Accounts for IRS employees placed on Leave Without Pay (LWOP) while performing military duty shall adhere to the inactivity provisions in the Business Role Account Inactivity section of this IRM.

IRS employees placed on furlough may be provided access to e-mail, intranet and internet only for usage during the furlough time-period.

The employee's supervisor or Contracting Officer's Technical Representative (COTR) shall request reinstatement of access upon the return to active duty of the employee or contractor.

The responsible organization shall immediately suspend, cancel, and/or adjust all access privileges associated with changes in status of the user.

Review of inactive user IDs/accounts;

Coordinated review of access control lists with information owners;

Coordinated review of network, system, and resource access authority for non- IRS entities with responsible IRS business areas; and

Setting of automated account expiration for non-IRS entities, where technically feasible, and when the access termination date can be predetermined.

The sanctions process shall be consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Refer to the Sensitive But Unclassified (SBU) Information, Controlled Unclassified Information (CUI), and Personally Identifiable Information (PII) sections of this IRM for further guidance.

Disciplinary actions shall take into account the sensitivity of the information involved, the impact of the offense, and the number of prior offenses.

Contract terms shall permit the government to exclude contractor employees from accessing IRS information and information systems.

Develop and keep current a list of personnel with authorized access to IRS facilities where information systems and data reside (except for those areas within the facility officially designated as publicly accessible);

Issue authorization credentials (e.g., badges, identification cards, and smart cards);

Review and approve the access list and authorization credentials at least annually, removing from the access list personnel no longer requiring access

Enforce physical access authorization for all physical access points (including designated entry/exit points) to the facility where information systems reside (excluding those areas within the facility officially designated as publicly accessible);

Limit access to Department of the Treasury and IRS buildings and structures housing sensitive information systems to authorized personnel;

Verify individual access authorizations before granting access to a facility;

Control entry to facilities containing information systems using physical access devices and/or guards;

Control access to areas officially designated as publicly accessible in accordance with the IRS’s assessment of risk;

Secure keys, combinations, and other physical access devices;

Inventory physical access devices at a minimum annually; and

Change combinations and keys at least annually and when keys are lost, combinations are compromised, or individuals who have access are transferred, terminated, or no longer require access.

Based on the level of risk; and (NIST SP 800-53 PE-3)

Sufficient to safeguard assets against possible loss, theft, destruction, accidental damage, hazardous conditions, fire, malicious actions, and natural disasters.

IRS-owned or controlled facilities, or

Information systems, and/or

SBU information.

Employ management, operational, and technical information system security controls as defined within this IRM at alternate work sites;

Assess the effectiveness of security controls at alternate work sites; and

Provide a means for employees to communicate with information security personnel in case of security incidents or problems.

Training shall incorporate realistic, simulated events into contingency training in order to ensure personnel are adequately prepared for times of crisis. (NIST SP 800-53 CP-3 CE1) (H)

An alternate storage site shall be identified that is separated from the primary storage site so as not to be susceptible to the same hazards. (NIST SP 800-53 CP-6 CE1) (M, H)

The alternate storage site shall be configured to facilitate recovery operations in accordance with recovery time and recovery point objectives. (NIST SP 800-53 CP-6 CE2) (H)

Potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster shall be identified and explicit mitigation actions outlined. (NIST SP 800-53 CP-6 CE3) (M, H)

Establish an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions in accordance with the recovery time objectives defined in the Information Technology Contingency Plan (ITCP) when the primary processing capabilities are unavailable; and

Ensure that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.

Identify an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards. (NIST SP 800-53 CP-7 CE1) (M, H)

Identify potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. (NIST SP 800-53 CP-7 CE2) (M, H)

Develop alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements. (NIST SP 800-53 CP-7 CE3) (M, H)

Ensure that the alternate processing site provides information security measures equivalent to that of the primary site. (NIST SP 800-53 CP-7 CE5) (M, H)

Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements; and

Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

Frequency;

Retention;

Offsite schedule, including personnel who are authorized to send and receive backup media;

Logs of backups, including recording errors that might occur;

Backup schedule;

Restoration of software from the original medium, not from backups; and

Reconfiguration of the media in accordance with IRS policy.

