10.2.11. Basic Physical Security Concepts

(1) Developing and implementing basic physical security concepts is essential to the safeguarding of IRS personnel, tax data, and other IRS assets. These concepts effectively keep our facilities safe and secure, by maintaining authoritative ISC, Treasury and IRS physical security standards.

(2) This IRM consolidates and revises all basic physical security concepts policy and standards identified in IRM 10.2, Physical Security Program.

(3) This IRM further solidifies the responsibilities of stakeholders in implementing these policies and concepts.

(1) 40 United States Code (USC) § 1315

(2) Executive Order (EO) 12977

(3) Executive Order (EO) 13286

(4) National Infrastructure Protection Plan (NIPP)

(5) ISC Risk Management Process (RMP)

(6) Treasury Directive Publication (TDP) 15-71

(7) National Institute of Standards and Technology (NIST) SP 800-53

(1) The Chief, FMSS is responsible for oversight of basic physical security concepts policy and guidance.

(2) FMSS AD, Security Policy is responsible for oversight of the planning, developing, implementing, evaluating, and controlling basic physical security concepts policy and guidance.

(3) FMSS Territory Managers (TM) are responsible to ensure Security Section Chiefs (SSC) follow IRS policy and provide oversight in the implementation and enforcement of the basic physical security concepts.

(4) FMSS SSC are responsible for implementing and enforcing basic physical security concepts within their assigned territory, following IRS and ISC security policy and ISC standards.

(5) All IRS managers are responsible for informing all employees within their span of control of the importance of following established security practices at their facility.

(6) All employees and contractors are responsible for complying with established physical security practices and procedures.

(1) Program Reports: The authoritative data sources for monitoring the basic physical security concepts will be:

1. Federal Protective Service (FPS) Facility Security Assessments (FSA)

2. IRS Facility Security Assessment Addendum (FSAA)

3. Security Information Management System (SIMS) Monthly FMSS Operations Deliverables Report

4. Space Time and Resources (STAR) tool for physical security countermeasure funding and tracking

5. Situation Awareness Management Center (SAMC) Incident Reports

(2) Program Effectiveness: Facility Security Assessment Program quarterly reviews of physical security threats, vulnerabilities and risk, consists of:

1. Compliance with ISC standards, as validated in the FSA reports.

2. Compliance with Treasury and IRS requirements, as validated in the FSAA reports.

3. Timely completion of required FSAA reports in accordance with ISC Standards based on the Facility Security Level (FSL) determination for the facility.

(1) Interpretation Words

(1) Interagency Security Committee (ISC) Risk Management Process (RMP)

(2) IRM 1.15, Records and Information Management

(3) IRM 1.4.6, Managers Security Handbook

(4) IRM 10.2.5, Identification Media

(5) IRM 10.2.9, Occupant Emergency Planning

(6) IRM 10.2.12, Security Guard and Explosive Detector Dog Services

(7) IRM 10.2.14, Methods of Providing Protection

(8) IRM 10.2.15, Minimum Protection Standards (MPS)

(9) IRM 10.2.18, Physical Access Control (PAC)

(10) IRM 10.23.2, Personnel Security

(11) IRM 6.800.2, Employee Benefits, IRS Telework Program

(12) Treasury Directive Publication (TDP) 15-71

(13) National Institute of Standards and Technology (NIST) SP 800-53

(1) The FSC, is a committee consisting of representatives of all federal tenants in the facility, the security organization (for example: FPS for General Services Administration (GSA) owned and operated facilities). An IRS FMSS physical security representative must provide consultation to the IRS representative on the FSC established for each building.

(2) The FSC is responsible for addressing the facility-specific security issues outlined in the FSA and approving the implementation of security countermeasures and practices recommended by the security organization. The implementation may be a combination of operational, procedural and/or physical security measures based on the Facility Security Level (FSL) determination, and the Level of Protection (LOP) that are deemed appropriate and achievable.

(3) As outlined in the ISC FSC standards, if a single federal tenant occupies a facility, they have the option to use this standard or other internal procedure to determine what security countermeasures are implemented, how funding is provided and what risk is accepted.

