11.3.36  Safeguard Review Program

11.3.36.1  (08-08-2008)
Purpose

  1. This section provides the written guidance for all Office of Safeguards personnel when performing safeguard evaluations and reviews. The Safeguards staff is responsible for ensuring that agencies and their contractors who receive Federal tax returns and return information (collectively, Federal Tax Information (FTI)) from the Internal Revenue Service (IRS) maintain adequate safeguards for the protection of such information. Written procedures and instructional guidelines are included to help the reviewer determine whether the agencies are providing adequate protection for FTI that is consistent with the Department of the Treasury and Internal Revenue Service guidelines, manuals, and regulations.

    Note:

    The term agency includes Federal, state, and local agencies, or entities and their contractors. The term contractor will generally be used with reference to agency contractors, while IRS contractors will be referred to as such.

  2. The safeguard program is a cooperative effort with the recipient agencies and their contractors, to ensure the confidentiality of FTI. Outreach and communication are key elements in promoting protection of FTI. In order to fulfill legal requirements and IRS responsibilities, the program must also maintain viable enforceable standards and full time enforcement capabilities.

11.3.36.2  (08-08-2008)
Legal Requirements

  1. In accordance with legal requirements of Internal Revenue Code (IRC) §6103 and written agreements, the IRS discloses FTI data to various Federal, state, and local agencies, as well as contractors.

  2. IRC §6103(p)(4) requires that agencies receiving tax returns and return information provide adequate safeguards to protect the confidentiality of the tax returns and return information to the satisfaction of the Secretary (of Treasury).

  3. IRC §6103(p)(4)(E) requires the following recipients of Federal tax returns or return information to report to the Secretary their safeguard procedures for protecting those returns and return information:

    1. Federal agencies that receive information for certain purposes

    2. The Government Accountability Office (GAO)

    3. State tax agencies, bodies, or commissions

    4. State and local child support enforcement agencies

    5. State public assistance and law enforcement agencies

    6. Agents and contractors of child support enforcement agencies, Federal lending agencies (including lenders, agencies and educational institutions) and their agents (reports are to be submitted through the contracting agencies)

      Note:

      This pertains to any agency, lender, and institution disclosing mailing addresses received pursuant to IRC §6103(l)(6)(A), (l)(12)(B), (m)(2), (m)(4), (m)(6), or (m)(7) to its agent(s) and contractor(s).

  4. The provisions of 26 CFR 301.6103(n)-1(d) authorize the IRS to determine the compliance with any safeguards imposed on all contractors, whether agency or IRS contractors.

  5. IRC §6103(p)(8) requires that states provide safeguards to protect the confidentiality of paper copy and electronic media copy of the Federal return (or portion thereof) that is attached to or reflected on any State tax returns as may be required of taxpayers by the state.

    Note:

    When preparing for a safeguard review that includes IRC §6103(p)(8) data, refer to IRM 11.3.32.14.1, Disclosure to States and Local Governments, which "...authorizes the IRS to require the State agencies maintain adequate safeguard procedures for the returns and return information they receive pursuant to IRC §6103(d)."

  6. IRC §6103(p)(5) requires the Commissioner to furnish annual reports to the House Committee on Ways and Means, the Senate Committee on Finance, and the Joint Committee on Taxation. The reports describe procedures and safeguards established by the various agencies and their respective contractors who receive FTI, as well as indicating deficiencies on the part of the agencies and their contractors.

  7. IRC §7213 provides criminal penalties for unauthorized disclosures of FTI.

  8. IRC §7213A provides criminal penalties for unauthorized inspection of any return or return information by officers and employees of the United States, officers and employees of persons described in IRC §6103(n), state and other employees.

  9. IRC §7431 provides civil remedies for violations of the disclosure and inspection statutes.

  10. A complete listing of the applicable security laws, regulations, and other guidance is contained in Exhibits 2.1.10–1 and 2.1.10–2 of IRM 2.1.10, Automated Information Systems Security.

11.3.36.3  (08-08-2008)
Awareness

  1. When an agency or their contractor receives, or expresses an interest in receiving, FTI which requires safeguarding, IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, will be sent to the agency or their contractor to advise them of the IRS safeguards requirements. The IRS will provide assistance to the agency and their contractor to resolve any questions.

  2. Agencies should stress to their employees and contractors the importance of safeguarding FTI through the use of training material such as IRS videos, prior to the contractor's initial receipt of FTI. Whenever possible, IRS Communications, Liaison and Disclosure (CLD) personnel shall assist agencies to develop and present disclosure and safeguards training.

11.3.36.4  (08-08-2008)
Implementing Requirements

  1. Federal, State and local agencies listed in IRM 11.3.36.2(3) and (4) must submit the following to the Office of Safeguards:

    1. Safeguard Procedures Reports (SPRs) and

    2. Annual Safeguard Activity Reports (SARs)

  2. These reports are described in detail in IRMs 11.3.36.6 and 11.3.36.7.

  3. The IRS reviews reports received from agencies and contractors to determine the adequacy of agency safeguards.

  4. If an agency or contractor fails to submit the required report or to provide sufficient information to allow the IRS to determine the adequacy of its safeguards, the IRS reviewer may propose withholding FTI from that agency. See IRM 11.3.36.8.1, which provides additional guidance.

  5. On-site Safeguard reviews of agencies and their contractors are undertaken when the criteria in IRM 11.3.36.10 are met.

11.3.36.5  (08-08-2008)
Responsibilities

  1. The Office of Safeguards within Communications, Liaison and Disclosure (CLD), Small Business/Self-Employed (SB/SE) has oversight responsibility for the safeguards program. The Office of Safeguards also has specific program responsibility as listed in Exhibit 11.3.36–1.

  2. The Office of Safeguards has responsibility for the safeguard review program for state tax agencies, and their contractors.

11.3.36.5.1  (08-08-2008)
Agency Reports

  1. Agencies and their contractors that receive FTI are subject to the safeguards of IRC §6103(p)(4) and therefore the agency and their contractors must file a Safeguard Procedures Report (SPR) with the IRS prior to the receipt of FTI. This enables the IRS to review the agency's and its authorized contractors' procedures to protect FTI from unauthorized inspection or disclosure before the information is released. Agencies must submit a revised Safeguard Procedures Report whenever significant changes occur in their safeguard program or at least every six (6) years; this should take into consideration changes made by agency contractors. See the subsection on "Submission of Safeguard Procedures Reports."

  2. Annually thereafter, agencies submit a Safeguard Activity Report (SAR) to certify that they are continuing to appropriately protect return information.

  3. It is important that these reports are complete and remain current. In order for agencies and contractors to submit acceptable reports, recipients of FTI must be aware of the IRS reporting requirements. The requirements are outlined below and are included in IRS Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies and Entities.

  4. Agencies should impose similar requirements on their contractors, who submit their SPRs and SARs to the agency for routing to the Office of Safeguards.

  5. Agency reports will be evaluated upon receipt. If the reports are complete and no significant questions arise, the evaluation will conclude within 30 calendar days for the SPR and for the SAR, with written notification to the agency (and to the contractor, via the agency).

    Note:

    SPRs must be accepted prior to initial release of FTI to agencies.

  6. The Office of Safeguards assumes a proactive approach to assure that agencies submit complete and comprehensive SPRs. To the extent necessary and possible, agency hands-on guidance/assistance is provided so that the agencies and their contractors will be aware of what is considered FTI, its level of importance, and when an updated report is required.

11.3.36.6  (08-08-2008)
Safeguard Procedures Report

  1. IRC §6103(p)(4)(E) requires agencies and contractors receiving FTI to file a report that describes the procedures established and utilized by the agency or the contractor for ensuring the confidentiality of FTI. The Safeguard Procedures Report is a record of how the agency or the contractor uses the information, and how it is protected from unauthorized inspection or disclosure by that agency or contractor.

  2. A Safeguard Procedures Report is considered the agency's procedural guide and must contain sufficient detail on the use and protection of the FTI.

11.3.36.6.1  (08-08-2008)
Safeguard Procedures Report Preparation Guidelines

  1. Agencies are required to develop safeguard procedures for all tax data they receive and all uses of that data by the agency or the authorized contractor. Agencies and contractors receiving FTI under a single section of the Code may have several separate or independent uses of the data within the agency, involving several functional units.

  2. Disclosures Under Multiple Code Sections (Federal Agencies) - Some Federal agencies receive FTI from the IRS under the authority of more than one section of the Internal Revenue Code. In these cases, the agency must distinguish between the IRC sections, and provide safeguard procedures for each program or use. The agency may either file separate Safeguard Procedures Reports or consolidate the separate procedures for the various programs or uses into a single SPR.

  3. Federal, state, and local agencies requesting Form 8300, Reports of Cash Payments Over $10,000 Used in a Trade or Business, information (available pursuant to IRC §6103(l)(15)) must file a separate SPR for this program. All agencies requesting data under IRC §6103(l)(15) are referred to the Office of Safeguards.

    Note:

    Where IRS/CI and the U.S. Attorney's Office are among the participants of a multi-agency task force, and there is an investigative need to obtain Form 8300 information, the Assistant U.S. Attorney (AUSA) assigned to the task force is the requestor of information. Safeguards FTI responsibility and authority will therefore be centralized with the AUSA's office.

11.3.36.6.2  (08-08-2008)
Safeguard Procedures Report Content

  1. The SPR will be submitted using the approved SPR template available from the Office of Safeguards. The template includes sections for specific required content.

  2. Responsible Officer(s):

    1. The name, title, address and telephone number of the agency official authorized to request the tax information from the IRS

    2. The name, title, address and telephone number of the agency official responsible for the implementation of the safeguard procedures.

  3. Location of the Data - Include an organization chart or narrative description of the receiving agency organization, which includes all functions where tax data must be processed or maintained. If the information is to be used or processed by more than one function, then the pertinent information must be included for each function.

  4. Flow of the Data - The report must contain a flow chart or narrative description of:

    1. The agency flow of the FTI data from its receipt through its return to the IRS or its final destruction

    2. How FTI is to be used or processed

    3. How FTI is tracked and protected as it passes through the organizational levels within the agency

    Note:

    Indicate how FTI is commingled with or transcribed into non-tax data that is being used and kept by the agency. If there are multiple uses (programs) or multiple organizations within the agency that use FTI data, depict this flow of data through multiple flow charts or narratives that describe all of the organizational uses (programs) of FTI.

  5. System of Records - A description of the permanent record(s) used to document requests for, receipt of, dissemination of (if applicable), and final disposition (return to the IRS or destruction) of the FTI (including all electronic media). Agencies and their contractors are expected to be able to provide an "audit trail" for all information requested and received; the trail is to also include copies or distribution beyond the original document/media.

  6. Secure Storage of the Data - The agency will provide a description of the security measures employed to provide secure storage for the FTI when it is not in current use. Secure storage encompasses such diverse considerations as locked files or containers, secured facilities, key or combination control, off-site data warehousing/storage, and restricted areas. It is requested that Federal agencies submit a Vulnerability Assessment that is to be completed based on General Services Administration (GSA) standards for their building(s) as it pertains to addressing physical security.

  7. Restricting Access to the Data - A description of the procedures or safeguards to ensure access to FTI is limited to those individuals who are authorized access and have a need to know. Describe how the information will be protected from unauthorized access when in use by the authorized recipient. The physical barriers to unauthorized access should be described (including the security features where FTI is used or processed) and systemic or procedural barriers.

  8. Disposal - A description of the method(s) of disposal of the different types of FTI provided by the IRS and/or produced by the agency and contractor (e.g., print-outs, back-up tapes and the like), if not returned to the IRS. The IRS will request a written agency report that documents the method of destruction by which records were destroyed (see paragraph (5), System of Records, above).

  9. Information Technology (IT) Security - A description of all automated information systems and networks that receive, process, store, or transmit FTI. These systems must have safeguard measures in place to restrict access to sensitive data (see Publication 1075, Section 5.6). These safeguards should address all key components of IT security. They should:

    • Describe the systemic controls employed to ensure all IRS data is safeguarded from unauthorized access or disclosure

    • Include the procedures to be employed to ensure secure storage of the disks and the data, limit access to the disk(s), or computer screens, and the destruction of the data

    • Have additional comments regarding the safeguards employed to ensure the protection of the computer

    • Describe in detail the security precautions undertaken if the agency’s computer systems are connected or planned to be connected to other systems

    • The Safeguard Procedures Report must include procedures for ensuring that all data is safeguarded from unauthorized access or disclosure

  10. Disclosure Awareness Program - Each agency and contractor who receives returns and return information must have an awareness program wherein all employees having access to FTI certify annually to the training received and to their receipt of the confidentiality provisions of the Internal Revenue Code, as well as the civil and criminal sanctions for unauthorized inspection or disclosure of FTI. A description of the formal program should be included in the Safeguard Procedures Report.

11.3.36.6.3  (08-08-2008)
Submission of Safeguard Procedures Reports

  1. The initial Safeguard Procedures Report should be submitted to the IRS at least 45 days prior to the scheduled or requested initial receipt of FTI.

  2. IRC §6103(p)(4)(E) requires agencies receiving FTI to file a report that describes the procedures established and used by the agency for ensuring the confidentiality of the information received from the IRS. The Safeguard Procedures Report (SPR) is a record of how FTI is processed by the agency; it states how it is protected from unauthorized disclosure by that agency. Annually thereafter, the agency shall file a Safeguard Activity Report (SAR). This report advises the IRS of minor changes to the procedures or safeguards described in the SPR. It also advises the IRS of future actions that will affect the agency's safeguard procedures, summarizes the agency's current efforts to ensure the confidentiality of FTI, and finally, certifies that the agency is protecting FTI pursuant to IRC §6103(p)(4) and the agency's own security requirements.

  3. Whenever legislative changes, new data exchange agreements, or Memoranda of Understanding (MOUs) authorize an agency to receive FTI for a new or different purpose, a new or revised Safeguard Procedures Report covering the additional program(s) must be submitted to the IRS.

    Note:

    Agencies must submit a new SPR whenever significant changes occur in their safeguard program or every six (6) years. Significant changes would include, but are not limited to, new computer equipment, facilities, or systems.

  4. Agencies shall submit their SAR on the template developed by the Office of Safeguards. The most current template may be requested by contacting SafeguardReports@irs.gov. The SAR should be accompanied by a dated letter on the agency’s letterhead signed by the head of the agency or delegate.

11.3.36.7  (08-08-2008)
Safeguard Activity Report

  1. Each agency and authorized agency contractor requesting or receiving FTI is required to file a Safeguard Procedures Report describing the procedures and safeguards utilized to ensure the confidentiality of the information.

  2. Annually thereafter, the agency and the authorized agency contractor must file a Safeguard Activity Report which serves to:

    1. Advise the IRS of minor modifications/changes to the procedures or safeguards described in the Safeguard Procedures Report

    2. Advise the IRS of future actions which will affect the agency’s safeguard procedures

    3. Summarize the agency’s current efforts to ensure the confidentiality of FTI

    4. Certify that the agency or the contractor is protecting tax return information in accordance with IRC §6103(p)(4)

11.3.36.7.1  (08-08-2008)
Content of Safeguard Activity Report

  1. Changes to information or procedures previously reported, e.g.:

    1. Responsible officers or employees

    2. Functional organizations using the data

    3. Computer facilities or equipment and system security changes or enhancements

    4. Physical security changes or enhancements

    5. Retention or disposal policy or methods

  2. Current annual safeguard activities shall include, at a minimum, the following items:

    1. Disclosure Awareness Program - Describe the efforts to inform all employees and contractors having access to FTI of the confidentiality requirements of the Internal Revenue Code, the agency’s security requirements, and of the sanctions imposed for unauthorized inspection or disclosure of FTI

    2. Functional organizations using the data

    3. Computer Facilities or Equipment and System Security - Changes or enhancements

    4. Physical Security - Changes or enhancements

  3. Agency Disclosure Awareness Program – The agency should describe the efforts to inform all employees having access to FTI of the confidentiality requirements of the IRC, the agency’s security requirements, and the sanctions imposed for unauthorized inspection or disclosure of return information.

  4. Reports of Internal Inspections – Copies of a representative sampling of the Inspection Reports and a narrative of the corrective actions taken (or planned) to correct any deficiencies should be included with the annual SAR.

  5. Disposal of FTI – The agency should report the disposal or the return of FTI to the IRS or source. The information should be adequate to identify the material destroyed and the date and manner of destruction, including copies of destruction logs.

    Note:

    Including taxpayer information in the disposal record is not necessary and should be avoided.

  6. Other information – The agency should provide other information to support the protection of FTI, in accordance with IRC §6103(p)(4) requirements.

  7. The agency should report all actions taken, or being initiated, regarding recommendations in the Final Safeguard Review Report issued because of the latest safeguard review.

  8. Planned Actions Affecting Safeguard Procedures - Any planned agency or contractor action which would create a major change to current agency procedures or safeguards will be reported. Such major changes would include, but are not limited to, new computer equipment, facilities or systems to perform programming, processing or administrative services requiring access to FTI.

  9. Agency Use of Contractors – Agencies must account for the use of all contractors, permitted by law or regulation, to do programming, processing or administrative services requiring access to FTI.

11.3.36.7.2  (08-08-2008)
Submission of Safeguard Activity Reports

  1. Agencies are to submit their reports to the Office of Safeguards electronically. Reports must be sent encrypted via IRS approved encryption techniques. The e-mail address for all reports is: SafeguardReports@irs.gov.

  2. Safeguards personnel need to evaluate SARs thoroughly and quickly. If a SAR is incomplete or unclear, the agency will be contacted and asked to provide the necessary additional information, as may be feasible. The aggregate reports (most current SPR and SARs) will clearly reflect the safeguard procedures in place at that time.

  3. Submission dates for the Safeguard Activity Reports

    • Federal agencies should submit their reports for the calendar year by January 31 of the following year

    • Law enforcement agencies receiving Form 8300 information, under IRC §6103(l)(15) should submit their reports for the processing year (May 1 through April 30) by June 30

    • Other state agencies (i.e., Departments of Labor, Departments of Transportation, etc.) receiving FTI under IRC §6103(d) and agencies receiving FTI under IRC §6104(c) with charitable organization oversight should submit their reports for the processing year (June 1 through May 31) by June 30

    • State tax agencies should submit their reports for the calendar year by January 31 of the following year

    • State welfare agencies and the DC Retirement Board should submit their reports for the processing year (September 1 through August 31) by September 30

    • State child support enforcement agencies should submit their reports for the processing year (March 31 through February 28) by March 31

    Note:

    Educational institutions receiving FTI under IRC §6103(m)(4)(B) should send reports to the oversight agency.

11.3.36.8  (08-08-2008)
Analysis of Records

  1. In order to make supportable recommendations, reviewers need to have a thorough understanding of applicable statutes, Treasury regulations, agency agreements and contracts, and the agency’s and their contractor's system of processing FTI.

  2. The familiarization process is accomplished through a review of all information available in the file, with emphasis on the following references and sources:

    1. Safeguard Procedures Report - The SPR should always be reviewed against the subsequent and prior Safeguard Activity Reports

    2. Publication 1075 - Tax Information Security Guidelines for Federal, State and Local Agencies and Entities

    3. Studies and audits - GAO and other studies conducted of an agency's general and data processing operation may give pertinent information

    4. Safeguard Review Reports - If previous reviews were conducted, the reports are examined for previous findings, recommendations, and follow-up actions

    5. Treasury Inspector General for Tax Administration (TIGTA) - TIGTA may have information about the agency that could have an impact on the sharing of FTI

    6. Safeguard Activity Reports - The SARs provide useful information regarding current Responsible Officer(s), the number of offices inspected, the latest calendar/tax years of tax data destroyed, and enhancements to computer systems

    7. Data Services Report - Review report to determine the type and volume of disclosures made to the agency and to the contractor. Review their Transcript Delivery System (TDS) report to determine what transcripts were requested and printed by state tax agencies

11.3.36.8.1  (08-08-2008)
Delinquent or Incomplete Reports or Reported Deficiencies

  1. Delinquent reports, reports with incomplete information, or reports which reveal safeguard deficiencies should initially be resolved through informal telephone contact between the reviewer and the agency, with regard to SPRs solicited by the Office of Safeguards.

    Reminder:

    Any requests for missing reports, material, or actions to correct deficiencies will be followed up in writing.

  2. If an agency or contractor has sent the required report but does not supply the missing information or take corrective action upon request, the reviewer may consider a limited on-site review in order to obtain the information or cause corrective action to be taken.

  3. If the agency fails to respond to a request or refuses to schedule an on-site limited review, then formal procedures to withhold FTI may be initiated under alternative actions (see IRM 11.3.36.14.3). Conducting a review is an option and not required.

  4. Reasonable attempts, including at least one written request, must be made to obtain a report or missing material, or to cause corrective action to be implemented. If an agency fails to respond by sending in an acceptable report or the requested material, or fails to take action to correct a deficiency, formal procedures to withhold FTI will be initiated (see IRM 11.3.36.14).

  5. If any agency or agency contractor fails to respond and is no longer receiving tax data, a written request will be made to have the agency or contractor destroy any residual data or transfer it back to the IRS.

  6. If a deficiency is minor, that is, it does not cause immediate unauthorized inspections or disclosures or create the potential for them, then the report may be held in abeyance or accepted with the deficiencies noted. The circumstances must be documented, including corrective actions to be taken and scheduled follow-ups by the reviewer.

    Example:

    An agency may not have adequate disclosure awareness training for its employees. The agency agrees, but it may take a couple of months to develop a program and complete initial training. The report may be accepted or held in abeyance if this condition is documented, including planned follow-up action.

11.3.36.8.2  (08-08-2008)
Documentation

  1. The steps taken in reviewing reports and/or soliciting additional information from the agency should be well documented. All notes, worksheets, communication contacts, memoranda, and other correspondence will be retained in the file to support decisions made as a result of the process.

11.3.36.8.3  (08-08-2008)
Response to Agency and Contractor

  1. If the evaluation of the reports and related materials does not indicate a need for an on-site review, then a letter should be sent to the agency acknowledging receipt and acceptance of the report. The letter will be signed by the appropriate supervisory level. The letter, however, should allow for the possibility of an on-site review, if subsequent information from other sources indicates a need for further investigation. It will be the responsibility of the agency to share the letter with their contractor(s), if information therein is applicable to the contractor(s).

    Note:

    Letters regarding reports of authorized agents and contractors of agencies should be sent to the attention of the agency head.

11.3.36.9  (08-08-2008)
Need and Use

  1. The IRS routinely discloses large amounts of FTI to state tax agencies, bodies and commissions for tax administration purposes under the statutory authority of IRC §6103(d)(1). (See IRM 1.3.32 for a discussion of Basic and Implementing Agreements.)

    Note:

    When referring to tax agencies throughout IRM 11.3.36.9, this also includes bodies and commissions.

  2. Whenever FTI is exchanged on a large scale, the probability of loss of confidentiality is increased. Limiting the quantity of FTI disclosures to the states to that which is genuinely needed and will be used for tax administration purposes, is a fundamental component of an effective disclosure program. Every effort will be made to eliminate disclosure of unnecessary information to state tax agencies.

  3. The objective of the need and use process is to reduce the likelihood of unauthorized disclosure or access; it is not meant to deny federal, state and local agencies information needed for tax and non-tax administration purposes.

  4. In recognition of the importance of the concept of limiting disclosures to the states, IRS Policy Statement P-1-35 states in part: "Tax information provided by the IRS to State tax authorities will be restricted to the authorities’ justified needs and uses of such information."

  5. Disclosures to state and local agencies under IRC §4102 and IRC §6103(k)(5) are subject to need and use considerations even though the safeguarding provisions of IRC §6103(p)(4) do not apply.

11.3.36.9.1  (08-08-2008)
Need and Use Determinations

  1. All federal, state and local agency requests for FTI are subject to a Need and Use Determination which is to be documented by the Disclosure Manager with oversight responsibilities for the agency. Disclosure owns the need and use determination responsibility while the Office of Safeguards owns the need and use verification.

  2. Need and Use Determinations are to be made at the time of request, prior to the actual disclosures, and should be a cooperative effort with the state tax agency to accurately determine the minimum amount of information required to accomplish the stated objective(s).

    Example:

    One of the available taxpayer transcripts may eliminate the need for a complete return.

  3. The "basic" agreement provides for the mutual exchange of tax data between specific State tax agencies (IRM 11.3.32.5(1)). The scope of the basic agreement and subsequent implementing agreement will initially be developed and negotiated through discussions between the Governmental Liaison and Disclosure (GLD) Area Manager and the head of the State tax agency (IRM 11.3.32.5(4)).

  4. Specific requests for return information may be related to a state agency project or to a joint project with the IRS, and there may be a separate Memorandum of Understanding covering the project. The Disclosure Manager should ensure that a documented Need and Use Determination is part of the request file.

  5. Although a Need and Use Determination for a specific request may have been completed and documented, the agency may subsequently desire to use the information for a different tax administration purpose. If the subsequent use of the data is for bona fide tax administration purposes, and not in contravention of the Code, applicable regulations, existing agency agreements, or Service policies, this would not usually be considered unauthorized use of the data as long as notification is given to the Office of Safeguards in the agency's annual SAR.

  6. Need and Use Determinations for state agencies requesting data for tax modeling or revenue estimate purposes will be completed in accordance with IRM 11.3.36.9.1 and Exhibit 11.3.32-6.

  7. The Office of Data Services, Governmental Liaison and Disclosure (GLD) will be responsible for maintaining complete and current documentation of the state tax agency’s need for and use of all FTI and data elements which are provided to the agency on a continuing basis pursuant to the implementing agreement.

  8. The Office of Governmental Liaison and Disclosure (GLD) has developed project guidelines for use when developing joint projects with the States. The Office of Safeguards will be consulted on projects regarding any statutory (e.g., Privacy Act or IRC §6103) considerations of the proposed disclosures or exchanges.

  9. Need and Use Determinations reflect the use of the tax data for tax administration purposes. The determination will not be contingent upon a cost-benefit analysis developed to make a business case for the project. However, projects that fall short of their initial objectives or expectations may indicate a need for a subsequent determination regarding the continuation of disclosures for the project.

11.3.36.9.2  (08-08-2008)
Need and Use Reviews

  1. A Need and Use Review is considered as the verification or confirmation of the Need and Use determination made prior to the release of the requested tax information to the state agency.

  2. An on-site Need and Use Review of each agency receiving FTI will be conducted as part of the Safeguard review.

  3. The on-site Need and Use Reviews are conducted in order to provide reasonable assurance that the state tax agency's actual need for and use of FTI:

    1. Coincides with the anticipated usage described in the initial determination(s) and

    2. Is consistent with statutes, regulations, existing agency agreements, and Service policies

  4. The scope of the review should be broad enough to provide the reviewer with sufficient information to document a conclusion as to the agency’s need for and use of FTI. The reviewer will not make any assumptions regarding the current status (or usefulness) of exchanges that have been routinely in effect for many years.

  5. Other key areas to be reviewed would include (but are not limited to):

    1. Routine exchanges

    2. Joint projects or other specific exchanges

    3. MOUs

    4. Extracts (shown on the latest Governmental Liaison Data Exchange Program Enrollment Agreement Form)

  6. Non-use of tax data does not necessarily constitute FTI misuse. However, the objective is to reduce or eliminate unnecessary disclosures of FTI. If the original Need and Use determination was valid, but the actual utilization has been postponed, the reviewer's responsibility is to evaluate whether there is a reasonable expectation that continued retention of the data will be of value to the state for tax administration within a reasonable and logical timeframe.

  7. Office of Safeguards - The results of the Need and Use Review will be included in the Safeguard Review Report in Section G. At a minimum, the report must:

    1. Describe the scope of the review, with a description of the exchanges selected for review and the reasons for the selection

    2. Contain a summary of the findings

    3. Contain specific recommendations as applicable

    4. Establish a mutually agreeable implementation of, or follow-up to, the recommendations

11.3.36.10  (08-08-2008)
On-site Safeguard Reviews

  1. Agencies receiving FTI for the first time may be reviewed within one year of initial receipt of FTI.

  2. Afterwards, safeguard reviews are conducted on an as-needed basis with a minimum requirement of once every three years. Evaluation of reports, as required by IRM 11.3.36.8, may determine whether more frequent reviews are necessary.

  3. The Office of Safeguards will develop the annual review plans to ensure that all agencies are reviewed at least once every three years.

  4. The contents of SPRs, SARs, and Governmental Liaison (GL) Data Services Reports are useful indicators of a need to conduct a review earlier than the regularly scheduled review. Often, however, a report does not present any irregularities or provide any indication as to the insufficiency of safeguards. In such cases, the reviewer needs to consider other factors. These factors include:

    1. Length of time since last on-site review

    2. Past history of problems

    3. Knowledge obtained during liaison visits

    4. Information reported from outside sources such as TIGTA and GAO

    5. Analysis of Congressional records and news items having impact on agencies and their contractors

    6. Significant changes in the nature or volume of disclosures to the agency

    7. New administration within the agency

    8. New location

    9. Major changes in the processing system

    10. Opening or relocation of a field office

  5. Policy Statement P-1-35 states "Tax information provided by the IRS to State tax authorities will be restricted to the authorities’ justified needs and uses of such information." An on-site Need and Use evaluation must be conducted as part of the Safeguard review.

11.3.36.10.1  (08-08-2008)
Planning the Review

  1. All safeguard reviews begin with an evaluation of agency and contractor procedures and activity reports.

  2. The objectives of the evaluation are to identify:

    1. The mission, objectives, and goals of the agency, body or commission and contractors as they relate to the use of FTI

    2. Key managerial and internal controls for the safeguarding of FTI

    3. High risk areas, procedural deficiencies, possible failure to account for FTI

    4. Indications that tax data is being used contrary to approved need and use

  3. The safeguard review team should develop an effective review plan, expending resources only to the extent necessary to ensure that FTI (tax returns and return information) is protected and used for a proper purpose.

  4. All safeguard review plans should address the adequacy of computer systems security.

  5. The length of time required for a safeguard review will vary considerably from agency to agency. Factors such as the size and complexity of the agency and of authorized agency contractors, geographic dispersion, the amount and type of FTI disclosed by the IRS, and prior safeguard review experience with the agency will influence the time expended on the review.

  6. All personnel participating in a review should have a good understanding of the agency’s systems and procedures for processing FTI, as well as a familiarity with the legal and procedural authorities under which tax data is disclosed to that agency or authorized agency contractor.

  7. A written review plan and/or review preparation checksheet should be prepared for each safeguard review to facilitate control of the review, to provide a permanent record of the review, and to effectively communicate the specific objectives of the review. If the written review plan is used instead of the review preparation checksheet, it should contain the following information:

    1. A brief description of the agency’s system of standardized records of disclosure and the controls established to restrict access to those with a "need to know." Included in this description should be the type and volume of FTI received; an analysis of previous SAR, SPR and SRR, including any corrective actions which remain outstanding; and any known initiatives underway

    2. The scope and purpose of the review

    3. A list of records to be reviewed (e.g., training manuals, flow charts, awareness program documentation and organizational charts relating to the processing of FTI)

    4. A list of the specific areas to be reviewed as well as agency personnel to be interviewed

    5. A description of tests, spot checks or sampling techniques to be applied. These descriptions serve as guides for planning and conducting the review and they may be modified by reviewers as required during the on-site review

    6. Information regarding special areas of interest which should be known by team members, such as critical agency and contractor operations, special techniques to be used, coordination between team members, and documentation required for specific deficiencies

    7. An administrative subsection containing estimated travel expenses, the identification of any items of equipment that may be required for completion of the review and on-site logistical information

  8. Contact the agency to establish dates, locations and a tentative review schedule. If reviewing an agency's contractor, initial contact should be made with the agency.

    Note:

    Where the Office of Safeguards has disapproved the use of contractors by an agency, on-site reviews of those contractors will not be conducted. Work papers will be fully documented to substantiate the disapproval decision, the reasons for the decision, and the status of the agency's efforts to remove all FTI from the contractor’s possession.

  9. A letter to the agency confirming the intent to conduct an on-site Safeguard Review will be written over the signatory element of the Director, Office of Safeguards, and signed by the reviewer and will include:

    1. Agency, contact name and title, if applicable

    2. Review participants

    3. Scope and purpose

    4. Agenda and dates at each location/site (opening conference no earlier than 60 days from date of letter)

    5. Specific areas of review

  10. The Preliminary Security Evaluation (PSE) conference call will be conducted with agency personnel, especially the agency computer security officer. The PSE conference will focus on:

    1. Number and type of computer platforms operational within the agency

    2. Data requests for controls, requirements and verification of evidence

11.3.36.10.2  (08-08-2008)
Opening Conference

  1. Upon arrival at the Agency, an opening conference will be held in advance of the review.

  2. In the case of large agencies, separate conferences may be held with officials of separate divisions or bureaus. Arrangements for such a conference will be made by the Disclosure Enforcement Specialist (DES) with the stated agency contact.

  3. The purpose of the opening conference is to acquaint agency officials with plans for the on-site review and to make any adjustments to the necessary arrangements and accommodations for this review. Specific areas to be reviewed, as well as a generalized statement of review methods, can also be identified within the reviewer's opening comments. Interview schedules with agency personnel identified in the plan should be set up at this time.

11.3.36.10.3  (08-08-2008)
Review Techniques

  1. Interviews - During the on-site review, agency employees and contractors may be interviewed. Interviews are valuable in that they provide information based on personal experience. This information can help determine the extent of disclosure, safeguards and security awareness, as well as awareness of the penalty provisions of IRC §7213, IRC §7213A, and IRC §7431. Additionally, interviews can provide answers to questions regarding operations and procedures. Interviews do not have to be restricted to employees; they may also be conducted with third parties (e.g., custodians, security guards, other tenants) to gather information on the measures used to restrict access to areas housing tax data.

  2. Observation - Observing actual agency on-site operations is a required step in the review process. Reviewers must tour the areas or departments which handle or store FTI, including the data processing center, regardless of whether it is agency-operated, a shared facility or a contractor facility. The reviewer should note actual written policy and procedures, actual operational execution of these policies and procedures, as well as work flow. The inspection should also provide information about the following security measures:

    1. Perimeter security

    2. Containerization

    3. Keys and combination controls

    4. Intrusion alarms

    5. Fire detection and annunciation equipment

    6. Physical access controls

    7. Storage and handling

    8. Emergency procedures, including data breaches and incident management

    9. Destruction and disposal

    10. Computer system security (including alternate work sites)

  3. Review Guide - See Exhibit 11.3.36-1, which contains a security outline that can be used as a tool in evaluating reports and planning safeguard reviews. This exhibit is not all inclusive and is used only as a guide to be modified or expanded to meet the requirements of a specific review. Not all questions and topics may pertain to a given review and conversely, additional questions and review topics may arise as a result of information gathered during the evaluation.

  4. Test Checks - These consist of spot checks of agency files and the examination of IRS records of FTI. The number of files checked should be large enough to constitute a statistically significant sample of the total number of similar records maintained by the agency.

11.3.36.10.4  (08-08-2008)
Team Coordination

  1. Communication between team members, as the review is progressing, is vital and beneficial, as it can surface problems and provide information that may alter or expedite the review plan.

    Note:

    The preliminary safeguard review report findings and recommendations should be discussed at the closing conference. This allows the agency the opportunity to better understand what the reviewer/team has found and provide additional information, should the agency see the need to do so.

  2. Deficiencies which pose immediate threats to the confidentiality of FTI in the agency’s or the contractor's possession must be brought to the attention of the Director, Office of Safeguards, via a briefing e-mail from the DES immediately upon returning to the office after the on-site review. The preliminary safeguard review report findings and recommendations will also be provided to the Director, Office of Safeguards, via fax or e-mail from the DES immediately upon returning from the review.

11.3.36.10.5  (08-08-2008)
Safeguard Review Work Papers

  1. Work papers provide the evidence to support the conclusions and recommendations contained in the Safeguard Review Report. Safeguard review team members will accumulate work papers during the planning and execution stages of the review. Work papers serve as the connecting link between the on-site review and the final report and should support the conclusions in the final report.

  2. Work papers will consist of memoranda of contact, complete safeguard evaluation matrixes, copies of correspondence, reports, charts and material obtained from the agency or the contractor. The work papers should be limited to matters specifically related to objectives contained in the safeguard review plan and should fully identify the sources of all information. Work papers must be complete in their coverage of all objectives of the safeguard review plan.

11.3.36.10.6  (08-08-2008)
Limited Reviews

  1. Often an agency may request an on-site visit to evaluate specific items. Such visits do not constitute a Safeguard Review. The safeguard evaluation may point to one or two items where clarification could best be obtained through on-site observation.

  2. An ad hoc review may not require a team approach. Modifications in the procedures can be made in the planning and review process. A report of findings may or may not be issued.

11.3.36.11  (08-08-2008)
Safeguard Review Reports

  1. The Safeguard Review Report serves as a record of the IRS’s evaluation of an agency’s compliance with the safeguard requirements for the protection of tax returns or return information as prescribed in IRC §6103(p)(4).

  2. The requirements in the Internal Revenue Code have been augmented by other Treasury Department or Internal Revenue Service requirements, as well as National Institute of Standards & Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls; these requirements must be addressed as well.

    Example:

    NIST SP 800-53 mandates that all automated information systems and networks which process, store, or transmit sensitive but unclassified (SBU) information are to meet the requirements for Management Security Controls, Operational Security Controls and Technical Security Controls.

  3. Treasury’s and NIST SP 800-53 requirements have been incorporated as IRS requirements, and have been included in IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities as requirements for recipient agencies.

  4. It is important that a Safeguard Review Report addresses all of the specified requirements and clarifies what actions, if any, need to be taken by the agency and/or the authorized contractor to achieve compliance with the requirements.

  5. The report should be a complete "stand-alone" document which provides a description of all findings and recommended actions.

  6. The "final report" will contain the agency’s and/or the authorized contractor's response to Internal Revenue Service (IRS) recommendations, and any IRS comments regarding the agency’s and/or the authorized contractor's response or proposed corrective actions.

  7. Any agreement as to actions to be taken or implementation dates must be included in the final report, but may be repeated in the transmittal letter for added emphasis.

  8. Any letter or memorandum transmitting the report to the agency and the contractor should be just that, a transmittal document. Although the letter may reiterate or summarize some of the key issues contained in the report, the transmittal document should not contain findings and recommendations which are not described in the report.

  9. All safeguard reviews must address the adequacy of computer security. The report must contain an evaluation of the agency’s and contractor's compliance with the computer security requirements contained in the current IRS Publication 1075 (as revised).

  10. All Safeguard Review Reports will include documentation to reflect discussions with the agency and/or their contractors regarding their procedures to prevent and detect unauthorized access to or inspection of FTI.

  11. The report should contain positive as well as negative findings (deficiencies) and the reviewer’s recommendation(s) for correcting the deficiencies. The reader should not be required to consult additional sources in order to understand the requirements, the deficiencies, and the desired actions or outcome.

  12. Timeliness of Reports - Safeguard Review Reports should be provided to the agency and/or to the contractor promptly after the conclusion of the on-site portion of the review to convey our commitment to ensuring the confidentiality of the FTI and return information. The interim Safeguard Review Reports should be issued 45 days after the closing conference.

    Note:

    A review is completed when the final Safeguard Review Report is issued.

  13. Safeguard Review Reports are to be issued to the Agency to share with its contractors. The agency will obtain a written response from its agent and/or contractor and forward the response to the originator of the Safeguard Review Report within 30 calendar days.

11.3.36.11.1  (08-08-2008)
Safeguard Review Report Format

  1. In order to promote uniformity in the format of Safeguard Review Reports and to ensure that all reviews and reports address the key areas of the IRS's safeguards requirements, all Safeguard Review Reports will be prepared according to this standard format.

  2. Title Page or Cover Sheet - Each report will have a cover sheet, which identifies:

    1. The Agency Reviewed

    2. Date of Report

    3. Whether the report is an interim or final report

    Note:

    Document 6630, Safeguard Review Report cover, or a locally designed equivalent may be used.

11.3.36.11.2  (08-08-2008)
Safeguard Review Report Content

  1. INTRODUCTION - Briefly outline the statutory provisions, in general, which permit the disclosure of returns or return information, and the intended purpose or benefit(s) of the disclosures. Any limitations or restrictions imposed by the IRC or regulation can be included in the introduction portion of the report, especially if it is germane to a finding or recommendation elsewhere in the report.

  2. BACKGROUND - This section, which is agency and contractor specific, should contain the name of the agency reviewed and, if applicable, the specific organization(s) or function(s) within that agency. If several separate programs are being reviewed, the background section should give a brief description of each program.

  3. SCOPE AND OBJECTIVES OF THE REVIEW - This section contains descriptive reviewer information regarding the conduct of the review. This section of the report should give the reader a sense of how the review was conducted and what programs and procedures were included or excluded from the review. In addition, the scope and objectives section should also indicate:

    1. The names and location of the different sites visited

    2. Names and titles of the primary agency and/or contractor contacts and

    3. Names and titles (or functional areas) of participating reviewers

  4. SUMMARY - The reviewer may find it useful to include a summary of the major findings and recommendations made elsewhere in the report. Use of a summary may be employed for added emphasis if the findings are of such importance that a recommendation for discontinuance of disclosures is likely unless the problem is resolved to the IRS’s satisfaction. If the report is lengthy and there are many recommendations of a relatively minor nature, the reviewer may want to use a summary section to highlight a few of the more important issues to be addressed.

  5. FINDINGS AND RECOMMENDATIONS - All safeguard review reports will address each requirement enumerated in IRC §6103(p)(4), and other requirements determined to be necessary to ensure the confidentiality of FTI and return information. To ensure that all the requirements of the IRC, Publication 1075, and the IRM have been addressed, each subsection of this section will contain a statement of the requirement, followed by a description and discussion of the findings and recommendations for each item under this subsection. The final Safeguard Review Report will contain the agency’s response to each recommendation as well as IRS comments pertaining to their response or proposed action.

11.3.36.11.3  (08-08-2008)
Interim Report

  1. An "interim" Safeguard Review Report implies that another report will follow. The interim report to the agency is a report of our evaluation of the safeguards provided for the FTI. The Safeguard Review Report contains our findings and, if applicable, our recommendations for corrective action.

  2. The interim report allows the agency an opportunity to respond to our findings and recommendations. An interim report also allows the agency an opportunity to evaluate our recommendation(s) prior to acceptance and implementation, or to propose different (but equally effective) corrective actions.

  3. The interim report must be accompanied by a transmittal letter to the agency that has been signed by the Director, Office of Safeguards.

11.3.36.11.4  (08-08-2008)
Final Report

  1. The final report is generally a duplicate of the interim report with two additions:

    1. Agency or contractor responses to recommendations

    2. The IRS’s position after consideration of the agency’s response

  2. The agency’s comments/response should be included in the report followed by an indication as to whether the response is acceptable or whether further action is still required.

  3. The length of the report or the complexity of the remaining or unresolved issues should determine the need for a separate summary section in the final report.

  4. The reviewer should use the standard format for presenting the agency response whereby each recommendation is followed by the agency’s response, which is then followed by IRS comments (usually a comment as to the acceptability of the agency’s or contractor’s proposal) about their response.

  5. A final report may be issued without a prior interim report if:

    1. The review concludes with no adverse findings

    2. The findings are of a minor nature and the agency agreed to make the necessary changes to ensure compliance

  6. If a final report is issued without a prior interim report, both the report itself and the transmittal letter should contain an explanation as to why the report is a final, and that the agency has agreed to implement any necessary corrective actions.

  7. The final report should contain time-frames or schedules for the implementation of IRS's recommended changes. If warranted, follow-up should be included in the final report. Follow-up should occur for any deficiency which has not been corrected by the time the final report is issued. The reviewer should specify the schedule and methodology for follow-up to our recommended changes.

    Note:

    Subsequent reviews may be conducted to follow up on specific report recommendations, or the agency may be asked to provide pertinent documentation of completed actions.

  8. The agency will report actions taken on safeguard review recommendations in their annual Safeguard Activity Report for deficiencies that were still outstanding in the final report.

  9. A final Safeguard Review Report is issued even if there is not complete agreement or "closure" with the agency on all of the findings and/or recommendations. It is expected that the IRS and the agency will continue in a cooperative effort to ensure that the FTI is adequately protected from unauthorized access or disclosure. If, after repeated attempts to secure the agency’s response, no response to the interim Safeguard Review Report is received, the interim report should be issued as the final and an explanation included in both the report and the transmittal letter.

  10. If it becomes necessary to consider cessation of disclosures to the agency, see IRM 11.3.36.14.

  11. The final report must include a transmittal letter signed by the Director, Office of Safeguards and issued within 30 calendar days after receipt of the agency's response to the interim report.

11.3.36.12  (05-06-2003)
Management Information Reports

  1. In order to assist in monitoring and assessing the success of the Safeguard Review Program, and to provide input for reports to Congress (see IRM 11.3.36.13), the Disclosure Enforcement Specialists (DES) will submit statistical reports to the Director, Office of Safeguards, as may be required, for tracking purposes. In addition, all DES actions will be reflected in the Electronic Disclosure Information Management System (EDIMS) history.

  2. Accurate program tracking requires that all data maintained reflect all agencies subject to safeguards, and accurate recording of reviews scheduled, in process, and completed.

    Reminder:

    This data will be cross-checked with the data reflected in the EDIMS database.

  3. Safeguard Procedures Report and Safeguard Activity Report submission and acceptance, and Need-and-Use Reviews are also tracked in an effort to ensure agency and contractor compliance with program requirements.

  4. Occasionally, empirical reports are requested in conjunction with narrative reports describing program accomplishments and shortcomings to establish program goals or guidance for subsequent program emphasis.

11.3.36.13  (08-08-2008)
Report to Congress

  1. An annual report to Congress regarding the procedures and safeguards of recipients listed in IRM 11.3.36.2(3) is prepared by the Office of Safeguards.

  2. The responsible analyst/specialist, in the Office of Safeguards, will submit the report on or before March 31st to the Director, Office of Safeguards. The report is channeled through appropriate management levels for the Commissioner's signature.

  3. The report will be based on information entered into the EDIMS database and other safeguards activity throughout the calendar year, e.g., workshops such as FTA, speaking engagements at external agencies, serving on IRS implementation teams for new legislation, review/commenting on agreements (e.g., CMAs, IAGs, MOUs), etc. All information for safeguard reviews is to be entered by December 31. The information on safeguard review findings is based on the final Safeguard Review Reports.

11.3.36.14  (12-31-2001)
Enforcement

  1. IRC §6103(p)(4) provides that IRS may take such actions as are necessary to ensure that the safeguard requirements are being met. Such actions may include refusing to disclose returns or return information until it is determined that the requirements have been or will be met.

11.3.36.14.1  (05-06-2003)
Reviewer’s Actions

  1. In all cases where serious deficiencies are found or where required reports are not submitted, the responsible reviewer will attempt to obtain voluntary compliance through discussion and negotiation.

  2. When an impasse occurs, involving recipients subject to IRC §6103(p)(4), the matter should be elevated to the appropriate SB/SE management level. The reviewer will provide the officials with all facts which are cause for concern and a recommendation as to what action should be taken if the situation is not corrected.

11.3.36.14.2  (05-06-2003)
Director’s Actions

  1. If the appropriate management is unable to break the impasse, the recipient agency will be notified in writing of the IRS’s preliminary determination and intention to recommend discontinuance of disclosures.

  2. Such notices will allow 30 calendar days for response. Notices will indicate:

    1. That a report is being submitted to the Office of Governmental Liaison and Disclosure detailing the uncorrected deficiencies and the agency's reasons, if any, for noncompliance;

    2. That the Director, Governmental Liaison and Disclosure will take appropriate action.

    Reminder:

    The notification should include the appeal and administrative review procedures provided for in 26 CFR 301.6103(p)(7)-1.

  3. At this time, a written report should be prepared and submitted by the Director, Office of Safeguards to the Director, Governmental Liaison and Disclosure.

  4. If it is determined that Federal tax administration would be impaired because of a safeguards deficiency, a duly delegated IRS official (see Delegation Order 11-2) may immediately suspend disclosures to the agency pursuant to IRC §6103(p)(4) and Treasury Regulation 301.6103(p)(7)-1. This would be the case where unauthorized accesses/disclosures would be made absent the suspension. See IRM 11.3.32.14.

  5. If the 30 day time frame expires without the agency taking satisfactory action, a letter will be drafted to the head of the agency from the Delegation Order 11-2 official notifying the agency that disclosures are being discontinued until such time as the deficiency is corrected. Copies of the letter should be sent to the Director, Office of Safeguards and to the Director, Office of Governmental Liaison and Disclosure. Documentation detailing the uncorrected deficiencies and the agency's reasons, if any, for noncompliance will be organized and maintained.

    Note:

    There must be appropriate coordination with the Deputy Commissioner's and/or Commissioner's offices from this point forward.

  6. Actions by the Director, Office of Governmental Liaison and Disclosure, will be similar to those stated in section 5 above. If the Director is unable to break the impasse, the agency head will be notified in writing of the IRS’s preliminary determination and the Director's intention to recommend discontinuance of disclosure. The notice will allow 30 calendar days for response.

  7. If the 30-day time frame expires without the agency taking satisfactory action, two copies of the proposed letter to discontinue disclosures will be drafted to the head of the agency, from the Director, Office of Governmental Liaison and Disclosure, notifying the agency that disclosures are being discontinued until such time as the deficiency is corrected. Following the Director's signature, one signed copy will be retained in the Headquarters Office, and the other will be forwarded to the Director, Office of Safeguards and to the Director, Governmental Liaison and Disclosure.

11.3.36.14.3  (08-08-2008)
Alternative Actions

  1. The discontinuance of disclosures may take several forms. The appropriate form is dependent upon all of the facts in the case.

  2. All disclosures to an agency may be suspended or permanently cut off in situations where the deficiency pervades the entire agency or where the agency refuses to submit the required reports.

  3. Suspensions or cutoffs of selected information may be used in cases where the deficiency can be isolated in a certain segment of the agency.

    Example:

    If the deficiency relates to computer processing, electronic disclosures may be suspended while disclosures of paper documents continue.

Exhibit 11.3.36-1  (08-08-2008)
Safeguard Evaluation Guide

DISCLOSURE AND SECURITY - The following outline can be used as a tool in evaluating reports and planning safeguard reviews. Not all questions and topics pertain to a given report or review. Conversely, additional questions and topics may arise as a result of information gathered during an evaluation or review. Publication 1075 should always be used as the definitive authority on conducting a safeguard review.
             
I. IRC 6103    
    A. Need and Use (State tax agencies)
      1. Is data used as agreed upon?
      2. Amount of revenues generated by tax data?
      3. Should new areas of information-sharing be explored?
    B. Permanent System of Standardized Records
      1. What kind of system is used?
      2. How are requests for tax information recorded?
      3. Date and reasons stated?
      4. How are disclosures identified? By name, SSN?
    C. Segregation of Records
      1. How is Federal tax data filed?
      2. Can data be retrieved by individual name?
      3. What identifying information is used for retrieval?
      4. Is tax data kept separate or commingled with other records?
      5. Is commingled tax data identifiable? Can Federal tax data within agency records be located and segregated?
    D. Access
      1. How is access limited to authorized employees?
      2. Who designates authorized employees?
      3. Do authorized employees have a need-to-know?
      4. Are employees with "substantial access" (other than purely clerical) identified?
      5. Are work assignments involving Federal tax data controlled?
      6. Do contractors have access to data?
      7. Review of third party inquiries - any evidence of unauthorized or involuntary disclosure?
      8. Are there written procedures to restrict access to data by state or GAO auditors?
      9. Are procedures in effect for disclosures to other agencies? If fraud is involved, does another agency have access? (Note: contractors and other agencies authorized access to FTI must also meet federal safeguards requirements.)
             
II. Security Awareness    
    A. Employee Awareness
      1. Have written instructions been issued to employees concerning the handling, controlling and securing of FTI?
      2. Have employees received formal or informal training?
      3. Are employees aware of the disclosure and penalty provisions of the law?
      4. Are employees aware of emergency procedures, particularly those regarding the securing of tax information?
      5. Are employees advised annually of the provisions of IRC §7213, IRC §7213A and IRC §7431?
      6. Have the requirements for unauthorized access (UNAX) detection and training been met per the Taxpayer Browsing Protection Act?
      7. Are the initial certification and annual recertification documented and placed in agency and/or contractor files?
    B. Agency Awareness
      1. How often are inspections conducted?
      2. Who conducts the inspections?
      3. Are field offices inspected?
      4. Who acts on the reports?
      5. Have problems been resolved?
      6. Does the agency maintain internal inspection files? (Determine the quality of inspections)
        Review tips:
        1) Sample inspection sheets (5-10) for the sites inspected.
        2) Sampling needs to include the sites within the scope of your current safeguard review.
        3) Compare your findings for the sites reviewed to the agency's internal inspection sheets.
             
PHYSICAL SECURITY (for FTI) - The following outline can be used as a tool to assess physical security measures specifically used to safeguard tax information.
             
I. Access Controls    
    A. Sensitive/Restricted Areas
      1. What physical barriers are used to restrict access?
      2. How are restricted or limited areas marked?
      3. How is the area controlled?
        a. Is the desk of supervisor or other responsible employee located at the entrance?
        b. Are areas cleaned during duty hours or after hours in the presence of regularly assigned employees of the guard/service?
        c. Are areas locked by adequate security devices after office hours?
        d. Are locks keyed off-master?
        e. Do wall partitions rise above any false ceiling to the actual ceiling (slab to slab)?
    B. Entry procedures
      1. Is access limited to employees who have official need?
      2. Is a list of authorized employees posted at the entrance?
      3. What ID are employees required to show?
      4. Are visitors permitted?
      5. What procedures are followed to admit customer service personnel into the restricted areas (are they always escorted, by whom)?
      6. Are sign-in/sign-out registers used?
      7. How often and by whom are registers used?
      8. How is access restricted during non-duty hours?
             
II. Storage    
    A. Containers
      1. How is data physically stored?
      2. Are containers locked when not under supervision?
      3. Locking bars
        a. Can material be removed when bars are in place and locked?
        b. Can locking hasp at top or fastener at bottom be easily removed with hand tools?
        c. Are steel locking bars affixed to cabinets to preclude surreptitious removal of contents?
      4. Types of locks on cabinets with bars?
    B. Key and combination control
      1. Who maintains controls (keys, locks, etc.)?
      2. How often are combinations changed?
      3. How often are keys inventoried (last inventory and results)?
      4. What is the policy on reproducing keys?
      5. Is it required that keys be removed from locks and placed in a secure location while containers are unlocked?
      6. Are the number of keys distributed held to a minimum?
      7. Does the key control system ensure that keys are returned when an employee terminates or transfers?
      8. What records are maintained of all keys issued and returned?
      9. Are the correct padlocks being used?
      10. After a cabinet has been opened, are the padlocks stored in the cabinet itself or locked through the staple until the cabinet is secured?
      11. Who has keys or combinations to the buildings, rooms, safes, cabinets, or files where Federal tax data is stored?
             
III. Disposal    
    A. Paper Documents
      1. Burning - is there complete combustion?
      2. Shredding - are strips rendered unreadable?
        a. Size of strips
        b. Print perpendicular to cutting line
      3. Pulping - what size is material reduced to?
      4. Disintegration - how fine a screen is used?
    B. Magnetic Media
      1. Shredding - size of strip?
      2. Electronic/electromagnetic erase or multiple write over?
             
IV. Facility Access Controls    
    A. Entry procedures
      1. Who monitors the doors?
      2. How is entry controlled for:
        a. Employees?
        b. Visitors?
        c. Vendors, maintenance personnel?
      3. Are property passes required and checked?
      4. Are packages searched; what is the policy?
      5. After duty hours:
        a. What identification is required?
        b. Is a sign-in register used?
        c. Who reviews the register?
    B. ID Card/System
      1. What type of personnel identification system is utilized?
      2. Who issues the ID cards?
      3. Are employees required to wear ID cards?
      4. What are procedures if employee reports to work without the ID card?
      5. In the event of evacuation, are IDs checked on re-entry?
      6. Are inventories complete and all cards accounted for?
      7. Are ID supplies secured, and is stock controlled?
    C. Sign-in/sign-out registers
      1. Content?
      2. Who monitors?
      3. Is ID required?
      4. By whom and how often is register reviewed?
      5. What action is taken if a problem is detected?
    D. Alarms
      1. Type
        a. Intrusion (photoelectric, magnetic contact, foil, capacitance, electromagnetic, ultrasonic, infrared, etc.)?
        b. Duress?
        c. Fire/Smoke?
        d. Humidity?
             
COMPUTER SECURITY (for FTI) - The following outline can be used as a tool to assess the security of only those systems involved in processing FTI.
             
I. Electronic Media Controls    
    A. Electronic Media Library
      1. Librarian
        a. Full-time or part-time?
        b. Other responsibilities?
        c. All shifts?
        d. Duties performed?
      2. Procedures
        a. Documented or informal?
        b. Electronic Media Access (charge out) logs?
          1. In house?
          2. Outside of agency?
        c. Electronic Media Inventories
          1. Periodic?
          2. Results of prior inventories?
        d. External labeling procedures for Federal tax data
          1. Type?
          2. Procedures in actual use?
    B. Automated Electronic Media System
      1. Is Federal media part of a system?
      2. How do employees access the system?
      3. What system documentation is there?
      4. What are system outputs?
    C. File Retention Cycles
      1. Are cycles documented?
      2. Are cycles monitored to ensure destruction?
    D. Data Backup
      1. How are data files backed up?
        a. Who performs actual backup?
        b. On what type of media are backup files contained?
          1. Removable storage media
          2. Internal storage
      2. Storage
        a. Where is data stored?
        b. How are files protected?
        c. Who has access to these files?
      3. Retention
        a. What is retention period?
        b. How many generations of backup files exist at the same time?
        c. Are backup files stored off-site?
    E. Destruction of Sensitive Information: What is the method for clearance of magnetic media (removable and non-removable) before reallocation or destruction?
             
II. Recommend that computer security analysts conduct or review the assessment of the computer systems, the telecommunications environment, and the agency or contractor facility
    A. Security Policy
      1. Written policy document exists?
      2. Does it address FTI, how it will be restricted, and the level of protection it will be given?
        For example:
        a. Privileges that can/cannot be granted
        b. User restrictions, e.g., contractors
        c. Data transmissions
        d. Products created (what is allowable)
        e. Commingling (if so, where, and how it will be identifiable)
        f. Final disposition
    B. Systemic Access Controls
      1. Type of Controls used:
        a. Account codes
        b. Unique authorization codes for access and update
        c. Passwords (who assigns, frequency of change, how many cycles before the same password can be reused, length of cycle)
        d. User profiles
        e. User Identifications (User ID)
        f. Other
      2. Type of Restriction
        a. User ID
        b. File of command codes
      3. Administration of Controls
        a. Periodic changes of systemic controls?
        b. Who manages and monitors controls (security officer, etc.)?
    C. Operating System
      1. How is access to the operating system restricted?
      2. How is access to the files/applications that contain Federal data restricted?
      3. How can security routines be bypassed? Are such bypasses recorded?
      4. How many users have "privileged" authority?
      5. Are all accesses to the operating system recorded?
      6. Are all accesses to files that contain Federal tax data recorded?
      7. When an application is completed, is all data used by the application removed from memory?
    D. System Reports
      1. What information is available on the reports?
      2. Are reports monitored to detect unauthorized access to files containing Federal tax data?
      3. What actions are taken when unauthorized events are detected?
      4. How long are reports retained?
    E. Terminal Capabilities
      1. Remote job entry?
      2. Database inquiry?
      3. Database update?
      4. Interactive programming?
    F. Retrieval and Output Controls
      1. Are audit trails maintained of accesses or updates to magnetic data (terminal to disk inquiry, etc.)?
      2. Are audit records of listings or extracts made?
      3. Do these audit trails or records include:
        a. Reasons for access?
        b. Current location of data?
        c. Final disposition?
    G. Networked Systems
      1. What protection is there for IRS information?
      2. Are procedures documented?
    H. Personnel Access to Computer Areas
      1. Authorized personnel only (all shifts)?
      2. Who authorizes non-computer personnel?
    I. Data Transmissions
      1. Is Federal tax data transmitted from one point to another? From where to where?
      2. What type(s) of communications devices are used for data transmissions (e.g., fiber optics, twisted pair lines, etc.)?
      3. Are the transmissions encrypted?
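Illustration (an added example; it is not part of the Internal Revenue Manual, Publication 1075, or any agency's procedures): the questions under I.B (permanent system of standardized records), II.D (system reports) and II.F (retrieval and output controls) above can be applied mechanically to an agency's system access report. The Python script below reviews a constructed sample report for accesses by accounts not on the authorized list, records missing a required element, and extracts made without a recorded disposition. The report layout, its field names and the authorized-user roster are assumptions of the example, not a real format.

```python
"""Reviewer-side check of an FTI access report, written as an added example for
the Computer Security outline (I.B standardized records, II.D system reports,
II.F retrieval and output controls). The log layout, field names and the
authorized-user roster are assumptions made for this example; they are not an
IRS, Publication 1075 or agency format."""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample export of a system access report: one line per access to a
# file containing Federal tax data. Users, files and reasons are made up.
SAMPLE_LOG = """\
timestamp,user,file,action,reason,disposition
2008-08-01T09:12:00,jdoe,fti/cases_2008.dat,read,case 2008-1142 review,returned to library
2008-08-01T09:40:00,asmith,fti/cases_2008.dat,extract,quarterly listing,
2008-08-01T11:05:00,ctemp,fti/cases_2008.dat,read,curiosity,
2008-08-01T13:30:00,jdoe,fti/backup_0731.tap,read,,returned to library
2008-08-02T02:15:00,root,fti/cases_2008.dat,update,maintenance,
"""

# Constructed roster of employees authorized to access FTI (account -> duty that
# establishes the need-to-know). The contractor account 'ctemp' and the shared
# privileged account 'root' are deliberately absent.
AUTHORIZED = {
    "jdoe": "case examiner",
    "asmith": "case examiner",
}

# Every disclosure record must identify when, who, what and why (outline I.B).
REQUIRED_FIELDS = ("timestamp", "user", "file", "action", "reason")

# Actions that create a new copy of FTI, whose final disposition must be recorded.
COPYING_ACTIONS = {"extract", "print", "copy"}


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based data row in the report (header excluded)
    user: str
    issue: str


def parse_report(text):
    """Parse the CSV export into a list of dict rows (header row excluded)."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access_report(text, authorized=AUTHORIZED):
    """Return the findings a reviewer would raise against the access report."""
    findings = []
    for n, rec in enumerate(parse_report(text), start=1):
        user = rec.get("user") or ""
        # Access limited to authorized employees with a need-to-know (outline I.D).
        if user not in authorized:
            findings.append(Finding(n, user, "access by account not on authorized list"))
        # Standardized records: each access must carry the required elements.
        for name in REQUIRED_FIELDS:
            if not rec.get(name):
                findings.append(Finding(n, user, f"record missing {name}"))
        # Listings and extracts need a recorded final disposition (outline II.F.3).
        if rec.get("action") in COPYING_ACTIONS and not rec.get("disposition"):
            findings.append(Finding(n, user, "copy of FTI made without recorded disposition"))
    return findings


def issue_counts(findings):
    """Tally findings by issue, the shape a reviewer carries into the report."""
    return Counter(f.issue for f in findings)


if __name__ == "__main__":
    for f in review_access_report(SAMPLE_LOG):
        print(f"row {f.line} ({f.user or '<blank>'}): {f.issue}")
```

Run against the constructed report, the script raises four findings: the extract on row 2 has no disposition, rows 3 and 5 are accesses by accounts outside the authorized roster, and row 4 records no reason for access. Each finding maps back to a question in the outline, so the same script run against a real export gives the reviewer a starting list for the Findings and Recommendations section rather than a substitute for reading the report.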

Exhibit 11.3.36-2  (05-06-2003)
Safeguard Review Report Format — Findings and Recommendations

The format for the Safeguard Review Report is described in subsections 36.11.1 and 36.11.2 as uniformly consisting of:
     
A. Title Page or Cover Sheet
B. Introduction
C. Background
D. Scope and Objectives of the Review
E. Summary (Optional)
F. Findings and Recommendations
G. Need and Use
H. Computer Security
     
The section of the Safeguard Review Report entitled Findings and Recommendations should be further divided into sub-sections to address all of the safeguard requirements as follows:
     
FINDINGS AND RECOMMENDATIONS
     
A. MAINTAINING A SYSTEM OF STANDARDIZED RECORDS
     
  Requirement: 26 USC 6103(p)(4)(A) requires that a permanent system of standardized records be kept which documents requests for, and disclosures of, returns or return information.
     
A.1 FINDING: Briefly describe the first finding under this requirement. Include a listing of all types of media in which Federal tax data exists, e.g., printouts, backup tapes, case files, computer files.
     
  DISCUSSION: This should be a brief narrative describing the condition, process or practice listed as a "finding" in A.1 above. The narrative should be in sufficient detail so that the reader will understand the system, process or practice that led to the "finding."
     
  RECOMMENDATION: If the finding is such that a change should be initiated by the agency, the recommended corrective action should be described.
     
A.2 FINDING: The second finding pertaining to the agency’s system of records. Findings should be related to the requirements, which is the reason for clearly describing each of the requirements imposed on an agency receiving tax returns or return information.
     
  DISCUSSION: Each of the findings will be followed by a discussion of the procedures or practices that led to that second finding.
     
  RECOMMENDATION: Since the finding and the discussion can be describing a positive as well as a negative situation, it is possible that there will be no recommendation for change, and thus Recommendation A.2 may be "None. All requirements have been met."
     
A.3 FINDING: Each subsequent finding will be successively numbered and the Recommendation will be the same number as the Finding.
     
  DISCUSSION: All Findings and Recommendations pertaining to the standardized records requirement will bear the prefix A, and in that way, the agency can respond to each Recommendation by number.
     
  RECOMMENDATION: The reviewer can use the concept of the "audit trail" when reviewing the agency’s records. Can they document the request for, the receipt, processing, distribution and destruction/disposition of the tax information? See Exhibit 11.3.36–2 for additional record keeping considerations.
     
B. MAINTAINING A SECURE PLACE FOR STORAGE OF TAX RETURNS AND RETURN INFORMATION
     
  Requirement: 26 USC 6103(p)(4)(B) requires that a secure place or area be maintained where FTI is stored.
     
B.1 FINDING: A "finding" is a statement of condition, and may describe either a positive or adverse condition.
    NOTE: Computer Operations, e.g., rooms with servers, at field offices, should be evaluated for this requirement. Appropriate findings should be included in the report.
     
  DISCUSSION: Secure storage requirements apply to computer tapes, disks, or cartridges as well as paper documents. Who processes the tape, and how is it secured before and after processing at the computer facility?
     
  RECOMMENDATION: Recommended corrective action as required. Include implementation dates or schedules if applicable.
     
B.2 FINDING: Second finding pertaining to the secure storage requirement.
     
  DISCUSSION: The secure storage requirements encompass such diverse security considerations as locking cabinets or rooms, key control, and off-site storage of back-up tapes.
     
  RECOMMENDATION: None
     
C. LIMITING ACCESS TO TAX DATA TO EMPLOYEES OF THE AGENCY WHO HAVE A NEED-TO-KNOW AND WHO ARE AUTHORIZED TO HAVE ACCESS.
     
  Requirement: IRC §6103(p)(4)(C) requires that access to FTI be restricted to those persons whose duties require access and to whom disclosures may be made under provisions of law.
    NOTE: It is especially important that both tests be applied to persons with access to returns or return information; that is, they have a need-to-know and are authorized by statute. (An agency's contract programmer may have a need-to-know, but the disclosure to contractors may not be authorized by statute).
     
C.1 FINDING: Agency should be limiting access to those employees having a need and federal statutory right to know.
     
  DISCUSSION: Access by employees should be limited to those portions of FTI that are actually required in the performance of their assigned duties.
    NOTE: The same restrictions to access shall apply to any contractor or subcontractor.
     
  RECOMMENDATION: The reviewer may need to advise the agency to implement changes or develop a system to restrict access to information consistent with employees' duties and responsibilities.
     
  Unauthorized access may be in the form of unauthorized viewing (inspection) of tax data, and the reviewer should ascertain what, if any, procedures have been (or are being) initiated by the agency to prevent or detect casual viewing of returns or return information. All Safeguard Review Reports will include documentation to reflect discussions with the agency regarding their procedures to prevent and detect unauthorized access to, or inspection of, tax returns or return information.
     
  Penalties are applicable to unauthorized inspection of returns or return information as well as unauthorized disclosures (see Taxpayer Browsing Protection Act).
     
  Limiting access to computer systems or computer screens should be discussed in the sub-section devoted to computer security issues. Limiting access also applies to the controls used to protect the agency’s facilities. Physical access controls for the computer facilities may, at the reviewer’s discretion, be discussed either in this sub-section or under computer security.
     
D. PROVIDING OTHER SAFEGUARDS DETERMINED TO BE NECESSARY.
     
  Requirement: IRC §6103(p)(4)(D) requires that other safeguard measures be provided that the Secretary of the Treasury determines to be appropriate to protect the confidentiality of FTI. IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, specifies that recipient agencies are to conduct periodic internal inspections to ensure that safeguards are adequate. The publication also provides employee awareness guidelines to ensure that all appropriate agency employees are aware of the disclosure provisions of the Internal Revenue Code and the penalties provided for the unauthorized disclosure of return information.
     
D.1 FINDING: Agencies should, at a minimum, advise their employees of the provisions of IRC 7213, 7213A, and 7431. Also, include comments regarding orientation programs and the actual training provided, e.g., the topics covered relevant to Federal tax data. Comment on your review of the practices for employee and contractor employee certification and annual recertification.
     
  DISCUSSION: Publication 1075 and Exhibit 11.3.36–1 contain some examples of awareness efforts or initiatives.
     
  RECOMMENDATION: The reviewer may have to take an active role in the agency's awareness efforts by providing definitions or explanations of what constitutes "return information" and the confidentiality requirements imposed by the Code.
     
D.2 FINDING: Agencies may not be conducting, and documenting, internal inspections to ensure the security of the return information.
     
  DISCUSSION: Properly conducted and documented security inspections by the agency can be a valuable adjunct to our safeguard reviews.
     
  RECOMMENDATION: The inspections should be conducted by a function that does not use the return information, and the inspection results and follow-up actions should be included in the agency’s annual Safeguard Activity Report.
     
E. SUBMISSION OF REQUIRED SAFEGUARD REPORTS.
     
  Requirement: In accordance with IRC §6103(p)(4)(E), the IRS has prescribed that, at least 45 days prior to the scheduled receipt of the tax information, recipient agencies submit a Safeguard Procedures Report describing the procedures established to ensure the confidentiality of the returns or return information received. Subsequent to submission of the Safeguard Procedures Report, a Safeguard Activity Report must be submitted annually to give current information regarding their safeguard program.
    NOTE: If the Safeguard Procedures Report is several years old, the reviewer should ensure that current agency procedures are accurately reflected in the SPR. The reviewer should request a new SPR if the original one is more than five years old, or safeguard procedures have substantially changed. Also, include comments regarding whether actual agency practices observed during the on-site review comply with the SPR on file and with the SARs submitted since the last review.
     
F. DISPOSAL OF RETURNS AND RETURN INFORMATION UPON COMPLETION OF USE
     
  Requirement: IRC §6103(4)(F) requires agencies to return tax information to the IRS, make the information "a non-disclosure", or, in some cases, retain the information and safeguard it.
     
G. NEED AND USE
     
  Requirement: Policy Statement P–1–35 states that "Tax Information provided by the IRS to State tax authorities will be restricted to the authorities' justified needs and uses of such information." Other agencies must use the information only for the purpose(s) authorized by statute.
     
  State Tax Agencies: If a "need and use" review of a state tax agency has been conducted recently, this should be noted, and a summary of that report may be included in this portion of the Safeguard Review Report. (See IRM 11.3.36.9.2.)
     
  Federal and Other State Agencies: During reviews of Federal or non-tax state agencies that may receive return information specified by statute, the reviewer should note how the agency actually uses the data, and if these uses are in accordance with the enabling legislation. This would include sharing the data with agencies not specified by statute, or using the data for, or in, programs not included in the statute, as well as unauthorized disclosure to agents or contractors.
     
  A Safeguard Review Report should always include observations about the agency’s actual use of the data.
     
H. COMPUTER SECURITY.
     
  Requirement: All automated information systems and networks which process, store, or transmit sensitive but unclassified information (tax return information, information covered by the Privacy Act, etc.) must meet the requirements for Controlled Access Protection as evaluated by the National Security Agency or National Institute of Standards and Technology.*
    NOTE: The reviewer should also pay particular attention to whether all security features are actually operational, because the user has the option of selecting which features of the security software are enabled.
     
  In data processing environments, certain specified personnel may require access to the hardware and software used to store or process Federal tax information, but not all information processing personnel require access to the FTI. Agencies should ensure that only those employees with a need-to-know are allowed access to Federal tax information.