Conduct backups of user-level information contained in the information system at least:
i. Daily for FIPS 199 HIGH systems,
ii. Weekly for FIPS 199 MODERATE systems, and
iii. Monthly for FIPS 199 LOW systems;

Conduct backups of system-level information contained in the information system at least:
i. Daily for FIPS 199 HIGH systems,
ii. Weekly for FIPS 199 MODERATE systems, and
iii. Monthly for FIPS 199 LOW systems;

Conduct backups of information system documentation including security-related documentation at least:
i. Daily for FIPS 199 HIGH systems,
ii. Weekly for FIPS 199 MODERATE systems, and
iii. Monthly for FIPS 199 LOW systems;

Protect the confidentiality and integrity of backup information at the storage location at the highest level of sensitivity of the data.
i. The media shall be marked with the highest level of sensitivity.

Restrict access to backup media to authorized personnel only.

Quarterly for FIPS 199 HIGH systems;

Semi-annually for FIPS 199 MODERATE systems; and

Annually for all other information systems.

Only legal and licensed (including open source, shareware, and freeware licenses, etc.) software (including operating system, databases, applications, etc.) approved by MITS shall be used or installed on IRS systems and networks.

The use of hardware or software that is not within the Baseline configuration shall be approved through the Enterprise Architecture (EA) waiver process.

IRS checklist shall be adhered to prior to looking outside the IRS to the National Checklist Program Checklist Repository (NCPCR) or other organizations.

Where secure configuration baselines have not been identified or developed for a product where a configuration checklist exists in the National Checklist Program Checklist Repository (NCPCR), a security baseline shall be assumed based on the checklist submitted by the top-most applicable developer in the following list (if there is no checklist from the first provider identified, the default shall fall to the second, and so forth):
1. Office of Management and Budget (OMB)
2. NIST, Computer Security Division
3. Defense Information Systems Agency (DISA)
4. National Security Agency (NSA)
5. Other government agencies
6. Public/private consensus partnerships
7. The product vendor

When configuration settings are developed for any of the platforms for which a checklist exists in the NCPCR, the settings shall be derived from one of the secure baselines available through the NCPCR. (TD P 85-01 S-CVM.3)

The NCPCR shall be checked, not less than annually, for updates to the selected secure baseline(s) (if used as the basis for its checklist) and, for each update found, determine whether changes should be made to Bureau-specific configuration settings. (TD P 85-01 S-CVM.3)

At a minimum annually;

When required due to reorganizations, refreshes, etc. and

As an integral part of IRS information system component installations and upgrades.

Automated tools shall be approved through the MITS organization.

Develop and maintain a current list of software programs not authorized to execute, on IRS information systems. (NIST SP 800-53 CM-2 CE4) (M)

Employ an allow-all, deny-by-exception authorization policy to identify software allowed to execute on IRS information systems (i.e., white lists of authorized software). (NIST SP 800-53 CM-2 CE4) (M)

Develop and maintain a current list of software programs authorized to execute, on IRS information systems. (NIST SP 800-53 CM-2 CE5) (H)

Employ a deny-all, permit-by-exception authorization policy to identify software allowed to execute on IRS information systems. (NIST SP 800-53 CM-2 CE5)

Accurately reflects the current information system;

Is consistent with the authorization boundary of IRS information systems;

Is at a level of granularity deemed necessary for tracking and reporting, as requirements defined within this section for IRS information systems components;

Includes all IRS-defined information deemed necessary to achieve effective property accountability; and

Is available for review and audit by designated IRS officials.

The inventory management system shall include, at a minimum: (NIST SP 800-53 CM-8)

Employ automated mechanisms annually to detect the addition of unauthorized components/devices into IRS information systems and

Disable network access by such components/devices or notify designated MITS personnel of unauthorized components/devices.

The inventory of hardware information, by FISMA system, shall be uploaded into the IRS’ FISMA tool, updated within one month as changes occur, and reviewed at least annually.

Establish, prepare, implement, and enforce a configuration management plan and its controls for all information systems and networks.

Approve changes to IRS information systems with risk-based consideration for security impact analysis;

Document approved configuration changes to the system;

Retain and review records of configuration changes to a system;

Audit activities associated with configuration changes to the system;

Coordinate and provide oversight for configuration change control activities through a Configuration Control Board, which meets on a monthly basis, at a minimum; and

Ensure all business and functional unit owners utilize the IRS’s FISMA guidance and the Security Configuration Management SOP for security change management. For more information on the Security Change Management processes, contact the Cybersecurity Project Management Office (PMO).

The proposed changes shall be reviewed by the appropriate personnel, including the Information System Security Officer (ISSO), to determine the impact of the change on the information system and its interconnections, including the security posture of the information system (or it's supporting GSS).

