGY SERVICES

I. PERFORMANCE

In performance of this contract, the contractor agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements:

• All work will be done under the supervision of the contractor or the contractor's employees.

• The contractor and the contractor's employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075.

• Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Disclosure to anyone other than an officer or employee of the contractor will be prohibited.

• All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material.

• The contractor certifies that the data processed during the performance of this contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the contractor at the time the work is completed. If immediate purging of all data storage components is not possible, the contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures.

• Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the agency or his or her designee. When this is not possible, the contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts, and will provide the agency or his or her designee with a statement containing the date of destruction, description of material destroyed, and the method used.

• All computer systems receiving, processing, storing or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to Federal Tax Information.

• No work involving Federal Tax Information furnished under this contract will be subcontracted without prior written approval of the IRS.

• The contractor will maintain a list of employees authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office.

• The agency will have the right to void the contract if the contractor fails to provide the safeguards described above.

• (Include any additional safeguards that may be appropriate.)

 

II. CRIMINAL/CIVIL SANCTIONS

• Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as 5 years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRCs 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1.

• Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract. Inspection by or disclosure to anyone without an official need-to-know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee [United States for Federal employees] in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC 7213A and 7431.

• Additionally, it is incumbent upon the contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

• Granting a contractor access to FTI must be preceded by certifying that each individual understands the agency's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the agency's files for review. As part of the certification and at least annually afterwards, contractors must be advised of the provisions of IRCs 7431, 7213, and 7213A (see Exhibit 4, Sanctions for Unauthorized Disclosure, and Exhibit 5, Civil Damages for Unauthorized Disclosure). The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. (See Section 10) For both the initial certification and the annual certification, the contractor must sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements.

 

III. INSPECTION

The IRS and the Agency, with 24 hour notice, shall have the right to send its inspectors into the offices and plants of the contractor to inspect facilities and operations performing any work with FTI under this contract for compliance with requirements defined in IRS Publication 1075. The IRS' right of inspection shall include the use of manual and/or automated scanning tools to perform compliance and vulnerability assessments of information technology (IT) assets that access, store, process or transmit FTI. On the basis of such inspection, corrective actions may be required in cases where the contractor is found to be noncompliant with contract safeguards.

Exhibit 8 Warning Banner Examples

A warning banner is required when access is provided to any information system that receives, processes, stores, or transmits FTI. The following elements, as explained in Section 1030, and may subject the individual to criminal and civil penalties pursuant to Title 26, United States Code, Sections 7213, 7213A (the Taxpayer Browsing Protection Act), and 7431. This system and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. Such monitoring may result in the acquisition, recording, and analysis of all data being communicated, transmitted, processed, or stored in this system by a user. If monitoring reveals possible evidence of criminal activity, such evidence may be provided to Law Enforcement Personnel.

ANYONE USING THIS SYSTEM EXPRESSLY CONSENTS TO SUCH MONITORING.

The following two banners are approved by the Department of Justice for systems that have limited space for the warning banner.

WARNING! BY ACCESSING AND USING THIS GOVERNMENT COMPUTER SYSTEM, YOU ARE CONSENTING TO SYSTEM MONITORING FOR LAW ENFORCEMENT AND OTHER PURPOSES. UNAUTHORIZED USE OF, OR ACCESS TO, THIS COMPUTER SYSTEM MAY SUBJECT YOU TO CRIMINAL PROSECUTION AND PENALTIES.

WARNING! THIS SYSTEM CONTAINS U.S. GOVERNMENT INFORMATION. BY ACCESSING AND USING THIS COMPUTER SYSTEM, YOU ARE CONSENTING TO SYSTEM MONITORING FOR LAW ENFORCEMENT AND OTHER PURPOSES. UNAUTHORIZED USE OF, OR ACCESS TO, THIS COMPUTER SYSTEM MAY SUBJECT YOU TO STATE AND FEDERAL CRIMINAL PROSECUTION AND PENALTIES AS WELL AS CIVIL PENALTIES.

Exhibit 9 Record Retention Schedules

The Office of Safeguards requires the retention of FTI logs only. FTI should be destroyed after use or according to the agency record retention schedule.