(1) Minimum security levels must be established for each facility. The FSL is based on the characteristics of each facility and the federal occupant. The initial FSL determination for newly leased or owned space will be made as soon as practical, after the Identification (ID) of a space requirement (including succeeding leases). Each facility will be designated Level I, II, III, IV, or V in accordance with the ISC Standards, and appropriate security measures must be implemented. Inherent risks associated with Taxpayer Assistance Center (TAC) locations accepting cash must be considered when making FSL determinations.

(2) The five factors quantified to determine the FSL are:

1. Mission criticality

2. Symbolism

3. Facility population

4. Facility size

5. Threat to tenant agencies

6. A sixth factor, "intangible" to allow the assessor to consider other factors unique to the agency or facility.

(3) To determine the FSL the ISC FSL Matrix should be utilized. The FSL matrix is comprised of five equally weighted security evaluation factors with corresponding points of 1, 2, 3, or 4 allocated for each factor.

(4) A Level V designation necessitates implementation of extensive security measures. IRS facilities identified as critical infrastructure and those housing critical infrastructure and key resources must be designated and protected as Level IV, at a minimum.

(5) The FSL determination will be established by FPS with input and coordination from the assigned FMSS SSC.

(1) Taking photographs within or recording images inside of the IRS is prohibited except when specifically authorized by the assigned FMSS Physical Security Section Chief. Taking photographs of external features of a facility or other property which provides information not accessible to the public must be reported to local FMSS Physical Security staff, the Treasury Inspector General for Tax Administration (TIGTA), and FPS. Photography means any physical or electronically recorded image, including still photographs, x-ray images, video or recordings.

(1) In compliance with ISC standards for non-military federal facilities, FPS has established minimum security standards and requirements for the protection of IRS facilities, personnel and information. These standards are based on possible threats and identified countermeasures that could minimize the impact of an occurrence. A periodic FSA is conducted by FPS, FMSS Physical Security staff and management officials with information on the effectiveness and appropriateness of existing standards and countermeasures, identified risks, security countermeasures recommendations, and guidance on how to best implement approved recommendations.

(2) Evaluation of the risk is the first step in determining the degree of security required for a facility. Security measures should be relative to the type of risks to which the facility and its contents are exposed, the probability that these risks will occur, and the impact that an occurrence would have on the IRS.

(3) As directed in the ISC standards, an FSA will be conducted by FPS at the following intervals, at a minimum: Level III, IV and V facilities, every three years; and Level I and II facilities, every five years. If the security posture has been enhanced by the addition of security countermeasures, those enhancements should be noted in the succeeding report based on recurring cycle. All facilities will follow the ISC and FPS recurring cycle for completing the subsequent FSA of every three or five years or more frequently, if circumstances warrant and/or when the following conditions have occurred:

1. Change in location

2. Major building renovation

3. Increase in significant incidents and/or

4. Change in the mission of the businesses located at the facility

(4) FMSS Physical Security staff will complete a FSAA at all locations where IRS employees are assigned. The FSAA will include Treasury and IRS specific requirements and any findings with cost estimates for the facility being assessed. The completed and signed FSAA will be given to the FPS inspector assigned to complete the associated FSA. The IRS FSAA will be incorporated into the final FPS FSA report. The FSA with FSAA must be performed within six months of occupying the facility or space. IRS will not conduct an FSA or complete an FSAA for Child Care Centers (CCC), credit unions or parking lots not within IRS controlled perimeter and/or facility access.

(5) FPS will conduct an FSA at CCC, credit unions or parking lots that are not within IRS controlled perimeter and/or facility access. No IRS FSAA is required for these types of facilities. and locations.

(1) The AMC is a self-inspection tool used to assess compliance with physical security criteria identified as non-compliant in past audits of the physical security program. The AMC will be completed by a local FMSS Physical Security Specialist (PSS).

(2) The AMC will be completed every fiscal year at the following large IRS facilities:

1. Campuses

2. Computing Centers

3. Main IR (1111 Constitution Ave)

4. New Carrollton Federal Building (NCFB)

(3) The AMC must be completed at least once every five years at other POD locations. The AMC may be completed in conjunction with the scheduled PSRA, other scheduled site visits or at the discretion of the local FMSS Physical SSC. The local SSC must review and approve the AMC and direct the completion of a Corrective Action Report (CAR), if deficiencies are found.

(4) The FMSS AMC Program Manager will review and update the AMC checklist content every fiscal year and reassess the AMC process and frequency of conducting reviews every two fiscal years.

(1) Security deficiencies identified in the AMC must be corrected. The local PSS will identify and document immediate and long-term corrective actions using the CAR. The local SSC and TM must review and approve CAR corrective actions. The CAR will be used to monitor and track all corrective actions until fully implemented.

(2) The local SSC, TM and FMSS AMC Program Manager will monitor the status of all corrective actions until fully implemented.

(1) The FSP provides summary information used to describe all significant Safeguards and Security programs at applicable sites and facilities occupied by IRS employees and contractors. The FSP will be completed for each IRS facility, including computing centers, campuses and critical POD. The FSP documents the implementation of Federal Information Security Management Act (FISMA) Physical Security and Environmental (PSE) Control as prescribed within the National Institute of Standards and Technology (NIST SP 800-53), TDP 15-71, and ISC criteria. Development and maintenance of the FSP is directed in TDP 15-71 Security Manual and the ISC standards.

(2) The intent of the FSP is to outline the protection plan in place at IRS occupied facilities and provide a snapshot of the actual security measures in effect for several security disciplines - physical, Information Technology (IT), environmental, media protection, etc. This requires coordination and cooperation of all business units responsible for each discipline. The description of how those programs are implemented should be contained in site and facility procedures, directives, supplemental orders or other authoritative documentation.

(3) In accordance with ISC standards, at a minimum, the FSP must be reviewed annually and revised as necessary. Documents must be marked as SBU and must identify the following:

1. Site/Facility ID

2. Threat Information

3. Roles and Responsibilities of FMSS Physical Security staff

4. Personnel Security (PERSEC)

5. PSE Protection Policy and Procedures

(1) Limiting Access - The basic principle of security within the IRS or anywhere, is to limit access to assets based upon need. When protecting information, for example, access to documents should be "limited" to those persons with a need to know the information. When the asset to be protected is a room, an area, a building, a computer, or other such property, access to that property should be restricted to those persons who, due to their official duties and/or responsibilities, have a need for such access.

(2) Controlling Access - Access will be controlled by implementing procedures to ensure ensuring that employees, contractors, and visitors entering IRS facilities are screened in accordance with ISC standards.

(3) Visitors are restricted from entering IRS space unless they have a justified business need approved by the local FMSS Physical Security office. Visitors and federal employees employed by other agencies must meet all access requirements as outlined in IRM 10.2.5, Identification Media, IRM 10.2.18, Physical Access Control (PAC) and IRM 10.23.2, Personnel Security, Contractor Investigations.

(1) Most of the methods of protection are designed for protection after normal duty hours or at any time the assets to be protected are not under the personal custody of authorized IRS employees.

(2) Because any single safeguard is often insufficient protection for any asset, the concept of layering of safeguards was developed provide security-in-depth. To facilitate understanding of security-in-depth, the following functions of safeguards are presented.

1. Deter - The psychological effect which a safeguard or a system of safeguards has upon the potential perpetrator or human originated threat is difficult to measure. One can determine the effectiveness of an alarm by the number of bona fide "catches" it makes, but we can only guess the effectiveness of a safeguard which is designed only or primarily to deter a human being. The best example of a pure deterrent is a sign which identifies a Limited Area. While it would be ideal to have effective security simply using such inexpensive means as signs or lights, it is not practical. A good security program will not rely solely upon safeguards which are only deterrents.

2. Detect - Many safeguards will automatically provide detection of an unauthorized act. For example, a door may show signs of a forced entry. However, an alarm might give evidence of an attempted surreptitious or forced entry. Depending once again upon the value of the asset, the timing of detection is crucial. Perimeter alarms and alarm activated cameras will help achieve this goal. Such a goal will also require a response by internal security personnel, DHS/FPS guards, or local police which will monitor detection devices and respond to them as appropriate. The functions of assessing, identifying, and tracking can be accomplished by Closed Circuit Television (CCTV) systems or Video Surveillance System (VSS), alarm systems and entry control systems. The most important of these functions is assessment, since the nature of the unauthorized act (e.g. unauthorized access, theft, robbery, assault, etc.) will influence the nature of the response to that act. In some cases, we may only be able to respond to a threat as it is occurring. While the act has not been prevented, ID of the perpetrator enables the IRS to take appropriate action. The tracking function is most useful for the response force to focus on the current location of the problem or perpetrator.

3. Deny - The only real way to accomplish this function is to destroy an asset to prevent unauthorized personnel from obtaining it. Clearly, for the IRS, this only pertains to information on paper, microfilm, or magnetic media, etc. which is no longer needed, or which is a waste by-product of a tax administration function.

4. Delay - Ideally, the IRS should be able to deny access to its assets to separate them from human originated threats. But this is not practical since to perform its mission the IRS must allow access to its assets. The objective then is to limit access to authorized personnel at approved times for official reasons. At times when the assets are not in the personal custody of an authorized IRS employee, they should be protected by means which delay as long as practical access by unauthorized persons. Safeguards such as locks, containers and walls will withstand (depending on the type of lock, container, etc.) forced entry and surreptitious entry attempts for a given period. This time is, hopefully, enough to discourage most would-be thieves, saboteurs, etc. However, given enough determination and resources (i.e., time, tools, and money) all such safeguards can be breached. If the asset being protected merits more than a deterring and delaying effort, the next function we would add is detection.

5. Defend/Respond - Ideally, response to a threat in progress is to detect it and to take appropriate action soon enough to prevent it from causing any harm or loss. To achieve this ideal, the delaying safeguard, the detection devices, and the response force must be designed to ensure that the safeguard delays the perpetrator long enough for a detection device to alert the response force and long enough to allow the response force to arrive in time to intervene to prevent access or to prevent a perpetrator from leaving the area with stolen government property or information. An onsite contract security force should respond to a threat condition within five minutes and at other buildings (protected with central station alarm systems) within 15 minutes. If this is not possible, then compensating measures must be included in the protective system design to delay an adversary until an effective response can be executed.

(3) Exhibit 10.2.11-3, SAFEGUARDS and Their Related Protection Functions, shows the functions generally performed by certain security devices/techniques. No attempt is made to address the effectiveness of each, as this depends on the quality of the device selected monitoring activities and timely reactionary measures. Conversely, ID media, electronic access control systems, sign in and other audit trail procedures and task separation techniques are generally used during working hours to protect against a potential perpetrator with access.

(1) Each Designated Official (DO), in collaboration with the FMSS Physical Security Section will institute such internal controls beyond the minimum as are necessary to properly protect employees, assets, and preserve the confidentiality of the tax return and related documents.

(2) Control of the internal movement of personnel within a facility is necessary to ensure that only authorized IRS personnel are permitted in critical security areas. The ID card has been designed to assist management in maintaining this internal control. The need to maintain security always requires that only authorized visitors be permitted to enter the facility. Granting access to interested non-tax related individuals or groups for purposes of orienting them with operations are not authorized.

(1) The designation of Limited Area, formerly called Restricted Area, is a method of controlling the movement of individuals and eliminating unnecessary traffic through critical security areas, thereby reducing the opportunity for unauthorized disclosure or theft of tax information.

(2) A SmartID card containing the "R" indicator must always be worn by all personnel within each Limited Area as outlined in IRM 10.2.5, Identification Media.

(3) Admittance to a Limited Area is permitted only on a valid business need. Limited Areas include, but are not limited to:

1. Any space housing Continuity of Operations (COOP)

2. Computer Media Safe/Vault

3. Computer Room

4. Computer Room Command Center

5. Computer Tape/Media Storage Library

6. Consolidated Files

7. Intermediate Data Frame (IDF)

8. Master Data Frame (MDF)

9. Mail/Receipt Room

10. Micro/Mini Computer Room

11. Receipt and Control

12. Remittance Processing (RPS)

13. Returns Files

14. SAMC

    Note: For additional information on access control for a Limited Area, see IRM 10.2.18, Physical Access Control (PAC).

(1) A controlled area is not a Limited Area; however, it requires controlled entry access with one-part authentication (access card or manual combination). Only personnel assigned to work in that area and other personnel designated by the responsible business unit are authorized unescorted access into a controlled area. All visitors entering a controlled area must be escorted by personnel with authorized unescorted access into a controlled area.

(2) Controlled Areas include, but are not limited to:

1. Alarm Panel room/closet

2. Central Security Control Console (CSCC)

3. Other similar facilities designated for controlled access by the responsible business unit

   Note: For additional information on access for a Controlled Area, see IRM 10.2.18, Physical Access Control.

(1) The entire Remittance Processing area will adhere to Limited Area security criteria. Keys and lock combinations to cash drawers, cash boxes and the security containers will be strictly issued and controlled as outlined in IRM 10.2.14, Methods of Providing Protection.

(2) The remittance clerk will:

1. lock the cash drawers and remove the key when leaving the area.

2. empty the cash drawers and store cash boxes in an appropriate container at the end of each work day.

(1) Control of the internal movement of personnel is necessary to ensure that only authorized IRS personnel are permitted in critical areas. The personnel identification card has been designed to assist management in maintaining this internal control.

(2) The local FMSS Physical Security staff office, in accordance with FMSS Identity Credential & Access Management (ICAM) and other applicable Treasury and IRS policies will administer the personnel identification card program which will permit entry only to authorized personnel. This system is also designed to assist management in controlling movement within the facility.

(3) Requests for tours of the facility must should be made in writing and sent to the FMSS Physical SSC. The tour participants must be listed in the request and identities confirmed through the use of a photo ID at the onset of the tour. Tours of the facility (except the computer area) require the approval of the director of the facility.

(4) Tours of the computer area require approval of the Chief of IT Systems Operations Branch in addition to the FMSS Physical SSC and facility director. A senior official must conduct the tour.

(1) Incoming mail, not being distributed or processed, will be stored in a secured area or in locked containers when possible. Mail, incoming and outgoing, will not be left unattended in areas open to the public.

(1) In accordance with ISC guidelines and procedures, mail should be opened in centralized or officially designated mail opening areas. All designated mail rooms and mail opening areas must have Safe/Suspicious Mail Handling and Incident Reporting procedures posted for all mail opening employees and/or contractors to view. At a minimum, the following guidance and procedures will be posted within the mail opening area and employed when handling suspicious mail and packages.

(2) Features of a suspicious package or packages:

1. with soft spots or lopsided

2. wrapped with string

3. containing distorted handwriting

4. that have leaks, stains, powders, or protruding materials

5. containing no or excess postage

6. containing an odor

(3) Procedures to be followed when handling suspicious letters and packages:

1. Remain calm

2. Do not open the letter or package

3. Do not shake or empty contents of package

4. Do not carry the package to show it to others

5. Make a list of all persons who touched the package

6. Put the package on a stable surface

7. Do not touch your eyes, nose, or other body parts

8. Isolate the package and secure the room

9. Wash your hands with soap and water

(4) Reporting the incident:

1. Call first responders for your respective office (local guard service)

2. Report to your manager and call 911

3. Contact FPS at 1-877-4FPS-411

4. Contact TIGTA at 1-800-589-3718

5. Report to SAMC within 30 minutes of incident discovery

   Note: IRS personnel should in no way attempt to act as a first responder or make determinations as to the safety of a substance. Only qualified emergency first responders, i.e. Hazardous Materials (HAZMAT) are authorized to make decisions related to the safety of suspicious items

(5) Incidents may be reported to SAMC through any of the following methods:

1. SAMC Web-site link https://tscc.enterprise.irs.gov/irc/

2. Telephone: 202-317-6124 or 1-866-216-4809

3. Fax: 202-317-6129

4. E-mail at samc@irs.gov

(1) Computer rooms will be slab-to-slab and where possible should be located in a central building location away from the building exterior, parking garages or top floor locations. Computer rooms will be windowless and lockable with controlled access into the area. Computer rooms are secured Limited Areas.