10.2.3  Safeguard Reviews

10.2.3.1  (09-25-2008)
Scope

  1. This section establishes security guidelines to ensure that Internal Revenue Service contracts for the procurement of property and services requiring the disclosure of sensitive, protected information are administered in accordance with all applicable laws, regulations and procedures.

  2. These procedures apply to private contractors performing work on behalf of the IRS under a contract or other acquisition agreement and which involve the authorized disclosure of sensitive information (i.e. return or return information, personnel information, and administrative or internal management information critical to the accomplishment of the mission of the Service) or access to sensitive systems. In addition, services covered in this section may include property and services for tax administration purposes; services from any private contractor (i.e. processing of films and other photo impressions of any return, statement, document or any other information requiring protection); and Information Technology Services (i.e. design, operation, repair or maintenance of information systems).

  3. This section does not provide guidance on access to sensitive information granted under law and/or agreement to other Federal, state or local government agencies. Guidance on these types of Safeguard Reviews can be found in IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies.

  4. For contracts that do not require the processing of sensitive information but rather require a simple service such as copying documents for litigation, the IRS contracting office and requesting activity must make sure that appropriate disclosure language and security requirements are included in the Statement of Work (SOW). In addition, prior to the start of the contract, the private contractor must complete a security check sheet (provided by IRS) and must provide a certification of compliance with the protections required in the SOW or agreement.

10.2.3.2  (09-25-2008)
Roles and Responsibilities

  1. The Chief, Agency-Wide Shared Services is authorized to prescribe Safeguard Reviews for use within the IRS. The Director, Physical Security and Emergency Preparedness, is responsible for oversight of the planning, developing, implementing, evaluating, and controlling of this IRS Program. The Associate Director, Security and Emergency Programs Division, is responsible for planning, developing, implementing, evaluating, and controlling this IRS Program.

10.2.3.3  (09-25-2008)
Request for Services

  1. When requesting contract services, the requesting activity should make sure that all security aspects are addressed. In addition to physical security, information technology security, disclosure and personnel security components may be identified. In the event that other security components are identified, these requirements must also be included in the SOW and must be verified with the appropriate security organization.

  2. If it is necessary to disclose to a private contractor tax data or other information which must be protected, the requesting activity must prepare a SOW and include the following information:

    1. A narrative statement of work describing all intended requirements and applications.

    2. A statement identifying the data to be disclosed.

    3. Proposed physical security safeguards (and all other security components) to protect the information or systems which must be disclosed to the vendor/contractor, or a statement that additional safeguards are not required.

    4. A statement that a site survey is or is not required.

  3. Proposed physical security safeguards must be tailored to the specific service or information that is required. Simply providing all possible safeguards is not appropriate. The requesting activity should identify the service/information and then review the physical security requirements for the protection of the specific information being disclosed. Internal Revenue Manual 10.2.15, Minimum Protection Standards, provides information on required protective measures.

10.2.3.4  (09-25-2008)
Review of Request for Services

  1. The requesting activity (Business Unit) should coordinate with the appropriate Physical Security personnel, or other security components, to determine if:

    1. The request involves disclosure of returns or return information or other sensitive information that requires protective measures as prescribed in IRM 10.2.15.

    2. All physical security requirements are identified and adequately addressed in the action.

  2. When requested, the appropriate Security personnel will:

    1. Review the SOW to determine the nature of materials (data) being processed, purpose and use, applications, etc.

    2. Recommend routing to other security components for review if there are security implications beyond physical security and there is no indication of review by other security components.

    3. Ensure it meets minimum security requirements and recommend additional safeguards when necessary.

    4. Ensure that any safeguards specified by the requesting activity are appropriate, reasonable and in compliance with minimum security standards.

    5. Notify the requesting activity if the safeguards specified are inappropriate and recommend appropriate safeguards necessary to protect the data identified.