Table 10 -- Record Retention Schedules

 ----------------------------------------------------------------------

 

 

Document Type        Required Document Elements              Retention

 

                                                              Schedule

 

 ----------------------------------------------------------------------

 

 

Electronic and Non-

  • Taxpayer name                          5 years

 

 

Electronic FTI Logs

 

 

Section 3.2

          • Tax year(s)

 

                      • Type of information (e.g., revenue

 

                        agent reports, Form 1040, work

 

                        papers)

 

                      • Reason for request

 

                      • Date requested

 

                      • Date received

 

                      • Exact location of FTI

 

                      • Person(s) with access to the data,

 

                        and

 

                      • Date and method of disposition, if

 

                        disposed of

 

 ----------------------------------------------------------------------

 

 

Converted Media

      Requirements listed for FTI in its       5 years

 

 

Section 3.2

          current form (electronic or

 

                      non-electronic)

 

 ----------------------------------------------------------------------

 

 

State Auditor

        Approximate number of records, date of   5 years

 

 

Disclosures

          inspection, description of records,

 

 

Section 3.4

          name of individual making inspection

 

 ----------------------------------------------------------------------

 

 

Visitor Access Logs

  • Name and organization of visitor       5 years

 

 

Section 4.3.1

 

                      • Signature of visitor

 

                      • Form of identification

 

                      • Date of access

 

                      • Time of entry and departure

 

                      • Purpose of visit

 

                      • Name and organization of person

 

                        visited

 

 ----------------------------------------------------------------------

 

 

Disclosure

           Signed disclosure awareness              5 years

 

 

Awareness

            confidentiality statement that certify

 

 

Certification

        understanding of FTI security

 

 

Section 6.3

          requirements

 

 ----------------------------------------------------------------------

 

 

Internal

             Internal Inspections                     5 years

 

 

Inspections

 

 

Section 6.4

          • Record keeping

 

                      • Secure storage

 

                      • Disposal

 

                      • Limited access

 

                      • Computer systems security

 

                      • POA&M

 

 ----------------------------------------------------------------------

 

 

Audit Trail Logs

     See Section 9.3.3.2,                     7 years

 

 

Section 9.3.3.11

 

                      Audit Events (AU-2)

 

                      See Section 9.3.3.4

 

 ----------------------------------------------------------------------

 

 

Exhibit 10 Data Warehouse Security Requirements

When an agency implements a data warehouse, the agency must provide written notification to the Office of Safeguards, identifying the security controls, including FTI identification and auditing within the data warehouse. The written notification shall be sent using SDT or to the SafeguardReports@irs.gov mailbox at least 45 days before implementation. In addition, implementation of a data warehouse constitutes a significant change under Section 7.2, triggering the requirement for the submission of a new SSR.

Purpose

The purpose of this document is to provide an overview of data warehousing and data storage concepts and to define the security requirements necessary to protect these environments. Although some security controls may replicate those contained in this publication, such redundancy is necessary so that Exhibit 10 can be used as a stand-alone document. As a rule, all requirements contained within the main text of this publication also apply to any data warehousing environments used by federal, state, or local agencies, and these environments incorporate FTI. These requirements also apply to authorized representatives, agents, or contractors with access to FTI.

This document is intended to describe the controls that are specific to data warehousing-type environments. As the term data warehousing is used, the concepts are applied to all complex data environments, including data warehousing, data mining, and data marts.

Audience

This document is intended for federal, state, and local agencies, as well as authorized representatives, agents, or contractors with access to FTI. The document is to be used as a planning document and is intended to support the development and deployment of data warehousing architectures, as well as architectures of a similar environment, such as data marts.

Background

A data warehouse is a structure that is designed to distribute data from multiple arenas to the primary enterprise system. A data mart is a structure designed for access, which is used to facilitate client user support. A data warehouse receives, collects, extracts, transforms, transports, and loads data for a distribution to various data marts.

In the context of FTI within agencies, the data warehouse stores data sets, which contain specific taxpayer information as well as summary information and historical data.

A data warehouse is structured to separate analysis from transaction work and allows a large amount of data to be consolidated from several sources. The security controls remain constant with operational enterprises and are applicable to a data warehouse.

In a data warehouse, the scope of security changes with respect to the different dimensions of data management. Information enters a data warehouse through a staging area where it goes through a process of extraction, transformation, and loading. This process is referred to as ETL. In addition, a data warehouse is operated by query or a search engine tool. Through the use of end-to-end security, the data warehouse ensures the confidentiality, privacy, and integrity of FTI. The security of the data warehouse must include all aspects of the warehouse, including hardware, software, data transport, and data storage.

Data Warehousing Implications

FTI placed in a data warehouse environment may be used only for "tax administration" purposes or for other authorized purposes defined within this publication. As part of the data warehouse, FTI data must retain its identity as FTI to the data element level (i.e., it must be obvious that the IRS is the source of the data). Whenever calculations or data manipulations are performed that could commingle FTI with any other data, the access to FTI must be restricted to agency staff with a need-to-know and their contractors or agents as authorized by law. This requirement is defined in the primary publication but is reinforced here for clarification.