If the change request creates a significant change in the security posture of the system, the information system shall be required to undergo a re-certification and accreditation.

Document proposed changes to IRS information systems;

Notify AO of changes;

Report and track approvals that have not been received in accordance with FISMA guidance to the authorizing official;

Prohibit changes until designated approval has been received; and

Document completed changes to IRS information systems.

The analysis findings shall be reported to the AO for resolution/remediation.

Validate the security functions were implemented correctly;

Verify the security functions are operating as intended;

Ensure the security functions are producing the desired outcome with respect to meeting the security requirements for the system; and

Report findings to the AO for resolution/remediation.

Procedures shall be established for evaluating, approving, and installing patches and hot fixes to ensure patches are installed;

Security patches shall be tested and installed on a timeline in accordance with the criticality of the patches. (TD P 85-01 S-PM.2)

The IRS shall ensure that, upon daily power up and/or connection to the IRS’s network, workstations (including remote connections using government furnished equipment [GFE]) are checked to ensure the most recent MITS-approved patches have been applied, and any absent or new patches are applied as necessary or otherwise checked no less than once every 24 hours (excluding weekends, holidays, etc.). (TD P 85-01 S-PM.3)
i. Workstations shall include desktop and laptop computers that connect at any time to IRS networks.

The IRS shall apply patches available from the Department of Homeland Security when addressing new vulnerabilities. (TD P 85-01 S-CVM.17)

All installations that are IRS owned or outsourced operations shall be reported monthly for FISMA and Treasury submission. This includes all systems in the following environments: production, disaster recovery, training, development & testing.

Ensuring that configurations are measured and reported;

Changes to security controls are tested and documented; and

Compliance metrics for all of their reportable FISMA assets are reported to Security Configuration Management.

System name

All Data Elements within the “System Inventory Report” tab (to include all dates for artifacts such as security categorization (FIPS 199), contractor system designation; system category, major/minor stand-alone/child designator; national security system designator, etc.)

Interfaces, interconnections, etc.

Annual testing reports as they are completed.

Contingency plans

Contingency plan test results

Privacy-related artifacts or links.

Security Awareness Training and Education (SATE) Plan

Awareness training statistics, funding, etc.

Specialized training statistics, funding, etc.

Security Authorization Documentation:
i. Accreditation Letter (for accredited system)
ii. Certification Letter
iii. E-Authentication (if applicable)
iv. FIPS 199 Review
v. Risk Assessment
vi. Security Test & Evaluations (ST&E)
vii. System Security Plan
viii. Security Assessment Report – Self Assessment
ix. Inter-agency agreements/Inter-Service Agreements
x. Incident Response data

Other items as advised to security officers through the Cyber Security Sub-Council.

Establish and document mandatory configuration settings for IT products employed within IRS information systems using an automated means to check that the security configuration settings of IRS-installed/operated equipment are continually maintained in accordance with security configuration checklists (e.g., NIST checklist, DISA Security Technical Implementation Guide (STIG), NSA hardening guides, Center for Internet Security (CIS) security benchmark guides) that reflect the most restrictive mode consistent with operational requirements;

Implement and enforce the established configuration settings;

Identify, document, and approve exceptions from the mandatory configuration settings for individual components within IRS information systems based on explicit operational requirements; and

Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

Ensure that changes/upgrades to systems, applications, and programs are compatible with the SCAP and the FDCC;

Use tools compatible with the SCAP when monitoring security configurations of Vista and Windows XP; and (TD P 85-01 S-CVM.6)

Refer to NIST SP 800-126, The Technical Specifications for the Security Content Automation Protocol (SCAP) and NIST SP 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) for further guidance.

Such CIO-approved "permanent" deviations are not required to be tracked in POA&Ms.

All other FDCC deviations, not approved as a "permanent" deviation by the Department of Treasury CIO, shall be tracked in a POA&M. (TD P 85-01 S-CVM.20)

This requirement applies to information systems categorized at the following FIPS 199 impact-levels:
• LOW systems connected to an IRS network
• MODERATE
• HIGH

A list of authorized software programs

A list of unauthorized software programs

Rules authorizing the terms and conditions of software program usage

Schedule, perform, document, and review records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or IRS requirements;

Control all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

Require that a designated official explicitly approve the removal of the information system or system components from IRS facilities for off-site maintenance or repairs;

Sanitize equipment to remove all information from associated media prior to removal from IRS facilities for off-site maintenance or repairs; and

Check all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.

Date and time of maintenance;

Name of the individual performing the maintenance;

Name of escort, if necessary;

A description of the maintenance performed; and

A list of equipment removed or replaced (including identification numbers, if applicable).

Verifying that there is no organizational information contained on the equipment;

Sanitizing or destroying the equipment;

Retaining the equipment within the facility; or

Obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.

Authorize, monitor, and control non-local maintenance and diagnostic activities;

Allow the use of non-local maintenance and diagnostic tools only as consistent with IRS policy and documented in the security plan for the information system;

Employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;

Maintain records for non-local maintenance and diagnostic activities; and

Terminate all sessions, maintenance ports, and network connections when non-local maintenance is completed.

Designated IRS personnel shall review the maintenance records of the sessions.

Require that non-local maintenance and diagnostic services be performed from an information system that implements a level of security at least as high as that implemented on the system being serviced; or

Remove the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to IRS information) before removal from IRS facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software and surreptitious implants) before reconnecting the component to the information system.

A current list of authorized maintenance organizations or personnel shall be maintained.

Have the required access authorizations, or

Be accompanied by designate IRS personnel with required access authorizations and technical competence deemed necessary to supervise the information system maintenance when maintenance personnel do not possess the required access authorizations.

Identify, report, and correct information system flaws;

Test software updates related to flaw remediation for effectiveness and potential side effects on IRS information systems before installation; and

Incorporate flaw remediation into the IRS configuration management process.

Identify potentially security-relevant error conditions;

Generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information that could be exploited by adversaries; and

Reveal error messages only to authorized personnel.

UNIX and Linux systems functioning as a server on the internal, trusted network are not required to deploy anti-virus software; all other UNIX and Linux systems are still required to deploy anti-virus software.

Systems not required to deploy anti-virus software are still required to implement the operational and technical control guidance outlined within this IRM. These control functionalities include, but are not limited to:
i. Access Controls (e.g., Role-based);
ii. Incident Response training;
iii. Patch Management;
iv Audit log reviews;
v. Firewalls and host intrusion detection system (HIDS); and
vi. File integrity verification (e.g., hash or checksum).

Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or

Inserted through the exploitation of information system vulnerabilities.

Perform weekly scans of an information system;

Perform real-time scans of files from external sources as the files, internet downloads, and e-mail are received, downloaded, opened, or executed in accordance with IRS security policy; and

Either block or quarantine malicious code, and send an alert to the system administrator in response to malicious code detection.

Malicious code protection mechanisms shall be centrally managed. (NIST SP 800-53 SI-3 CE1)

Malicious code protection mechanisms (including signature definitions) shall automatically update (NIST SP 800-53 SI-3 CE2)

Non-privileged users shall be prevented from circumventing malicious code protection capabilities (e.g., disabling). (NIST SP 800-53 SI- 3 CE3)

Employees sending e-mail messages containing SBU shall do so using Outlook, encrypting the information when it is transmitted and stored with the MITS-approved solution for e-mail encryption.

E-mail messages with text containing SBU sent to another IRS e-mail address or to an e-mail address external to the IRS shall be encrypted using the MITS-approved solution for e-mail encryption.

Files containing SBU data sent to an IRS e-mail address or to an e-mail address external to the IRS must be encrypted using the MITS-approved solution for e-mail encryption.

Monitor events on an information system and networks in accordance with MITS/Cybersecurity defined monitoring objectives and detect information system attacks;

Identify unauthorized use of an information system;

Deploy monitoring devices:
i. Strategically within IRS networks to collect IRS-determined essential information; and
ii. At ad hoc locations within a network to track specific types of transactions of interest to the IRS;

Heighten a network’s and/or information system’s level of monitoring activity whenever there is an indication of increased risk to IRS operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and

Obtain legal opinion from the IRS Chief Counsel with regard to monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

Audit logs shall be maintained to track prohibited sources and services.

Monitor inbound and outbound communications for unusual or unauthorized activities or conditions. (NIST SP 800-53 SI-4 CE4) (M, H)

Provide near real-time alerts when indications of compromise or potential compromise occur. (NIST SP 800-53 SI-4 CE5) (M, H)

Prevent non-privileged users from circumventing intrusion detection and prevention capabilities. (NIST SP 800-53 SI-4 CE6) (M, H)

Receive information system security alerts, advisories, and directives from designated external organizations on an ongoing basis;

Generate internal security alerts, advisories, and directives;

Disseminate security alerts, advisories, and directives to IRS personnel; and

Implement security directives in accordance with established timeframes, or notifies the issuing organization of the degree of non-compliance.