    6. Review and evaluate existing reports, if applicable, for completeness and accuracy.

    7. Follow up to ensure that deficiencies identified are being corrected.

10.2.3.5  (09-25-2008)
The Survey Checklist

  1. The contracting officer shall require vendors to provide the following information, in writing, as part of their offers:

    1. A copy of any internal security review and findings the vendor may have made within the previous 12 months.

    2. A narrative description of the vendor's proposal to comply with the required security measures.

    3. A copy of all of the vendor's policies and procedures relating to security.

    4. An organization listing or chart, if available.

  2. When the prospective contractor has been identified, the contracting officer will notify the requesting activity so that arrangements can be made and coordinated with security to conduct a review and analysis of any vendor provided security information.

  3. A sample Contractor Facility Security Survey checklist can be found in section 10.2.3.8. (The Disclosure of Information Handbook (IRM 11.3) also provides guidance.) However, reviewers should regard the vendor provided information as a guide to aid in the site review process. Additions, deletions and alterations may be required in order to tailor them to a specific contract and its requirements.

  4. The checklists and review notes will be used in preparing the narrative report.

  5. The same level of security observed at the contractor's main facility should be provided at any off-site facility used to store or process IRS data, and at back-up facilities.

  6. If a deficiency is noted in the security checklist which is serious enough to warrant immediate corrective action, or there is enough evidence to indicate a possible security breach, the requesting activity’s reviewer will coordinate with the Security function and the contracting officer to assess impact and determine the immediate actions necessary. Once the immediate breach, actual or potential, has been acted upon, actions to permanently resolve it will be determined and implemented by the contractor with approval from the business unit and the contracting officer.

10.2.3.6  (09-25-2008)
Reporting Requirements

  1. Upon completion of the review and analysis of the security checklist, the requesting activity’s reviewer and Security will provide the contracting officer with a verbal report if there is evidence of a potential security compromise, certifying security standards compliance and/or identifying the vulnerability and corrective action. This verbal report will be followed by a written report within 5 workdays.

  2. The Checklists and notes taken during the analysis will provide the basis of the narrative and should be attached to the final report.

  3. Final recommendations to bring the contractor into compliance with security standards should be reasonable and, whenever possible, the least costly alternatives which will yield the same desired level of security.

  4. The reviewer will complete and transmit within five workdays the original of the completed review report to the responsible contracting officer with a copy to the appropriate Security office.

  5. Reports for contracts which have Servicewide impact will be forwarded to National Office Procurement and a copy to the Associate Director, Security and Emergency Programs Division, Physical Security and Emergency Preparedness.

  6. Security personnel will review the final report and all associated documentation for completeness, accuracy and compliance to security standards. Any questions identified during the analysis will be coordinated with the contracting officer for clarification and verification.

  7. After coordination with Security personnel, a recommendation on whether the contractor is able to meet the security standards will be made to the contracting officer by the requesting activity.

  8. Where security deficiencies were noted, a written follow-up by Security personnel will be made to ensure that appropriate corrective action has been taken by the contractor.

  9. If the security requirements recommended as a result of the analysis cannot be met by a contractor prior to the start of the work, a determination of non-responsiveness will be recommended and an alternate contractor will be reviewed for security compliance.

  10. Copies of all documentation pertaining to the contract will be maintained on file by the local Security function.

10.2.3.7  (09-25-2008)
Contractor Recertification

  1. An existing contractor's ability to adequately protect IRS data from unauthorized use or disclosure must be recertified:

    • Annually, for contracts which extend beyond a one year period

    • Prior to contract renewal

    • Whenever the security measures employed by the contractor become a matter of concern (e.g. suspected security breach).

  2. Contract recertifications are the responsibility of the user function. If the recertification is conducted due to a physical security concern, Security personnel will be briefed on the specifics and will assist in the analysis and report preparation. Security personnel will also be available for assistance in other recertifications if the user function does not have the technical expertise available.

  3. Security personnel will establish an agreement with the contracting officer to be kept informed of contract recertification schedules.