Security

Security controls for data warehousing concepts are derived from NIST SP 800-53, Recommended Security Controls for Federal Information Systems. These controls address the areas of management, operational, and technical controls.

When all controls are implemented and managed, these controls provide effective safeguards for the confidentiality, integrity reliability, and availability of the data. For this document, the defined controls have been mapped to the classes and families of the NIST SP 800-53 to allow technical personnel to easily review NIST controls and understand how these apply to security environments.

The next sections define specific and unique controls related to data warehousing environments. If no additional controls are required, the sections identify this fact.

Management Controls

The following section identifies high-level management controls that shall be used within a data warehousing environment.

Risk Assessment

The agency shall have a risk management program in place to ensure that each aspect of the data warehouse is assessed for risk. Any risk documents shall identify and document all vulnerabilities associated with the data warehousing environment.

Planning

Planning is crucial to the development of a new environment. A security plan shall be in place to address organizational policies, security testing, rules of behavior, contingency plans, architecture and network diagrams, and requirements for security reviews. Although such a security plan will provide planning guidelines, it does not replace requirements documents, which contain specific details and procedures for security operations.

Policies and procedures are required to define how activities and day-to-day procedures will occur. They contain the specific policies, relevant to all of the security disciplines covered in this document. Because they relate to data warehousing, any data warehousing documents can be integrated into overall security procedures. A section shall be dedicated to the data warehouses to define the controls specific to that environment.

The agency must develop policies and procedures to document all existing business processes. The agency must ensure that roles are identified for the organization and develop responsibilities for the roles.

Within the security planning and policies, the purpose or function of the warehouse shall be defined. The business process shall include a detailed definition of configurations and the functions of the hardware and software involved. In general, the planning shall define any unique issues related to data warehousing.

The agency must define how "legacy system data" will be brought into the data warehouse and how the legacy data that is FTI will be cleansed for the ETL transformation process.

The policy shall ensure that FTI will not be subject to public disclosure. Only authorized users with a demonstrated need-to-know can query FTI data within the data warehouse.

System and Services Acquisition

Acquisition security needs to be explored. Because FTI is used within data warehousing environments, it is important that the services and acquisitions have adequate security in place, including the capacity to block information to contractors in cases in which they are not authorized to access FTI.

Certification, Accreditation, and Security Assessments

Certification, accreditation, and security and risk assessments are accepted best practices used to ensure that appropriate levels of control exist, that they are being managed, and that they are compliant with all federal and state laws or statutes.

State and local agencies shall develop a process or policy to ensure that data warehousing security meets the baseline security requirements defined in the current revision of NIST SP 800-53. The process or policy must contain the methodology used by the state or local agency to inform management, define accountability, and address known security vulnerabilities. Risk assessments must follow the guidelines provided in NIST Publication 800-30, Risk Management Guide for Information Technology Systems.

Operational Controls

The following section identifies high-level operational controls that shall be used within a data warehousing environment.

Personnel Security See Section 5.1.1 FTI Background Investigation Requirements

Physical Security and Environmental Protection

There are no additional physical security controls for a data warehousing environment. However, the physical security requirements throughout this publication apply to the physical location that hosts the data warehouse hardware.

Contingency Planning

Online data resources shall be provided adequate tools for the backup, storage, restoration, and validation of data. Agencies will ensure that the data provided is reliable.

Both incremental and special purpose data backup procedures are required, combined with off-site storage protections and regular test-status restoration to validate disaster recovery and business process continuity. Standards and guidelines for these processes are bound by agency policy and are tested and verified. Although already addressed in this publication, the agency's contingency plan must be evaluated to ensure that all data resources are synchronized and restored to allow re-creation of the data to take place.

Configuration Management

The agency shall have a process and documentation to identify and analyze how FTI is used and how FTI is queried or targeted by end users. Parts of the system containing FTI shall be mapped to follow the flow of the query from a client through the authentication server to the release of the query from the database server. During the life cycle of the data warehouse, online and architectural adjustments and changes will occur. The agency shall document these changes and ensure that FTI always is secured from unauthorized access or disclosure.

Maintenance

There are no unique maintenance requirements for data warehousing environments.

System and Information Integrity

There are no unique system and information integrity requirements for data warehousing environments.

Media Protection

The agency shall have policy and procedures in place that describe the cleansing process at the staging area and how the ETL process cleanses the FTI when it is extracted, transformed, and loaded. In addition, the agency shall describe the process of object reuse once FTI is replaced from data sets. IRS requires that all FTI be removed by a random overwrite software program.

