The Safeguards Program and staff are responsible for ensuring that federal, state and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.
These agencies and their contractors receiving federal tax information must protect the confidentiality of return information and are periodically reviewed by Safeguards personnel to ensure they meet the safeguarding requirements of IRC 6103(p)(4). These requirements include employee awareness programs, proper disposal, secure storage and computer security among others.
Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities (PDF), contains specific requirements for safeguarding federal tax information. The revisions to Publication 1075 became effective on December 14, 2007, and tighten controls to protect federal tax information.
Reporting Requirements
The IRS’s revised Publication 1075 updates reporting requirements. Agencies must now use approved report templates and transmit reports electronically. The revised Publication 1075 requires submission of the Safeguard Activity Report (SAR) and the Safeguard Procedures Report (SPR) using approved templates developed by the Office of Safeguards. In addition, agencies must submit these reports electronically using the IRS-approved encryption method of WinZip. Refer to E-mail Encryption Procedures Using the WinZip Utility.
Recommendations on how to become compliant with the new requirements
Given the significant changes in technical safeguards requirements found in Sections 4, 5 and 6, the IRS has some recommendations for agencies to become compliant with the new requirements.
Reporting Unauthorized Accesses, Disclosures or Data Breaches
Local, state and federal agencies receiving federal tax information must follow the revised provisions of Section 10 of Publication 1075 (PDF) upon discovering a possible improper inspection or disclosure of FTI, including breaches and security incidents. Agencies must contact the Treasury Inspector General for Tax Administration (TIGTA) immediately. Agencies are not to wait until after their own internal investigation has been conducted.
Contacting TIGTA is critical. It expedites the recovery of compromised data and the identification of potential criminal or administrative remedies by TIGTA and the IRS. The IRS’s Office of Safeguards relies upon TIGTA’s investigative report to determine compliance with Publication 1075 (PDF) requirements and to coordinate any required notification of impacted taxpayers.
Internal Inspections Reports
Section 6.3 of Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, requires that agencies receiving federal tax information (FTI) establish a review cycle for internal inspections of headquarters offices and all local/field offices that receive FTI. The Internal Inspections Report – Headquarters Office (PDF) and Internal Inspections Report – Field Office (PDF) are for these inspections.
In addition, these agencies must also include an internal inspection of IT operations, using the Internal Inspections Report – IT Operations (PDF). Internal inspections of contractors with access to FTI and any off-site storage facilities must also be completed. All scheduled and completed internal inspections should be provided to the IRS Office of Safeguards on the Internal Inspections Status Report (PDF).
Safeguards Technical Assistance by Topic
The IRS has recommendations and discussions on various Safeguards Program topics available for agencies to help stay in compliance. These documents may assist with preparation of reports, protecting federal tax information, and knowing the legalities of the Safeguards Program.
Auditing Controls of Federal Tax Information
Auditing controls are critical to successfully protecting federal tax information. Guidance is provided on the details to be captured and on the necessary monitoring of the events and transactions recorded in the audit logs.
Help for Completing the Required Safeguard Procedures Report
An agency requesting Federal Tax Information (FTI) must submit a Safeguard Procedures Report (SPR) at least 45 days before the scheduled or requested receipt of FTI according to Section 2.0 of Publication 1075. In addition, a new SPR must be submitted whenever significant changes occur in an agency’s safeguard program or every six years. Two documents, Top Five Problems Agencies Encounter With SPR Processing and Helpful Hints-Preparing a Safeguards Procedures Report (SPR), are available to help agencies submit SPRs that contain clear and sufficient information in order to receive the requested FTI. A sample SPR is also available.
IRS Disclosure Awareness Video Now Available
IRS Disclosure Awareness training videos are now available for local, state and federal governmental agencies that receive federal tax information (FTI). The IRS Office of Safeguards created three videos to help explain several key concepts in protecting the confidentiality of FTI.
- Disclosure Awareness Training (Pub. 4711) (Video, Transcript)
- Disclosure Awareness Training for State Child Support Agencies (Pub. 4712) (Video, Transcript)
- Disclosure Awareness Training for State Human Services Agencies (Pub. 4713) (Video, Transcript)
Managerial, Operational and Technical Policies
IRS has guidance on creating Managerial, Operational and Technical Policies and integrating them with an organizational security policy and program.
Media Sanitization Methods
When confidential taxpayer information is no longer needed, CDs, DVDs, magnetic tapes, and other media need to be sanitized. Several factors need consideration when deciding the method for media sanitization. IRS and the National Institute of Standards & Technology have provided guidelines for choosing one of the four methods of sanitizing and ensuring that the information is successfully disposed of.
Meeting IRS Safeguards Audit Requirements
Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, provides very detailed audit requirements, but how these requirements cut across the various IT layers (e.g., operating system, database, and application) to provide end-to-end auditing might not be as apparent or straightforward. The IRS Office of Safeguards hopes to assist agencies in better understanding and implementing audit-based requirements for Safeguards.
Meeting Safeguard Requirements with Agency Internal Audits
The IRS Office of Safeguards can provide guidance and clarification on how Agency Internal Audits can be helpful in meeting some of the Safeguarding requirements and also provide coverage for security evaluations on a continuous basis.
Operational Security Policies and Procedures
Several key operational security functions should be performed throughout the year to maintain confidentiality of FTI and compliance with Publication 1075. The IRS Office of Safeguards provides examples and resources to assist agencies in creating new operational security policies and procedures or to enhance their existing programs.
Planning to Contract Could Require an IRS Contact
Governmental agencies entrusted with FTI and holding the authority to re-disclose this information to contractors must follow the statutory/regulatory requirements with respect to safeguarding the FTI. The IRS must be properly notified at least 45 days prior to executing any agreement to disclose FTI to a contractor. If the specific procedures are not adhered to, an agency's continued access to FTI could be jeopardized.
Policy and Procedures Involving a Contractor
Clarification is provided on Publication 1075 Risk Assessment (RA) policy and procedures and the Safeguard Procedures Report (SPR). While a contractor can assist with implementing RA controls, it is important that the agency work closely with the contractor to ensure the policy being developed is aligned with the agency's overall mission and the requirements of Publication 1075. It is also important to address the five controls in the control family when creating Risk Assessment policy and procedures.
Possible Computer Virus Technical Assistance
It is extremely important that users be provided guidance on what to do if a virus infection occurs on their computer, because the users are the frontline, and improper handling of an infection could make a minor incident worse. Guidance is provided for handling potential computer virus incidents.
Preventing Data Leakage Safeguards Technical Assistance
Data leakage is becoming more common throughout industry and government, leading to the development of software and procedural techniques to detect and prevent such occurrences. Research and guidance on data leakage in the IRS Safeguards Program is available for agencies.
Protecting Federal Tax Information: A Message From The IRS
This video on disclosure awareness discusses what access to Federal Tax Information (FTI) is and how to guard it. It also covers how the disclosure of that information is protected by law.
Protecting Federal Tax Information: A Pocket Guide for Government Employees (PDF)
Publication 4761, Protecting Federal Tax Information: A Pocket Guide for Government Employees, is for federal, state and local agency employees who receive and use federal tax information (FTI). It provides basic disclosure concepts and warns of civil and criminal sanctions for misuse of FTI. It can be ordered by government agencies.
Remote Access for Data Centers
Clarification is provided on the multi-factor authentication requirement for remote access when agencies are accessing servers located at their consolidated data center.
Remote Access Requirement
The IRS Internal Revenue Manual defines remote access as "access by users (or information systems) communicating external to an information system security perimeter." Guidance is provided regarding the multi-factor authentication requirement for remote access when tax offices are accessing servers located at their consolidated data center.
Safeguards Technical Assistance
Agencies that have not gone through the revised Publication 1075 (Tax Information Security Guidelines for Federal, State and Local Agencies and Entities) based Safeguard review often have questions related to the Managerial, Operational and Technical (MOT) SCSEM (e.g. what is it based on, why is it needed, and how can we prep for it). By proactively addressing these types of questions in a technical assistance memo, the IRS Office of Safeguards aims to provide consistent and timely information to the agencies. It will also assist in preparation for the upcoming Safeguard review.
STAX Audit Logs
IRS Publication 1075 outlines the requirements and guidelines to ensure that FTI is properly audited. Guidance is provided on the handling and storage of STAX audit logs.
Use of Collaborative Tools
Agencies and businesses increasingly rely on digital forms of communication for computer-based real-time collaboration. These software applications provide a virtual space that enables participants to communicate via voice, video, chat, and whiteboard, and to share user desktops, applications and documents. However, these types of collaborative tools are not suitable for transmitting FTI across encrypted tunnels.
Virus Scanning Tools
IRS Publication 1075, Section 5.6.16, requires any information system that stores, processes, or transmits FTI be protected against malicious code transported by electronic mail, electronic mail attachments, Internet accesses, removable media, or other common means. Guidance is provided for anti-virus prevention.
Warning Banner Must be Used When Housing Federal Tax Information
In accordance with Section 6.2 of Publication 1075, warning banners must be used during initial logon on computers housing federal tax information. The Office of Safeguards recommends text to fulfill this requirement.
Questions?
Please send questions to Safeguards program. Depending upon the volume and diversity of the questions, we will either answer you directly or add additional information to this site to address your question.