  4. The recertification letter to the contractor should include all contractual language necessary to protect the Service's security and contractual rights.

  5. The contractor will be requested to submit, in narrative form, a self-assessment regarding his/her ability to protect IRS data. The narrative will, at a minimum:

    1. Describe, in detail, changes in security safeguard procedures or authorized access to IRS data.

    2. Indicate any change in site location and turnover of technical personnel handling IRS data.

    3. Report results of internal inspections conducted by the contractor and any security breaches occurring within the past year.

  6. The contracting officer will determine if a security violation detected in a recertification site survey constitutes a breach of contract or if a contract modification is necessary. Evidence of unauthorized disclosure of IRS data discovered during the review will be reported to the local IRS Disclosure Office and local Security function for appropriate notification to the National Office.

  7. The contractor will respond to the recertification letter within 15 calendar days from the date of receipt.

  8. When received, the narrative data and all associated documents will be sent to the requesting activity and security personnel for review and analysis to determine if an on-site recertification site review is required. Response to the recertification letter by the contractor does not eliminate the Service's right to inspect the contractor's facility to ensure that the responses are factual; nor does it in any way change or modify the contractual rights to perform on-site reviews if a security breach is suspected or reported.

  9. If the contract is up for renewal, the reviewer (Business Unit) will immediately notify the contracting officer verbally when a recertification determination has been made. If the contractor is to be recertified, a written report to this effect will be sent to the contracting officer confirming the verbal notification.

  10. If the contractor cannot be certified from available data, the reviewer will coordinate with the contracting officer to schedule a recertification site survey of the contractor's facility.

10.2.3.8  (09-25-2008)
Sample Contractor Facility Security Survey Checklist/PHYSICAL SECURITY ASSESSMENT OF CONTRACTOR SITE

  1. CONTRACTOR NAME:

  2. ADDRESS:

  3. PURPOSE OF CONTRACT:

  4. Describe building and location (e.g. two story structure, located in business district, multi-tenant, list of other tenants)

  5. How many floors does contractor occupy? What are the floors?

  6. How many entrances to the building? How many entrances into the office?

  7. When is the office cleaned? Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  8. Is cleaning performed in the presence of IRS employees or cleared IRS contractors? Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  9. PE-1: Physical and Environmental Protection Policy and Procedures: NIST 800-53 Control: The organization develops, disseminates, and periodically reviews/updates:

    1. a formal, documented, physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    2. formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.

    3. Observation: In Place/Partially in Place/Planned or Not Applicable

    4. Findings/Comments

  10. PE-2: Physical Access Authorizations NIST 800-53 Control: The organization develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and issues appropriate authorization credentials. Designated officials within the organization review and approve the access list and authorization credentials [Assignment: organization-defined frequency, at least annually].

    1. Control Enhancements: The organization controls physical access to the information system independent of the physical access controls for the facility.

    2. Observation: In Place/Partially in Place/Planned or Not Applicable:

    3. Findings/Comments:

  11. PE-3: Physical Access Control: NIST 800-53 Control: The organization controls all physical access points (including designated entry/exit points) to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facility. The organization controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk.

    1. Control Enhancements: The organization controls physical access to the information system independent of the physical access controls for the facility.

    2. Observation: In Place/Partially in Place/Planned or Not Applicable:

    3. Findings/Comments:

  12. How is access to the offices controlled during working hours? Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  13. How is the office secured at the end of the day? Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  14. Who has access to the office after hours (position of employee, cleaning crew, building management)? Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  15. PE-5: Access Control for Display Medium NIST 800-53 Control: The organization controls physical access to information system devices that display information to prevent unauthorized individuals from observing the display output. Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  16. Is there any type of Intrusion Detection System? Yes_____ No____ If yes, describe (glass breaks, motion sensors, Door Contacts). If yes, is it activated during duty and non-duty hours? Yes____ No____ Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  17. PE-6: Monitoring Physical Access NIST 800-53 Control: The organization monitors physical access to the information system to detect and respond to physical security incidents. Control Enhancements:

    1. The organization monitors real-time physical intrusion alarms and surveillance equipment.

    2. The organization employs automated mechanisms to recognize potential intrusions and initiate appropriate response actions.