Incident Response

Intrusion-detection software shall be installed and maintained to monitor networks for any unauthorized attempt to access tax data. The agency's incident reporting policy and procedures must cover the data warehousing environment as well.

Awareness and Training

The agency shall have a disclosure awareness training program in place that includes how FTI security requirements are communicated to end users. Training shall be user-specific to ensure that all personnel receive appropriate training for a particular job, such as training required for administrators or auditors.

Technical Controls

The following section identifies high-level technical controls that shall be used within a data warehousing environment.

Identification and Authentication

The agency shall configure the Web services to be authenticated before access is granted to users via an authentication server. The Web portal and two-factor authentication requirements in Section 9.0 apply in a data warehouse environment.

Business roles and rules shall be imbedded at either the authentication level or application level. In either case, roles must be in place to ensure that only authorized personnel have access to FTI information.

Authentication shall be required both at the operating system level and at the application level, whenever the data warehousing environment is accessed.

Access Control

Access to systems shall be granted based upon the need to perform job functions. Agencies shall identify which application programs use FTI and how access to FTI is controlled. The access control to application programs relates to how file shares and directories apply file permissions to ensure that only authorized personnel have access to the areas that contain FTI.

The agency shall have security controls in place that include preventive measures to keep an attack from being a success. These security controls shall also include detective measures in place to let the IT staff know that an attack is occurring. If an interruption of service occurs, the agency shall have additional security controls in place that include recovery measures to restore operations.

Within the data warehouse, the agency shall protect FTI as sensitive data and be granted access to FTI for the aspects of its job responsibilities. The agency shall enforce effective access controls so that end users have access to programs with the least privilege needed to complete the job. The agency shall set up access controls in its data warehouse based on personnel clearances. Access controls in a data warehouse are classified in general as follows.

• General users

• Limited access users

• Unlimited access users.

 

FTI shall always fall into the limited access users category.

All FTI shall have an owner assigned to provide responsibility and accountability for its protection. Typically, this role is assigned to a management official such as an accrediting authority.

The agency shall configure control files and data sets to enable the data owner to analyze and review both authorized and unauthorized accesses.

The database servers that control FTI applications will copy the query request and load it to the remote database to run the application and transform its output to the client. Therefore, access controls must be implemented at the authentication server.

Web-enabled application software shall do the following:

• Prohibit generic meta-characters in input data

• Arrange to have all database queries constructed with parameterized stored procedures to prevent structured query language (SQL) injection

• Protect any variable used in scripts to prevent direct OS command attacks

• Arrange to have all comments removed for any code passed to the browser

• Prevent users from seeing any debugging information on the client

• Undergo a check before production deployment to ensure that all sample, test, and unused files have been removed from the production system.

 

Audit and Accountability

The agency shall ensure that audit reports are created and reviewed for data warehousing related access attempts.

A data warehouse must capture all changes made to data, including additions, modifications, or deletions by each unique user. If a query is submitted, the audit log must identify the actual query made, the originator of the query, and relevant time and stamp information. For example, if John Doe makes a query to determine the number of people that earn more than $50,000, the audit log would store the fact that John Doe made such a query and its content. The results of the query would not be as significant as the type of query made.

System and Communication Protection

Whenever FTI is located on both production and test environments, these environments are to be segregated. Such action is especially important in the development stages of the data warehouse.

All Internet transmissions are to be encrypted with the use of HTTPS protocol and secure sockets layer encryption based on a certificate that contains a key no less than 128 bits in length, or FIPS 140-2 compliant, whichever is stronger. This encryption will allow information to be protected between the server and the workstation. Data is at its highest risk during the ETL stages when it enters the warehouse. Encryption shall occur as soon as possible. All sessions shall be encrypted and provide end-to-end encryption (i.e., from workstation to point of data).

Web server(s) that receive online transactions shall be configured in a "demilitarized zone" to receive external transmissions but still have some measure of protection against unauthorized intrusion.

Application server(s) and database server(s) shall be configured behind the firewalls for optimal security against unauthorized intrusion. Only authenticated applications and users shall be allowed access to these servers.

Transaction data shall be "swept" from the Web server(s) at frequent intervals, consistent with good system performance, and removed to a secured server behind the firewalls to minimize the risk that these transactions could be destroyed or altered by intrusion.

Antivirus software shall be installed and maintained with current updates on all servers and clients that contain tax data.

For critical online resources, redundant systems shall be employed with automatic failover capability.

Exhibit 11 Media Sanitization Techniques

The technique for clearing, purging, and destroying media depends on the type of media to be sanitized.

Table 11 -- Media Sanitization Techniques

 ----------------------------------------------------------------------

 

 

Media Type       Clear           Purge                Destroy

 

 ----------------------------------------------------------------------

 

                           

Magnetic Disks

 

 ----------------------------------------------------------------------

 

 Floppy      

Overwrite

 media  

Degauss

 in a      •

Incinerate

 floppy

 

 disks       with             NSA/CSS-approved    disks and diskettes

 

             agency-approved  degausser           by burning them in a

 

             software and                         licensed incinerator

 

             validate the

 

             overwritten                        •

Shred

 

             data

 

 ----------------------------------------------------------------------

 

 ATA hard    

Overwrite

 media  •

Secure erase,

   •

Incinerate

 hard disk

 

 drives      with                                 drives by burning

 

             agency-approved  •

Degauss,

 or       them in a licensed

 

             and validated                        incinerator

 

             overwriting      •

Disassemble

 

             technologies/      and degauss     •

Shred

 

             methods/tools      the enclosed

 

                                platters        •

Pulverize

 

                                                •

Disintegrate

 

 ----------------------------------------------------------------------

 

 USB        

Overwrite

 media  •

Secure erase,

   •

Incinerate

 hard disk

 

 removable   with                                 drives by burning

 

 drives      agency-approved  •

Degauss

 with a    them in a licensed

 

             and validated      NSA/              incinerator

 

             overwriting        CSS-approved

 

             technologies/      degausser, or   •

Shred

 

             methods/tools      

disassemble

 

                                and degauss

     •

Pulverize

 

                                enclosed

 

                                platters with   •

Disintegrate

 

                                a NSA/

 

                                CSS-approved

 

                               

degausser

 

 ----------------------------------------------------------------------

 

 Zip drives  

Overwrite

 media    

Degauss

 with a  •

Incinerate

 disks and

 

             with               NSA/              diskettes by burning

 

             agency-approved    CSS-approved      the zip disks in a

 

             and validated      degausser         licensed incinerator

 

             overwriting

 

             technologies/                      •

Shred

 

             methods/tools

 

 ----------------------------------------------------------------------

 

 SCSI        

Overwrite

 media  •

Secure erase

    •

Incinerate

 hard disk

 

 drives      with                                 drives by burning

 

             agency-approved  •

Degauss

 with a    them in a licensed

 

             and validated      NSA/              incinerator

 

             overwriting        CSS-approved

 

             technologies/      degausser, or   •

Shred

 

             methods/tools

 

                              •

Disassemble

     •

Pulverize

 

                               

and degauss

 

                                the enclosed    •

Disintegrate

 

                                platters with

 

                                a NSA/

 

                                CSS-approved

 

                               

degausser

 

 ----------------------------------------------------------------------

 

                             

Magnetic Tape

 

 ----------------------------------------------------------------------

 

 Reel and    

Overwrite

 on a  

Degauss

 with a    •

Incinerate

 by burning

 

 cassette    system similar   NSA/                the tapes in a

 

             to the one       CSS-approved        licensed incinerator

 

             originally used  degausser

 

             to record the                      •

Shred

 

             data (e.g.,

 

             overwrite

 

             classified or

 

             sensitive VHS

 

             format video

 

             signals on a

 

             comparable VHS

 

             format

 

             recorder);

 

             overwrite all

 

             portions of the

 

             magnetic tape

 

             one time with

 

             known,

 

             nonsensitive

 

             signals

 

 ----------------------------------------------------------------------

 

                             

Optical Disks

 

 ----------------------------------------------------------------------

 

 CD/DVDs     N/A; see         N/A; see Destroy  Destroy in the

 

             Destroy method   method column     following order of

 

             column                             recommendations:

 

                                                • Remove the

 

                                                  information-bearing

 

                                                  layers of DVD media

 

                                                  with a commercial

 

                                                  optical disk grinding

 

                                                  device

 

                                                • Incinerate optical

 

                                                  disk media (reduce to

 

                                                  ash) with a licensed

 

                                                  facility

 

                                                • Use optical disk

 

                                                  media shredders or

 

                                                  disintegrator devices

 

                                                  to reduce to

 

                                                  particles that have a

 

                                                  nominal edge

 

                                                  dimension of five

 

                                                  millimeters and

 

                                                  surface area of 25

 

                                                  mm

^2.§

 

 ----------------------------------------------------------------------

 

 

^§

 This particle size is the one currently acceptable. Any disk media

 

 shredders obtained in future should reduce CDs and DVDs to a surface

 

 area of .25 mm.

 

 ======================================================================