    3. Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  18. PE-7: Visitor Control NIST 800-53 Control: The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible. Control Enhancements: The organization escorts visitors and monitors visitor activity, when required. Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  19. How is IRS sensitive data stored? ______________________________ If IRS sensitive data is containerized, what type of containers are utilized and are the keys controlled? Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  20. Is sensitive data locked up when not under the supervision of authorized employees? Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  21. Who are the employees who have access to IRS sensitive data? (Please provide a listing of names and position titles) Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  22. How are waste copies of sensitive data disposed of? Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  23. Have employees and contractors been made aware of the non-disclosure agreement? Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  24. Are employees and contractors aware of the penalties for unauthorized use or disclosure of information? Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  25. PE-8: Access Records NIST 800-53 Control: The organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) that includes: name and organization of the person visiting, signature of the visitor, form of identification, date of access, time of entry and departure, purpose of visit, name and organization of person visited. Designated officials within the organization review the visitor access records [Assignment: organization-defined frequency]. Control Enhancements:

    1. The organization employs automated mechanisms to facilitate the maintenance and review of access records.

    2. The organization maintains a record of all physical access, both visitor and authorized individuals.

    3. Observation: In Place/Partially in Place/Planned or Not Applicable:

    4. Findings/Comments:

  26. PE-9: Power Equipment and Power Cabling NIST 800-53 Control: The organization protects power equipment and power cabling for the information system from damage and destruction. Control Enhancements: The organization employs redundant and parallel power cabling paths. Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  27. PE-10: Emergency Shutoff NIST 800-53 Control: The organization provides, for specific locations within a facility containing concentrations of information system resources, the capability of shutting off power to any information system component that may be malfunctioning or threatened without endangering personnel by requiring them to approach the equipment. Control Enhancements: The organization protects the emergency power-off capability from accidental or unauthorized activation. Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  28. PE-11: Emergency Power NIST 800-53 Control: The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss. Control Enhancements:

    1. The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

    2. The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.

    3. Observation: In Place/Partially in Place/Planned or Not Applicable:

    4. Findings/Comments:

  29. PE-12: Emergency Lighting NIST 800-53 Control: The organization employs and maintains automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes. Control Enhancements: None. Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  30. PE-13: Fire Protection NIST 800-53 Control: The organization employs and maintains fire suppression and detection devices/systems that can be activated in the event of a fire. Control Enhancements:

    1. The organization employs fire detection devices/systems that activate automatically and notify the organization and emergency responders in the event of a fire.

    2. The organization employs fire suppression devices/systems that provide automatic notification of any activation to the organization and emergency responders.

    3. The organization employs an automatic fire suppression capability in facilities that are not staffed on a continuous basis.

    4. Observation: In Place/Partially in Place/Planned or Not Applicable:

    5. Findings/Comments:

  31. PE-14: Temperature and Humidity Controls NIST 800-53 Control: The organization regularly maintains, within acceptable levels, and monitors the temperature and humidity within the facility where the information system resides. Control Enhancements: None. Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  32. PE-15: Water Damage Protection NIST 800-53 Control: The organization protects the information system from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel. Control Enhancements: The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a significant water leak. Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  33. PE-16: Delivery and Removal NIST 800-53 Control: The organization authorizes and controls information system-related items entering and exiting the facility and maintains appropriate records of those items. Control Enhancements: None. Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  34. PE-17: Alternate Work Site NIST 800-53 Control: The organization employs appropriate management, operational, and technical information system security controls at alternate work sites. Control Enhancements: None. Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments:

  35. PE-18: Location of Information System Components NIST 800-53 Control: The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. Control Enhancements: The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and, for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy. Observation: In Place/Partially in Place/Planned or Not Applicable: Findings/Comments: