11.3.36  Safeguard Review Program

Manual Transmittal

July 21, 2015

Purpose

(1) This transmits revised text for 11.3.36, Disclosure of Official Information, Safeguards Review Program.

Material Changes

(1) Editorial changes have been made throughout this document to update web site references and links, as well as to renumber sections and to clarify guidance.

(2) IRM Section 11.3.36.5.1 title Agency Reports removed.

(3) IRM Section 11.3.36.6 title Initial Safeguard Security Report renamed Initial and Annual Safeguard Security Report and renumbered IRM Section 11.3.36.7 rewritten to present related procedures.

(4) IRM Section 11.3.36.6.1 Safeguard Security Report Preparation Guidelines renamed Annual SSR Guidelines and renumbered IRM Section 11.3.36.7.2.

(5) IRM Section 11.3.36.7.1 Initial Safeguard Security Report

(6) IRM Section 11.3.36.7.2 Annual Safeguard Security Report Preparation Guidelines.

(7) IRM Section 11.3.36.7.3 Annual Safeguard Security Report Content

(8) IRM Section 11.3.36.8 title change renamed Safeguard Security Report Analysis.

(9) IRM Section 11.3.36.8.1 Delinquent or Incomplete Reports or Reported Deficiencies renamed Delinquent or Incomplete Annual SSRs and Deficiencies.

(10) IRM Section 11.3.36.8.2 Documentation renumbered IRM 11.3.36.6

(11) IRM Section 11.3.36.9 Need and Use removed.

(12) IRM Section 11.3.36.9.1 Need and Use Determinations removed.

(13) IRM Section 11.3.36.9.2 Need and Use Reviews removed.

(14) IRM Section 11.3.36.10 revised Safeguard Review Report On-site Safeguard Reviews removed

(15) IRM Section 11.3.36.10.1 Planning and Review removed section revised Safeguard Review Report Format.

(16) IRM Section 11.3.36.10.2 Opening Conference removed section revised Safeguard Review Report Content.

(17) IRM Section 11.3.36.10.3 Review Techniques renumbered IRM 11.3.36.15.1.

(18) IRM Section 11.3.36.10.4 Team Coordination renumbered IRM 11.3.36.15.2.

(19) IRM Section 11.3.36.10.5 Safeguard Review Work Papers renumbered IRM 11.3.36.15.6

(20) IRM Section 11.3.36.10.6 Limited Reviews removed.

(21) IRM Section 11.3.36.11 revised and titled Corrective Action Plan (CAP) Reporting; Safeguard Review Reports renumbered IRM 11.3.36.10.

(22) IRM Section 11.3.36.12 Management Information Reports renumbered IRM 11.3.36.19 and IRM 11.3.36.12 revised and titled Technical Inquiries (TIs).

(23) New Section IRM 11.3.36.12.1 Timeliness of TI added.

(24) New Section IRM 11.3.36.12.2 TI Assignment added.

(25) New Section IRM 11.3.36.12.3 Initial TI Review added.

(26) New Section IRM 11.3.36.12.4 Initial TI Processing Procedures

(27) New Section IRM 11.3.36.12.5 Ways to Resolve the TI

(28) New Section IRM 11.3.36.12.6 Format of E-mail for Closure and QR

(29) New Section IRM 11.3.36.12.7 Closure of TI

(30) IRM 11.3.36.13 Report to Congress renumbered IRM 11.3.36.20 and IRM 11.3.36.13 revamped and titled 45 Day Notifications.

(31) New Section IRM 11.3.36.13.1 Agency Submission Reports and Correspondence added.

(32) New Section IRM 11.3.36.13.2 Mailbox Staff Responsibilities added.

(33) New Section IRM 11.3.36.13.3 Notification Assignments added.

(34) New Section IRM 11.3.36.13.4 Analysis of Notification added.

(35) New Section IRM 11.3.36.13.5 Report Timeliness added.

(36) New Section IRM 11.3.36.13.6 DES 45 Day Notification Processing added.

(37) New Section IRM 11.3.36.13.7 DES Processing to Complete 45 Day Notice Package

(38) IRM Section 11.3.36.14 Enforcement renumbered IRM 11.3.36.21 and IRM 11.3.36.14 revamped and titled Quality Review added.

(39) IRM Section 11.3.36.14.1 Reviewers Actions renumbered IRM 11.3.36.2.21 and IRM 11.3.36.14.1 revamped and titled Quality Review of Safeguard Security Report added.

(40) IRM Section 11.3.36.14.2 Directors Action renumbered IRM 11.3.36.21.2 and IRM 11.3.36.14.2 revamped and titled Quality Review of Safeguard Security Report added.

(41) IRM 11.3.36.14.3 Alternative Actions renumbered IRM 11.3.36.21.5. and IRM 11.3.36.14.3 Quality Review of Technical Reviews added.

(42) IRM 11.3.36.14.4 Quality Review of Corrective Action Plan added

(43) New Section IRM 11.3.36.15 State and Local Agency Review

(44) New Section IRM 11.3.36.15.1 Review Techniques

(45) New Section IRM 11.3.36.15.2 Team Coordination

(46) New Section IRM 11.3.36.15.3 Need and Use Reviews

(47) New Section IRM 11.3.36.15.4 Preliminary Findings Report

(48) New Section IRM 11.3.36.15.5 Closing Conference

(49) New Section IRM 11.3.36.15.6 Work Papers

(50) New Section IRM 11.3.36.16 Federal Agency Reviews

(51) New Section IRM 11.3.36.16.1 Review Techniques

(52) New Section IRM 11.3.36.16.2 Need and Use Reviews

(53) New Section IRM 11.3.36.16.3 Preliminary Findings Report

(54) New Section IRM 11.3.36.16.4 Closing Conference

(55) New Section IRM 11.3.36.16.5 Work Papers

(56) New Section IRM 11.3.36.17 Inventory Management Reports

(57) New Section IRM 11.3.36.17.1 Technical Inquiries and Notifications

(58) New Section IRM 11.3.36.17.2 Safeguards Review Report

(59) New Section IRM 11.3.36.17.3 Safeguards Security Review Report

(60) New Section IRM 11.3.36.17.4 Corrective Action Plan

(61) New Section IRM 11.3.36.18 Safeguards Mailbox and Secure Data Transfer reserved to be published.

(62) Exhibit 11.3.36-3 Quality Review Safeguard Report Preparation Check Sheet added.

(63) Exhibit 11.3.36-4 Quality Review of Technical Inquiries Preparation Check Sheet added.

(64) Exhibit 11.3.36-5 Quality Review Safeguard Security Report Preparation Check Sheet added.

(65) Exhibit 11.3.36-6 Quality Review Corrective Action Plan Preparation Check Sheet added.

(66) Exhibit 11.3.36-7 Artifact for Review added.

(67) Recommendation for FTI Suspension and/or Termination

Effect on Other Documents

This material supersedes IRM 11.3.36, Safeguard Review Program, dated September 11, 2014.

Audience

All Operating Divisions and Functions.

Effective Date

(07-21-2015)


Edward Killen
Director, Governmental Liaison, Disclosure and Safeguards (GLDS)
Privacy, Governmental Liaison and Disclosure (PGLD)

11.3.36.1  (09-11-2014)
Purpose

  1. This section provides written guidance for all Office of Safeguards' personnel when performing safeguard evaluations and reviews. The Safeguards staff is responsible for ensuring that agencies and their contractors, who have access to Federal Tax Returns and Return information, collectively termed Federal Tax Information (FTI) from the Internal Revenue Service (IRS) maintain adequate safeguards for the protection of such information. Written procedures and instructional guidelines are included to help the reviewer determine whether the agencies provide adequate protection for FTI that is consistent with the Department of Treasury, Internal Revenue Service guidelines, manuals and regulations.

    Note:

The term agency includes Federal, state, and local agencies, entities, and agency contractors. The term contractor will generally refer to an agency contractor, while IRS contractors will specifically be referred to as IRS contractors.

  2. The safeguard program is a cooperative effort with the recipient agencies and their contractors, to ensure the confidentiality of FTI. Outreach and communication are key elements in promoting protection of FTI. In order to fulfill legal requirements and IRS responsibilities, the program must also maintain viable enforceable standards and full time enforcement capabilities.

11.3.36.2  (09-11-2014)
Legal Requirements

  1. In accordance with legal requirements of Internal Revenue Code (IRC) §6103 and written agreements, the IRS discloses FTI data to various Federal, state, and local agencies, as well as contractors.

  2. IRC §6103(p)(4) requires that agencies receiving tax returns and return information provide adequate safeguards to protect the confidentiality of the tax returns and return information to the satisfaction of the Secretary (of Treasury).

  3. IRC §6103(p)(4)(E) requires the following recipients of Federal tax returns or return information to report to the Secretary their safeguard procedures for protecting those returns and return information:

1. Federal agencies that receive FTI.

    2. The Government Accountability Office (GAO)

    3. State tax agencies, bodies, or commissions

    4. State and local child support enforcement agencies

    5. State public assistance and law enforcement agencies

    6. State Affordable Care Act (ACA)

      Note:

      This pertains to any agency, lender, and institution disclosing mailing addresses received pursuant to IRC §6103(l)(6)(A), (l)(12)(B), (m)(2), (m)(4), (m)(6), or (m)(7) to its agent(s) and contractor(s).

    7. Department of Corrections (DOC) agencies

8. Recipients of information under IRC §6103(k)(10)

  4. The provisions of 26 CFR 301.6103(n)-1(d) authorize the IRS to determine the compliance with any safeguards imposed on agency contractors.

  5. IRC §6103(p)(8) requires that states provide safeguards to protect the confidentiality of paper copy and electronic media copy of the Federal return (or portion thereof) that is attached to or reflected on any State tax returns as may be required of taxpayers by the state.

    Note:

    When preparing for a Safeguard Review that includes IRC §6103(p)(8) data, refer to IRM 11.3.32.14.1 , Disclosure to States and Local Governments which "...authorizes the IRS to require the State agencies maintain adequate safeguard procedures for the returns and return information they receive pursuant to IRC §6103(d)."

6. IRC §6103(p)(5) requires the Commissioner to furnish annual reports to the House Committee on Ways and Means, the Senate Committee on Finance, and the Joint Committee on Taxation. The reports describe the procedures and safeguards established by the various agencies and their respective contractors who receive FTI, as well as indicating deficiencies on the part of the agencies and their contractors.

  7. IRC §7213 provides criminal penalties for unauthorized disclosures of FTI.

  8. IRC §7213A provides criminal penalties for unauthorized inspection of any return or return information by officers and employees of the United States, officers and employees of persons described in IRC §6103(n), state and other employees.

9. IRC §7431 provides civil remedies for violations of the disclosure and inspection statutes.

10. A complete listing of the applicable security laws, regulations, and other guidance is contained in Exhibits 2.1.10-1 and 2.1.10-2 of IRM 2.1.10, Automated Information Systems Security.

11.3.36.3  (09-11-2014)
Awareness

1. When an agency receives, or expresses an interest in receiving, FTI, ensure that the agency obtains a copy of IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies. Copies of Publication 1075 can be obtained from http://www.irs.gov/uac/Safeguards-Program

11.3.36.4  (09-11-2014)
Implementing Requirements

1. Federal, State and local agencies listed in IRM 11.3.36.2 (3) and (4) must submit the following to the Office of Safeguards:

    1. Initial SSR and

    2. Annual SSR

  2. These reports are described in detail in IRM 11.3.36.7 and IRM 11.3.36.8.

  3. The IRS reviews reports received from agencies to determine the adequacy of agency safeguards.

4. If an agency fails to submit the required report or to provide sufficient information to allow the IRS to determine the adequacy of its safeguards, the IRS reviewer may recommend withholding FTI from that agency.

5. On-site Safeguard Reviews of agencies and their contractors are undertaken when the criteria in IRM 11.3.36.15.1 are met.

11.3.36.5  (09-11-2014)
Responsibilities

1. The Office of Safeguards, located within the Governmental Liaison, Disclosure and Safeguards (GLDS) function, has oversight responsibility for the Safeguards Program. The Office of Safeguards also has specific program responsibilities as listed in Exhibit 11.3.36-1.

  2. The Office of Safeguards has responsibility for the Safeguard Review program for state, federal and local agencies, and other entities.

11.3.36.6  (07-21-2015)
Documentation

1. All steps taken in the review process must be documented within one business day unless extenuating circumstances require additional time. All notes, worksheets, communication contacts, memoranda, and other correspondence will be retained in the file and in notes on e-Trak to support decisions.

11.3.36.7  (07-21-2015)
Initial and Annual Safeguard Security Report

1. IRC §6103(p)(4)(E) requires agencies receiving FTI to file an SSR that describes the procedures established and used by the agency for ensuring the confidentiality of the information received from the IRS. The SSR is a record of how FTI is processed by the agency; it states how it is protected from unauthorized disclosure by that agency. The agency shall file an SSR in accordance with Publication 1075, Section 7.2.4, SSR Update Submission Dates.

  2. The SSR should include:

    • Future actions that will affect the agency’s safeguard procedures,

    • Summary of the agency’s current efforts to ensure the confidentiality of FTI,

    • Certification that the agency is protecting FTI pursuant to IRC §6103(p)(4) and the agency’s own security requirements.

    • Modifications/changes to the procedures or safeguards described in a previous SSR

      Note:

      SSRs must be approved prior to initial release of FTI to agencies

  3. Disclosures Under Multiple Code Sections (Federal Agencies) - Some Federal agencies receive FTI from the IRS under the authority of more than one section of the Internal Revenue Code. In these cases, the agency must distinguish between the IRC sections, and provide safeguard procedures for each program or use. The agency must file a consolidated SSR for the various programs or uses.

4. Federal, state, and local agencies using Form 8300, Report of Cash Payments Over $10,000 Received in a Trade or Business, information available pursuant to IRC §6103(l)(15) must file a separate SSR for this program. All agencies requesting data under IRC §6103(l)(15) are referred to the Office of Safeguards.

    Note:

    Where IRS/CI and the U.S. Attorney’s Office are among the participants of a multi-agency task force, and there is an investigative need to obtain Form 8300 information, the Assistant U.S. Attorney (AUSA) assigned to the task force is the requestor of information. Safeguards FTI responsibility and authority will therefore be centralized with the AUSA’s office.

11.3.36.7.1  (07-21-2015)
Initial SSR

1. Agencies executing data exchange agreements involving access to FTI subject to safeguarding requirements must have an approved SSR prior to having access to FTI. See Publication 1075, Section 7.2.1, Initial SSR Submission Instructions. The SSR must be submitted for IRS Safeguards approval at least 90 days prior to the agency receiving FTI.

  2. The agency must address all elements in the SSR template at http://www.irs.gov/uac/Safeguards-Program. Additionally, the initial SSR must contain the evidentiary requirements (artifacts), which are focused on:

    1. Controls that in their absence would potentially leave FTI exposed to a threat

    2. IRS-specific controls that are critical for the protection of FTI.

  3. The Office of Safeguards will perform a comprehensive review of the agency’s entire SSR and each control description for compliance with standards to understand the agency’s overall security posture before approving the SSR and may request additional artifacts as needed.

11.3.36.7.2  (07-21-2015)
Content of Initial SSR

  1. General:

    1. Responsible officers or employees.

    2. Functional organizations using the data.

    3. Computer facilities or equipment and system security.

    4. Physical security.

    5. Retention policy and disposal methods.

2. Safeguard activities shall include, at a minimum, the following items:

    1. Disclosure Awareness Program - Describe the efforts to inform all employees and contractors having access to FTI of the confidentiality requirements of the Internal Revenue Code, the agency’s security requirements, and the sanctions imposed for unauthorized inspection or disclosure of FTI.

    2. Functional organizations using the data

    3. Computer Facilities or Equipment and System Security- Changes or enhancements

    4. Physical Security- Changes or enhancements.

  3. Agency Disclosure Awareness Program -The agency should describe the efforts to inform all employees having access to FTI of the confidentiality requirements of the IRC, the agency’s security requirements, and the sanctions imposed for unauthorized inspection or disclosure of return information.

4. Reports of Internal Inspections - The agency should provide copies of a representative sampling of the Inspection Reports and a narrative of the corrective actions taken (or planned) to correct any deficiencies. These should be included with the annual SSR.

  5. Disposal of FTI -The agency should report the disposal or return of FTI to the IRS or source. The information should be adequate to identify the material destroyed and the date and manner of destruction, including copies of destruction logs.

    Note:

    Including taxpayer information in the disposal record is not necessary and should be avoided.

  6. Other information -The agency should provide other information to support the protection of FTI, in accordance with IRC §6103(p)(4) requirements.

7. Planned Actions Affecting Safeguard Procedures - Any planned agency or contractor action which would create a major change to current agency procedures or safeguards will be reported. Such major changes would include, but are not limited to, new computer equipment, facilities or systems to perform programming, processing or administrative services requiring access to FTI.

  8. Agency Use of Contractors - Agencies must account for the use of all contractors, permitted by law or regulation, to perform programming, processing or administrative services requiring access to FTI.

11.3.36.7.3  (07-21-2015)
Annual SSR Preparation Guidelines

  1. Preparation of an Annual SSR begins with a review of the previous SSR submission:

    • Cover outstanding actions list

    • Identify areas where there is no change (NC)

    • Identify areas that are not applicable (NA)

    • Address content changes

2. When an agency requests an extension to file its annual SSR, refer it to Publication 1075, Section 7.2.2, SSR Update Submission Dates.

11.3.36.7.4  (07-21-2015)
Annual SSR Content

  1. Agencies are required to submit an annual SSR encompassing any changes that impact the protection of FTI:

    • New data exchange agreements.

    • New computer equipment, systems, or applications (hardware or software).

    • New facilities; and

    • Organization changes, such as moving IT operations to a consolidated data center from an embedded IT operation.

  2. The following information must be updated in the SSR to reflect updates or change regarding the agency or safeguarding procedures within the reporting period:

    • Changes to information or procedures previously reported

    • Current annual period safeguard activities

• Planned actions affecting safeguard procedures

    • Agency use of contractors (non-agency employees)

3. Location of the Data - Include an organization chart or narrative description of the receiving agency organization, which includes all functions where tax data must be processed or maintained. If the information is to be used or processed by more than one function, then the pertinent information must be included for each function.

  4. Flow of the Data- The report must contain a flow chart or narrative description of:

1. The agency flow of the FTI data from its receipt through its return to the IRS or its final destruction

    2. How FTI is to be used or processed

    3. How FTI is tracked and protected as it passes through the organizational levels within the agency

    4. Describe how FTI is commingled with agency data or separated

    5. Describe the paper or electronic products created from FTI

    6. Where contractors are involved in the flow of FTI including,

    Note:

Indicate how FTI is commingled with, or transcribed into, non-tax data that is used and kept by the agency.

5. System of Records - A description of the permanent record(s) used to document requests for, receipt of, dissemination of (if applicable), and final disposition (return to the IRS or destruction) of the FTI (including all electronic media). Agencies and their contractors are expected to be able to provide an "audit trail" for all information requested and received; the trail is to also include copies or distribution beyond the original document/media.

6. Secure Storage of the Data - The agency will provide a description of the security measures employed to provide secure storage for the FTI when it is not in current use. Secure storage encompasses such diverse considerations as locked files or containers, secured facilities, key or combination control, off-site data storage facilities, and restricted areas.

  7. Restricting Access to the Data - A description of the procedures or safeguards to ensure access to FTI is limited to those individuals who have authorized access and a need to know. Describe how the information will be protected from unauthorized access when in use by the authorized recipient. Describe any physical barriers to unauthorized disclosure (including all security features where FTI is accessed, used or processed) as well as systemic and/or procedural barriers.

8. Disposal - For all FTI provided by the IRS, and/or produced by the agency and/or contractor (e.g., print-outs, back-up tapes and the like), and not returned to the IRS, provide a written agency report that documents the method by which the records were destroyed (see paragraph (5), System of Records, above).

9. Information Technology (IT) Security - The written report must describe all automated information systems and networks that receive, process, store, or transmit FTI. Note that all such systems are required to have safeguard measures in place which address all key components of IT security to restrict access to sensitive data. See Publication 1075, Section 9.0. The written report should:

    1. Describe the systemic controls employed to ensure all IRS data is safeguarded from unauthorized access or disclosure

    2. Include the procedures to be employed to ensure secure storage of the disks and the data, limit access to the disk(s), or computer screens, and the destruction of the data

    3. Have additional comments regarding the safeguards employed to ensure the protection of the computer

    4. Describe in detail the security precautions undertaken if the agency’s computer systems are connected or planned to be connected to other systems.

    5. The SSR must include procedures for ensuring that all data is safeguarded from unauthorized access or disclosure.

10. Disclosure Awareness Program - Each agency and contractor who receives returns and return information must have an awareness program wherein employees having access to FTI certify annually the training they have received and their receipt of the confidentiality provisions of the Internal Revenue Code, as well as the civil and criminal sanctions for unauthorized inspection or disclosure of FTI. A description of the formal program should be included in the SSR.

11.3.36.8  (07-21-2015)
Safeguard Security Report Analysis

1. In order to make supportable recommendations on the SSR, reviewers need to have a thorough understanding of applicable statutes, Treasury regulations, agency agreements and contracts, and the agency’s and their contractor's system of processing FTI.

    • The SSR team lead assigns this case to an analyst in e-Trak and provides the reviewer 35 business days to complete an analysis.

    • The reviewer will not accept SSR sections missing evidentiary documents.

    • The reviewer will work directly with the agency to submit required evidentiary documents.

    • The reviewer will work with the agency to revise any incomplete documents or incomplete sections of the SSR.

    • The reviewer will provide comments in blue font for sections which require additional information.

11.3.36.8.1  (07-21-2015)
Delinquent or Incomplete Annual SSRs and Deficiencies

  1. Delinquent Safeguard Security Reports (SSR) with incomplete information should initially be resolved through informal telephone contact between the reviewer and the agency.

2. If an SSR is missing critical information needed to determine whether FTI is adequately protected, reasonable attempts, including at least one written request, must be made to obtain the missing information.

  3. Formal procedures to withhold FTI will be initiated if an agency fails to:

    1. Send in an acceptable report or

    2. Send in the requested material or

3. Take action to correct a deficiency.

  4. Reasonable attempts, including at least one written request, must be made to obtain missing information or to have corrective action implemented.

  5. If an SSR deficiency is minor and will not cause unauthorized disclosures, and the deficiency cannot be immediately corrected then the report will be accepted with the deficiencies noted with the comment in the SSR.

    Example:

    An agency may not have adequate disclosure awareness training for its employees. The agency agrees, but it may take a couple of months to develop a program and complete initial training. The report may be accepted if this condition is documented, including planned follow-up action.

  6. If a control has not been fully implemented, document the current state of the control and anticipated implementation date.

  7. Completing Review Process

    1. The reviewer will complete the transmittal letter that is sent to the agency, the SSR Analysis, SSR Acceptance Checklist and Deliverable Acceptance Form.

    2. Load documents to the Documents file on e-Trak, make a case note on e-Trak with the actions taken, update the Comments field on the case with the status, update Email Notification Comments field on the case and submit the package to quality review.

    3. Upon completion of the review, the SSR will be submitted to the head of the agency via U.S. mail and via softcopy to the agency POC.

      Note:

      It is 60 calendar days from receipt of a SSR to deliver the approval back to the agency. Of these 60 days, DES/CSR has 35 days to conduct the analysis and submit to quality review.

11.3.36.9  (07-21-2015)
Safeguard Review Preliminary Findings Report (PFR)

  1. The Preliminary Findings Report (PFR) identifies the items requiring correction to improve the safeguarding of Federal tax information in accordance with Publication 1075 and must be completed during the on-site safeguard review. The PFR is the only document the agency will receive during the on-site review.

  2. For each finding, the evaluated risk for potential loss, breach or misuse of FTI establishes the recommended timeframe for resolution. The risk category is noted next to each finding in risk category order in the report to assist the agency in establishing priorities for corrective action.

    Note:

    The findings are reflective of offices visited during the review but must be implemented at all agency locations.

    Risk Category   Associated Timeframe for Resolution
    Critical        3 months from the date of the review closing conference
    Significant     6 months from the date of the review closing conference
    Moderate        9 months from the date of the review closing conference
    Limited         12 months from the date of the review closing conference
  3. A preliminary closing is conducted when the review is still in progress – when additional locations will be visited or outstanding issues need to be resolved, in which case the review closing conference scheduled by the reviewer will generally be held via teleconference. The DES must inform the Chief, SRT prior to the closing if there is a need for a preliminary closing and be granted approval to proceed with a preliminary close out. See section 8 below.

  4. Pre-Review Preliminary Findings Report

1. Obtain the latest PFR template from the SharePoint site

    2. Complete the cover page of the report to include the state, department name, if applicable, agency name, agency code, month/day/year of closing conference and Preliminary Closing, if applicable.

      Example:

      State of (State Name) State of Wyoming

      Example:

      Department Name if applicable Department of Social Services

      Example:

      Agency Name (STACN-TYPE) Child Support Enforcement (WY82X-CS)

      Example:

      Month, DD, YYYY - October 26, 2014 (Preliminary Closing) if applicable.

      Note:

      The DES should complete the PFR to the extent possible prior to the on-site Safeguard Review.

    3. Add the name of all on-site safeguard review reviewers to the template.

  5. On-site Review PFR Completion of Findings - Computer Security Reviewer

    1. Completing PFR with Off-site Support

2. Complete SCSEMs with a finding statement for each failed test

    3. Encrypt and attach completed SCSEMs to the email with the information in the following table:

      Information           Explanation
      Primary Agency        Include the agency code and type (e.g., MO43X-CS)
      Shared Agencies       Include agency codes/types for any applicable shared agencies
      Risk Level            Critical, Significant, Moderate, or Limited
      SCSEM Type            Technology type (e.g., Windows 2003, Network Assessment, etc.)
      PFR Title & Hostname  Document how the system title should appear on the PFR, e.g., Windows 7 Tumbleweed Server (WINTWX01)
  6. Completing PFR without Off-site support

1. Complete the PFR template with the technology type, hostname and risk level, using the high water mark (the highest risk category among the failed tests for that system), e.g., Cisco Firewall (FWSM01) - (Significant)

    2. Include counts and percentage rates for each finding header: Passed, Failed, Additional Information Requested, and N/A, together with the Total Number of Tests Performed and the Current Pass Rate.

    3. Include the following information for each finding: SCSEM Test ID#, NIST Control, and a brief, concise finding statement.

    4. Compile technologies and, when applicable, use the following order: MOT and Network Assessment.
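The steps above (high water mark per technology, pass/fail counts and pass rate, one line per failed test) and the risk category timeframes in IRM 11.3.36.9 (2) can be carried out mechanically from SCSEM results. The following is an added example, not part of IRM 11.3.36 and not an IRS tool; the record layout, the constructed SCSEM results, the agency and hostname, and the choice to count N/A tests as not performed when computing the pass rate are all assumptions made for the example. The risk order and the months allowed for resolution are the ones stated in the text.

```python
# Added example (not IRM text, not an IRS tool): builds the per-technology PFR entry
# from a set of SCSEM test results and dates each finding from the closing conference.
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Risk categories in PFR order, highest first, and the months allowed for resolution
# from the date of the review closing conference (IRM 11.3.36.9 (2)).
RISK_ORDER = ["Critical", "Significant", "Moderate", "Limited"]
RESOLUTION_MONTHS = {"Critical": 3, "Significant": 6, "Moderate": 9, "Limited": 12}
RESULTS = ("Pass", "Fail", "Info", "N/A")  # Info = additional information requested


@dataclass
class ScsemTest:
    test_id: str          # SCSEM Test ID#
    nist_control: str     # NIST control the test maps to
    result: str           # one of RESULTS
    risk: str = ""        # risk category, meaningful only for failed tests
    statement: str = ""   # brief finding statement, meaningful only for failed tests


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def resolution_due(risk: str, closing: date) -> date:
    """Due date for a finding of the given risk category."""
    return add_months(closing, RESOLUTION_MONTHS[risk])


def high_water_mark(tests: List[ScsemTest]) -> Optional[str]:
    """Highest risk category among failed tests, or None if nothing failed."""
    failed = [t.risk for t in tests if t.result == "Fail"]
    return min(failed, key=RISK_ORDER.index) if failed else None


def findings_in_order(tests: List[ScsemTest]) -> List[ScsemTest]:
    """Failed tests ordered Critical, Significant, Moderate, Limited (stable)."""
    return sorted((t for t in tests if t.result == "Fail"),
                  key=lambda t: RISK_ORDER.index(t.risk))


def pfr_entry(technology: str, hostname: str, tests: List[ScsemTest], closing: date) -> dict:
    """Assemble the PFR entry for one technology/hostname."""
    total = len(tests)
    counts = {r: sum(1 for t in tests if t.result == r) for r in RESULTS}
    percentages = {r: round(100.0 * c / total, 1) if total else 0.0 for r, c in counts.items()}
    performed = total - counts["N/A"]  # assumption: N/A tests were not performed
    pass_rate = round(100.0 * counts["Pass"] / performed, 1) if performed else 0.0
    hwm = high_water_mark(tests)
    title = f"{technology} ({hostname})" + (f" - ({hwm})" if hwm else "")
    findings = [{
        "test_id": t.test_id,
        "nist_control": t.nist_control,
        "line": f"{t.test_id} | {t.nist_control} | {t.statement} ({t.risk})",
        "due": resolution_due(t.risk, closing),
    } for t in findings_in_order(tests)]
    return {"title": title, "counts": counts, "percentages": percentages,
            "performed": performed, "pass_rate": pass_rate, "findings": findings}


# Constructed sample results for one firewall; IDs, controls and statements are made up.
SAMPLE_TESTS = [
    ScsemTest("AC-2-01", "AC-2", "Pass"),
    ScsemTest("AU-2-03", "AU-2", "Fail", "Moderate", "Audit logging not enabled for FTI access"),
    ScsemTest("IA-5-02", "IA-5", "Fail", "Significant", "Default administrative password in use"),
    ScsemTest("SC-8-01", "SC-8", "Pass"),
    ScsemTest("CM-6-04", "CM-6", "Info"),
    ScsemTest("PE-3-01", "PE-3", "N/A"),
    ScsemTest("AC-17-02", "AC-17", "Fail", "Limited", "Remote access banner text incomplete"),
]
SAMPLE_CLOSING = date(2014, 10, 26)  # the closing conference date used in the IRM examples

if __name__ == "__main__":
    entry = pfr_entry("Cisco Firewall", "FWSM01", SAMPLE_TESTS, SAMPLE_CLOSING)
    print(entry["title"])
    print("Counts:", entry["counts"], "Percentages:", entry["percentages"])
    print("Tests performed:", entry["performed"], "Current pass rate:", entry["pass_rate"])
    for f in entry["findings"]:
        print(f"  {f['line']} - resolve by {f['due'].isoformat()}")
```

The title line comes out as "Cisco Firewall (FWSM01) - (Significant)" because the Significant failure outranks the Moderate and Limited ones, and the findings list the Significant item first, each with its own due date counted from the closing conference.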

  7. On-Site Review PFR Completion of Findings-Disclosure Specialist

    1. The on-site safeguard reviewer must keep track of all findings during the on-site safeguard review. The reviewer has discretion to determine the process for tracking the findings throughout the on-site review.

2. During the on-site safeguard review, as findings arise, the DES and Computer Security Reviewer should apprise the agency points of contact (physical and IT) and provide recommendations for mitigation. The DES should go over the findings with the POC again prior to the closing conference, if at all possible. This will help to eliminate any unexpected issues/concerns during the closing conference.

    3. The Standard Findings for PFR document should be utilized to prepare the PFR while on-site.

      Note:

The Standard Findings for the PFR document differs from the Standardized Language used in completing the Safeguard Review Report.

    4. The PFR should be updated daily to include all the review findings.

      Step PFR Update Procedures
      1. Input the findings in the appropriate section by risk category order beginning with the highest level risk.

      Example:

      All critical findings, all significant findings, all moderate findings, and all limited findings within each section.

      2. Critical findings need to be reported to the Chief, SRT immediately. The agency will have one week to report to the Chief, their mitigation strategy for those findings.
      3. The risk category is listed immediately following the finding in parenthesis.

      Example:

      The agency fails to maintain a system of records (logs) identifying the date information was received, its exact location, who has access to data and, if disposed, the date and method of disposition. See Publication 1075 Section 3.2 and Exhibit 9 (Significant)

      4. Include a comment after each finding in parenthesis that briefly describes the issue.

      Example:

      The FTI reports electronically sent to the field offices are not logged.

    5. Add the mandatory comments as required on the PFR for your agency type.

      Example:

      The agency does not allow state auditors access to FTI.

    6. Section H will be provided to the DES as soon as possible in accordance with directions from the on-site SRT Chief.

    7. The DES should combine the Section H with the A-G portion of the PFR to provide a complete document to the agency. The lead CSR should be available to assist and/or combine the documents in this process if the DES encounters difficulties.

    8. Remove the Outstanding Items at the Time of Closing Conference page.

      Note:

      If this is a Preliminary Closing, follow the guidelines outlined in 8 below.

    9. Use the Safeguard Naming Convention to save the electronic document.

      Note:

      WY82X-CS-PFR-102614 (Note: Date is the date of closing)

    10. Review the PFR for technical accuracy, grammatical, and formatting errors. A quality product must be provided to the agency.

    11. The DES portion of the PFR must be emailed to the Chief, SRT as soon as possible in accordance with directions from the on-site SRT Chief.

    12. Provide the completed PFR to the agency Point of Contact prior to the closing conference. The lead CSR should be available to assist in this process should the DES encounter difficulties to ensure that the closing goes forward as scheduled. The document should be provided in enough time to allow the agency POC to make enough copies prior to the closing conference. The DES will need to provide the agency with the number of copies needed for the IRS staff, including contractors, if applicable.

  8. Post Review (Closing Conference held) PFR Submission

    1. Load a copy of the PFR to the Documents file in e-Trak. This should be done no later than the Monday following the review.

    2. Notify the designated support person that the document is loaded. (Check with SRT Analyst for designated support person).

    3. Input a case note in Note(s) in e-Trak of the actions taken on the case.

  9. Preliminary Closing Conferences - if you were unable to complete the review and a preliminary closing has been approved, the following procedures must be taken:

    1. On the title page of the PFR leave the wording “Preliminary Closing”.

    2. Complete the Outstanding Items at the Time of Closing Conference page (last page of report).

    3. Establish with the agency POC a date/time for the closing teleconference and apprise the Chief, SRT. The official closing conference should be scheduled, if possible, within one week of the on-site review.

    4. Once the outstanding issues have been resolved, the PFR must be updated. For further guidance see the procedures outlined in Sections 4 and 5 above.

11.3.36.10  (07-21-2015)
Safeguard Review Reports

  1. The Safeguard Review Report serves as a record of the IRS’s evaluation of an agency’s compliance with the safeguard requirements for the protection of tax returns or return information as prescribed in IRC §6103(p)(4).

  2. The requirements in the Internal Revenue Code have been augmented by other Treasury Department or Internal Revenue Service requirements as well as National Institute of Standards & Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls; these requirements must be addressed as well.

    Example:

    NIST SP 800-53 mandates that all automated information systems and networks which process, store, or transmit sensitive but unclassified (SBU) information are to meet the requirements for Management Security Controls, Operational Security Controls and Technical Security Controls.

  3. Treasury’s and NIST SP 800-53 requirements have been incorporated as IRS requirements, and have been included in IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies as requirements for recipient agencies.

  4. It is important that an SRR address all of the specified requirements and clarify the actions that agencies and/or authorized contractors must take to achieve compliance with the requirements.

  5. The report should be a complete document that provides a description of all findings and recommended actions. Reports should adhere to the Office of Safeguards reporting guidelines (see Exhibit 11.3.36-2).

  6. The letter transmitting the report to the agency will serve as a transmittal document.

    • The letter must be completed using the most current template.

    • The letter must be addressed to the head of the agency.

    • The current primary POC must be named in the body of the letter.

      Note:

      Both the head of the agency and the POC must be correctly listed on the Agency screen in e-Trak

    • The next agency CAP due date must be listed correctly in accordance with Publication 1075 Table 5.

  7. All safeguard reviews must address the adequacy of computer security. The report must contain a review of the agency's and contractors' compliance with the computer security requirements contained in the current IRS Publication 1075 (as revised).

  8. The Corrective Action Plan (CAP) accompanies the report. This is the document used by the agency to respond to the report and by Safeguards to track the agency's progress. In its semi-annual CAP the agency reports the actions taken on safeguard review recommendations and the deficiencies that remain outstanding. Refer to Publication 1075, Section 7.3.1, CAP Instruction and Submission Dates, for further guidance.

  9. All actions taken and pertinent information regarding the entire review process and the report should be clearly outlined in e-Trak case notes.

  10. Safeguards standard report and letter templates, together with the standardized findings language, should be used to prepare reports in a standard format; this improves the consistency, accuracy, and quality of reports issued to the agency partners. The reviewer should reference the specific sections of Publication 1075 for all findings.

  11. Timeliness of Reports - SRR should be issued to the agency within 45 days of the final closing conference to convey our commitment to ensuring the confidentiality of the FTI and return information. Management should be apprised of circumstances involving reports that have not been forwarded timely.

    Note:

    A review is completed when the SRR is issued to the agency.

  12. Designated support staff will create a case on e-Trak and hold it in intake status until it is ready for Analysis/Prep. When the official closing of the review has occurred, the DES will load the PFR to the documents file on e-Trak. The DES will send the Management Assistant an email indicating that the PFR has been loaded. The Management Assistant will move the case from intake status to analysis/prep status based on DES assignment. The case will show in the DES's tracking inbox on e-Trak. The DES will create assignments for the Computer Security Reviewers (CSRs) for completion of Section H and/or for any other team members that need to work aspects of the case.

    Note:

    The case should have a Case Sub Type of interim while it is in the DES status. After the report has been generated, and prior to moving the case to Quality Review, the Case Sub Type must be changed from interim to final.

  13. A SRR is issued even if there is no agreement with the agency on all findings and/or recommendations. The IRS and the agency will continue in a cooperative effort to ensure that the FTI is adequately protected from unauthorized access or disclosure.

11.3.36.10.1  (07-21-2015)
Safeguard Review Report Format

  1. In order to promote uniformity in the format of SRRs and to ensure that all reviews and reports address the key areas of the IRS's safeguard requirements, all SRRs will be prepared according to this standard format.

  2. Title Page or Cover Sheet- Each report will have a cover sheet, which must be updated with the agency specific information:

    1. The State, Municipality or Federal Agency.

    2. Agency name and, in parentheses, the specific agency state/federal abbreviation, agency code and agency type.

      Example:

      MAXX-DOR or FDXX-FED-XXX

    3. Month/Year of Report (based on month report issued)

  3. Table of Contents (TOC) - After completing the full report, the TOC must be updated to ensure the page numbers are correct. The F9 key will update the TOC for Sections A-H. A manual update must be done for the Introduction, Background and Scope sections.

  4. Acronyms Listing- Update the Acronyms Listing with acronyms used throughout the report. Spell out acronyms the first time the acronym is used. Subsequently, use the acronym only.

11.3.36.10.2  (07-21-2015)
Safeguard Review Report Content

  1. INTRODUCTION - Verify that the Introduction used matches the code authority under which the agency is receiving information. The DES must choose the correct template to use. If no template exists for the agency, such as for federal agencies, briefly outline the statutory provisions, in general, which permit the disclosure of returns or return information, and the intended purpose or benefit(s) of the disclosures. Any limitations or restrictions imposed by the IRC or regulation can be included in the introduction portion of the report, especially if they are germane to a finding or recommendation elsewhere in the report.

    Note:

    For federal agencies the (d) template may be used but the introduction must be changed to correspond with the agency and the code authority for which the agency receives FTI.

  2. BACKGROUND - Verify that the Background used matches the code authority under which the agency is receiving information. If using the e-Trak generated template, you must choose the correct template. This section, which is agency and contractor specific, should contain the name of the agency reviewed and, if applicable, the specific organization(s) or function(s) within that agency. If several separate programs are being reviewed, the background section should give a brief description of each program.

    Note:

    For federal agencies the (d) template may be used but the Background must be changed to correspond with the agency and the code authority for which the agency receives FTI.

    • Insert the information highlighted in red on the template in the SRR.

    • Develop the information highlighted in blue on the template in the SRR.

    • For HS and CS agencies you must identify the relationship between the field office/county offices and the state, i.e. state run/county administered or state run/state administered.

    • In the contractor portion you must develop a comprehensive list of all contractors the agency uses that have access to FTI or are listed in the Findings of the report. Contract language must be addressed for each contractor unless all contracts either contain or lack the language, in which case a blanket statement can be used for all.

    • In the IT portion you must develop a description of how the agency’s IT services are provided. If the agency uses an embedded IT as well as a consolidated data center, the services that each provides to the agency should be clear. The Service Level Agreement (SLA) or contract with the agency providing the IT services must be addressed. The last sentence of the IT paragraph should state who at the agency will be required to address the Section H findings.

    • Example of the contractor and IT portion of the SRR: 12XCS utilizes the following contractors for services that involve the disclosure of FTI.

    • ABC processes FTI for the 12XCS application XLECS and manages the data center operation in Albuquerque, NM. (State whether the contract language is included for each contractor, or make one statement that all or none of the contracts contain the language.)

    • District Attorney Offices are employed under cooperative agreements with 12XCS to provide child support services.

    • 123, Inc. provides off-site storage of backup tapes containing FTI for ABC.

    • The XXXX Department of Human Resources, Information Services Division (XDHR ISD) provides hardware and software maintenance, application support, end user support, workstation management, and systems development for all of the divisions within the Department of Human Resources. In addition, information technology services are provided by the XXXX Department of Finance, Information Services Division (XDOF ISD). The XDOF ISD operates the consolidated state data center that provides information technology infrastructure to directly serve a number of government entities. The XDOF ISD provides infrastructure monitoring and support services, including mainframe support, server management, network services, and development services. XDOF is a separate agency from XDHR. FTI is received at the XDOF ISD Data Center through a CyberFusion connection to a RACF mainframe. The FTI is transmitted to a mainframe hosted at ABC located in City, State. The XXXX Location, Enforcement, and Collection System (XLECS) application resides on the mainframe. End users access the XLECS application from their workstations. In addition, reports containing FTI are generated on the mainframe at the XDOF ISD Data Center and are sent electronically to a server maintained by XDOF ISD residing at the State House Data Center. The Service Level Agreement (SLA) with the agency contains the required Safeguards language. The computer security findings in Section H will require corrective action by XXX and XXX (agency IT Divisions used to process FTI).

    • See Section C. of this report for further discussion of the required actions to ensure safeguarding language is in all contracts and agreements with entities with access to FTI to ensure the continuous protection of taxpayer privacy and confidentiality of FTI.

  3. SCOPE - This section contains descriptive reviewer information regarding the conduct of the review. This section of the report should give the reader a sense of how the review was conducted and what programs and procedures were included or excluded from the review. In addition, the scope and objectives section should also indicate:

    1. The highlighted information in red from the template.

    2. Correct spelling of reviewers' names.

    3. Correct dates of review.

    4. The GL should be shown if they participated in the review.

    5. Agency POC listed as coordinating the review, and their title.

    6. In the locations section, list every location that was visited for your agency. If someone else visited a location for you, it must be listed and annotated with who visited the site.

    7. In the personnel section, list everyone interviewed and their title, including personnel interviewed for Section H.

      Note:

      When an SRR is generated from e-Trak the Title page or Cover Sheet, Table of Contents, Acronym Listing, Introduction, Background and Scope must be completed accordingly.

  4. FINDINGS AND RECOMMENDATIONS - All safeguard review reports will address each requirement enumerated in IRC §6103(p)(4), and other requirements determined to be necessary to ensure the confidentiality of FTI and return information. To ensure that all the requirements of the IRC, Publication 1075, and the IRM have been addressed, each subsection of this section will contain a statement of the requirement, followed by a description and discussion of the findings and recommendations for each item under this subsection.

  5. Begin creating the SRR

    • Create “Parent” Findings for Section A-G by clicking SRR Findings->New SRR Findings

    • Input a finding number: A.1, A.2, G.1, etc., as with the current process

    • Select Open or Held In Abeyance for status

    • Select the appropriate Pub 1075 Section

    • Select Risk Category, as determined during onsite review – Risk categories in the report need to be in order by severity.

    • Input Targeted Implementation Date in mm/dd/yyyy based on the risk category. Remember when calculating the date use days not months (90, 180, 270, 365).

    • No should be selected for "Repeat Finding"; if it is not, please change it. We no longer capture repeat findings, therefore No should always be selected.

    • Select No for "Components Exist" (default) for A-G findings. H findings will have components and therefore Yes will need to be checked for them.

    • Initialization Date will be populated by Operations staff but should be validated by DES

    • Finding Box: Input standardized language (be sure to use the current version) for the finding and amend as necessary. You must include the risk category after the finding in parentheses. Findings in the PFR should be shown in the report; however, the wording in parentheses in the PFR is not in the SRR. That information is used to develop the narrative. Use complete sentences when writing. Add the finding narrative. In most cases the narrative should be as short as possible and describe the issue in the finding. Brackets in the Narrative should be removed. Names of offices, locations, etc. used in the findings should be consistent.

      Example:

      If the finding shows the Central Office then the discussion should refer to the Central Office, not headquarters, and should be spelled the same.

    • Finding Example: The agency does not maintain an adequate system of records (logs) for tracking the receipt, movement, and disposal of FTI received in paper in Central Registry at the Headquarters Office. (Significant) The agency must maintain a system of records to track FTI [Form 8796, specific requests, TDS prints, etc. as appropriate] from request to destruction. The log must contain all FTI received or photocopied in accordance with Publication 1075, Section 3.3, Converted Media. The log must include the following elements and be maintained for a minimum of 5 years or the applicable records control schedule, whichever is longer: taxpayer name, tax year(s), type of information (e.g. revenue agent reports, Form 1040, work papers), reason for the request, date requested, date received, exact location of the FTI, who accessed the data and, if disposed, the date and method of disposition.

    • Recommendation Box: Input standardized language and amend as necessary. Your recommendation should resolve your finding. Verify that the targeted implementation dates used in the recommendation match the date in the Targeted Implementation Date box and are calculated accordingly. The dates for each risk category must match the dates in Section H.

    • Recommendation Example: The agency must establish a system of records (log) for recording requests and receipts of interstate cases and payment updates containing FTI. The targeted implementation date for this recommendation is [DATE], which is 6 months from the date of the closing conference. To close this finding, please provide a copy of the system of records (logs) template used to track the receipt, movement, and disposal of paper FTI with the agency’s CAP.

      Note:

      Once the information for numbering, dates, findings/description, recommendation, and the issue codes is filled in, Click Save. If you do not save your data, you will lose it and have to re-enter.

  6. The DES will input all Section H Parent Findings and component findings from the document loaded to e-Trak by the CSR. Parent findings and component findings will be created for every Section H finding even if only 1 component exists.

    • Input a finding number: H.1, H.2, H.3, etc., as with the current process

    • Select Open for status

    • Select the appropriate Pub 1075 Section

    • Select Risk Category, as determined during onsite review – Risk categories in the report need to be in order by severity.

    • Input Targeted Implementation Date in mm/dd/yyyy based on the risk category. Remember when calculating the date use days not months (90, 180, 270, 365).

    • No should be selected for "Repeat Finding"; if it is not, please change it. We no longer capture repeat findings, therefore No should always be selected.

    • Select Yes for "Components Exist" (default) for H findings. H findings will have components and therefore Yes will need to be checked.

    • Finding Box: Cut and paste the language from the Section H document. You must include the risk category after the finding in parentheses. If information is missing from the document or is incorrect, the DES must work with the CSR as necessary to resolve it.

    • The DES needs to input the issue codes for all Findings. Issue Codes: Use the 1-to-1 mapping to select the correct issue code. Select Issue Code Group A-G, then select the appropriate Issue Code in the drop down. Select Issue Code Group H, then select the appropriate Issue Code in the drop down. If there is no direct mapping, choose Other.

      Note:

      Once the information for numbering, dates, findings/description, recommendation, and the issue codes is filled in, Click Save. If you do not save your data, you will lose it and have to re-enter.

      Note:

      Once all findings have been input the DES will generate the SRR. The DES must validate the information in the report, ensure the correct information is included in the Title page or Coversheet, Table of Contents, Acronym Listing, Introduction, Background and Scope and that the report includes all findings and matches the data in e-Trak.

    • The DES uploads the report back to the case using the proper naming convention. The file should be uploaded with a .doc extension.

      Example:

      MA104-DOR-SRR-111414.doc

  7. Prepare SRR Letter - If the template is not available on e-Trak you must obtain the latest version from SharePoint.

    • Verify the appropriate code authorities are listed.

    • Verify that the current head of agency name and address are listed in the Agency Contacts on the Agency screen in e-Trak and are current. If they are not, you must add them.

    • Verify whether the agency has Secure Data Transfer (SDT) on the Agency screen in e-Trak.

    • Verify correct CAP dates are shown.

    • Verify the signature authority (name and title) on the letter

    • The letter should follow the naming convention format and be dated accordingly.

      Example:

      ME01X-CS-SRR-L-091014.doc

  8. Upload the completed SRR and letter by clicking Documents->New Document and inputting the appropriate information:

    1. Click Document->New Document

    2. Select Yes for “Ready for Management Approval”

    3. Input a comment that the document is ready for QR

    4. Click Browse, then Select the document from your file system

    5. Click Save

  9. Upload other pertinent documents and create case notes as appropriate. The CSR should upload the documents associated with the Section H. If they are not loaded, you must check with the CSR. In addition to uploading the letter and the report, the following documents are reviewed in QR and need to be complete and uploaded prior to moving the case to QR status:

    • SCSEM – These are considered your review work papers and should be completed with all failures and include a description of each failure. They should cover the sites visited. The coversheet should be completed with the required information.

    • Deliverable Acceptance Form (DAF) – Ensure that the DAF has been loaded to e-Trak if the computer security portion of the review was conducted by BAH.

    • State Agency contact Information

    • PFR

      Note:

      Use the correct naming convention for all documents loaded in accordance with the naming convention document.

  10. Verify that the findings from the previous review are closed out. This includes all Section H component findings. Make a case note in the previous review case as well as the current case stating the reason for closing the findings (due to a new review).

  11. Prior to moving to QR make sure all notes on the case are updated.

    • Make a note in Comments section on Case screen.

      Example:

      11/14/14 – Forwarded SRR to QR - CB

    • Add the following to the Email Notification Comments on the Case screen: PRIORITY (if the report is under 45 days); Report Name: ST/CODE-AGENCY-SRR-DATE; Number of days open; Movement = To QR.

      Example:

      Priority CO84X-CS-SRR-091014, 30 days, to QR

    • If the package is returned for edits a new document must be loaded. The new submission must be updated with the date it is submitted, all edits completed, all track changes and comments removed.

  12. DES (Case Responsible) moves case to Quality Review step

    • Select “Submit for Quality Review” from the Workflow Step dropdown

    • Select the appropriate Quality Reviewer from the dropdown, if not already populated

    • Click Save

  13. Time Frames to complete the SRR:

    1. Computer Security Reviewer has 20 Days from official closing to provide the Section H

    2. DES has 35 Days from official closing to submit the SRR to QR

    3. Safeguards has 45 Days from official closing to issue the SRR
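As an added illustration (not IRS code and not part of this IRM), the following Python helpers put several of the rules above into a checkable form: they parse file names that follow the naming convention shown in the examples (WY82X-CS-PFR-102614, MA104-DOR-SRR-111414.doc, ME01X-CS-SRR-L-091014.doc), order findings by risk category as items 5 and 6 require, compute a Targeted Implementation Date by adding days rather than calendar months, and compute the 20/35/45-day time frames from item 13. The field widths in the regular expression are inferred from those example names and are an assumption, not the official definition; the mapping from risk category to day count is not given on this page, so the day count is passed in as a parameter.

```python
"""Helpers for the Safeguards naming convention and the day-based date rules
in IRM 11.3.36.10.  Added example; assumptions are noted in comments."""
from datetime import date, datetime, timedelta
import re

# Pattern assumed from the names quoted on the page, e.g. WY82X-CS-PFR-102614
# and ME01X-CS-SRR-L-091014.doc:
#   <agency code>-<agency type>-<PFR|SRR>[-L for the letter]-<MMDDYY>[.doc]
# Field widths are an assumption inferred from those examples.
NAME_RE = re.compile(
    r"^(?P<agency>[A-Z]{2}[0-9A-Z]{3})-(?P<atype>[A-Z]{2,3})-"
    r"(?P<doc>PFR|SRR)(?P<letter>-L)?-(?P<mmddyy>\d{6})(?P<ext>\.doc)?$"
)

# Risk categories in the order the PFR and SRR must list them (highest first).
RISK_ORDER = ["Critical", "Significant", "Moderate", "Limited"]


def parse_safeguard_name(name: str) -> dict:
    """Split a document name into its fields; raise ValueError if malformed."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"name does not follow the convention: {name!r}")
    try:
        # MMDDYY, e.g. 102614 -> 2014-10-26 (the closing date for a PFR).
        doc_date = datetime.strptime(m["mmddyy"], "%m%d%y").date()
    except ValueError as exc:
        raise ValueError(f"bad MMDDYY date in {name!r}: {exc}") from exc
    return {
        "agency": m["agency"],
        "agency_type": m["atype"],
        "doc_type": "SRR letter" if m["letter"] else m["doc"],
        "date": doc_date,
        "has_doc_ext": m["ext"] is not None,
    }


def is_valid_safeguard_name(name: str) -> bool:
    """True if the name parses and carries a real calendar date."""
    try:
        parse_safeguard_name(name)
        return True
    except ValueError:
        return False


def order_by_risk(findings):
    """Stable sort of (finding_text, risk_category) pairs, highest risk first."""
    rank = {r: i for i, r in enumerate(RISK_ORDER)}
    unknown = [f for f in findings if f[1] not in rank]
    if unknown:
        raise ValueError(f"unknown risk category in {unknown}")
    return sorted(findings, key=lambda f: rank[f[1]])


def targeted_implementation_date(closing: date, days: int) -> date:
    """Add whole days (90/180/270/365) to the closing date, never months."""
    if days not in (90, 180, 270, 365):
        raise ValueError("days must be one of 90, 180, 270, 365")
    return closing + timedelta(days=days)


def srr_deadlines(closing: date) -> dict:
    """Item 13 time frames, counted in days from the official closing."""
    return {
        "section_h_due": closing + timedelta(days=20),
        "submit_to_qr_due": closing + timedelta(days=35),
        "issue_srr_due": closing + timedelta(days=45),
    }


if __name__ == "__main__":
    info = parse_safeguard_name("WY82X-CS-PFR-102614")  # constructed sample
    closing = info["date"]
    print(info)
    # 180 days after 10/26/2014 is 04/24/2015, not the "6 months" 04/26/2015.
    print(targeted_implementation_date(closing, 180).strftime("%m/%d/%Y"))
    print({k: v.strftime("%m/%d/%Y") for k, v in srr_deadlines(closing).items()})
```

The day-based calculation matters because "six months" from a closing date lands on a different day than 180 days from it; the function refuses any day count other than the four the page lists, so a month-based value cannot slip in.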

11.3.36.11  (07-21-2015)
Corrective Action Plan (CAP) Reporting

  1. Corrective Action Plans or CAPs are the mechanism by which an agency responds to open findings from the SRR. When the SRR is issued to the agency, they also receive a CAP document. Each open finding on the SRR has a corresponding item on the CAP. Each CAP item is part of the overall Safeguards POAM.

  2. The agency must submit the CAP semi-annually, as an attachment to the SSR. The next CAP due date is six months from the scheduled SSR due date. For a schedule of when the report is due, please refer to Publication 1075, Section 7.3.1, CAP Submission Instructions and Submission Dates.

  3. If the SRR was issued within 60 calendar days from the upcoming CAP due date in Publication 1075, Section 7.3.1, CAP Submission Instructions and Submission Dates the agency’s first CAP will be due on the next subsequent reporting date to allow the agency adequate time to document all corrective actions proposed and taken.

11.3.36.12  (07-21-2015)
Technical Inquiries (TI)

  1. Technical Inquiries (TI) are communications routed through the Mailbox (safeguards@irs.gov) requesting assistance with interpretations of Publication 1075 and routine Safeguards matters.

  2. If a qualified inquiry is received by Safeguards verbally or via direct email, forward the inquiry to safeguardreports@irs.gov for processing. Please see the section below for instances that do not qualify as a Technical Inquiry.

  3. A TI requires a prompt and accurate response to the request for assistance on properly safeguarding FTI in accordance with Publication 1075.

  4. TI responses should be brief and direct specifically addressing the agency’s inquiry.

  5. TI responses should clearly state current IRS Safeguards policy and close the matter to avoid on-going discussions on the same issue.

  6. The objective of the TI process is to provide timely and appropriate answers to agency inquiries by applying existing guidance.

11.3.36.12.1  (07-21-2015)
Timeliness for TI

  1. TIs are considered timely if the case in e-Trak is released within 30 calendar days. All TIs in inventory should be worked timely, considering the time-sensitive nature of the agency's inquiry.

  2. TIs must be forwarded to Quality Review within 20 calendar days after case creation. See IRM 11.3.36.14.3, Quality Review of Technical Inquiries, for more information regarding the TI Quality Review Process.

  3. If additional information is needed from the inquirer in order to process the TI, the case responsible party will attempt contact by phone or email to obtain the needed information as soon as possible after case assignment. If a timely response is not received the case responsible party will close the TI with an e-mail advising the agency of closure and advise of:

    • Information required in order to answer the question

    • Inquiry can be resubmitted with the required information

11.3.36.12.2  (07-21-2015)
TI Assignment

  1. Generally the DES will be assigned the following types of Technical Inquiries:

    • FOIA

    • Physical Security Publication 1075 clarification

    • CAP questions relative to SRR Section’s A to G findings

    • Report

  2. Generally Computer Security Reviewers will be assigned the following types of Technical Inquiries:

    • VOIP

    • SCSEM

    • Vulnerability scanning

    • Computer Security Publication 1075 clarification questions

    • CAP questions relative to SRR Section H findings

    • SSR

  3. Physical Security Inquiries from agencies under an open review will generally be handled by the DES assigned to conduct the review. The DES is the agency's primary POC for all SSR, CAP, and inquiry matters raised by the agency POC. An Open Review is easily identified on e-Trak by the calendar year the review is scheduled to occur and can also be identified by referencing the Review Schedule.

11.3.36.12.3  (07-21-2015)
Initial TI Review

  1. If the case responsible party determines the TI concerns an issue that is not covered in Publication 1075 or is not generally a Safeguards issue, do not delay; discuss with the Chief, SRT for reassignment and resolution.

  2. If the scope of the inquiry is beyond your expertise, is not from an agency subject to safeguards oversight, or does not pertain to the safeguard program, do not delay; discuss with the Chief, SRT for reassignment and resolution.

11.3.36.12.4  (07-21-2015)
TI Processing Procedures

  1. The assigned individual will acknowledge receipt of the TI by updating the notes in the e-Trak case, summarizing the inquiry.

  2. Research and contact other Safeguards personnel as needed.

  3. Contact the requester, resolve the question(s) at hand and close the TI over the phone whenever possible. Confirm whether a written response is needed.

  4. Add appropriate e-Trak notes describing:

    • Discussion with requester

    • Research

    • Contact type(s) made i.e., phone, email, etc.

    • Contact with other Safeguards or IRS personnel

11.3.36.12.5  (07-21-2015)
Ways to Resolve the TI

  1. Resolve the inquiry during the initial phone discussion.

    • Document the discussion and the answer provided in e-Trak case notes, as described in the section above

    • Load original e-mail with your response to the Document file in e-Trak and forward to QR

  2. Complete required research and preparation of written response.

    • Complete research, document in e-Trak case notes.

    • Load original e-mail with your response to the Document file in e-Trak and forward to QR

  3. Facilitate discussion with the inquirer in coordination with computer security reviewer/DES if necessary (coordinate with Chief or Chief-designated party to determine appropriate CSR assignment)

    • Arrange the telephone discussion

    • Document the discussion in e-Trak case notes

    • If a written response is required, load the original e-mail with your response to the Document file in e-Trak and forward to QR.

11.3.36.12.6  (07-21-2015)
Format of E-mail for Closure and QR

  1. Prepare the written response on the original incoming inquiry loaded to e-Trak, and load it to Outgoing Documents in e-Trak.

  2. Always use the original incoming TI message.

  3. If there were intervening e-mail threads, they may be included in the response loaded to e-Trak Document file for QR to provide amplifying information.

  4. A separate attachment providing the response is not appropriate.

  5. Include all attachments to be sent to the agency as part of the response.

  6. As written, response should be appropriate for forwarding to the agency personnel in response to the original incoming message. Example format is shown below:

    • Subject: OH531-SWA-TI, 30-2013-00915 for QR, 20 days

    • Opening: Hello (Agency POC), this is in response to your inquiry dated (Month DD, YYYY), concerning (state the subject)

    • Body: Type narrative paragraph restating agency question with specific answer

    • Closing sentence: I hope this fully responds to your inquiry.

  7. Cite Publication 1075 references as appropriate. The answer should provide guidance that is complete but does not merely restate Publication 1075 text. Ensure that the agency will fully meet Publication 1075 standards on the issue if it follows the guidance provided.

  8. Do not provide telephone number or e-mail contact information

11.3.36.12.7  (07-21-2015)
Closure of TI

  1. Not all Technical Inquiries require an e-mail/written response (see Ways to Resolve the TI above). Use the most appropriate method depending on the type and extent of the issues/inquiries raised.

  2. When an e-mail response is required, the DES will create an e-mail to the agency requestor, copying all individuals on the original incoming message, using the e-mail dropped into Documents in e-Trak. The DES will upload a copy of the e-mail response in Documents.

  3. Technical Inquiries are closed on e-Trak by support staff, who will:

    1. Locate e-mail to send in Outgoing Correspondence (if written response is required)

    2. Ensure the To line is addressed to the initial party that sent the inquiry and copy all appropriate personnel from the original e-mail

    3. Upload a copy of the sent email in Outgoing Correspondence

    4. Add a note to the e-Trak case: “TI closed; response sent to POC”

    5. Change Workflow Step>Approve for Release Final

    6. Save

  4. To meet the timeliness metric for Technical Inquiries, the case must be Released in e-Trak within the prescribed 30-day timeframe

11.3.36.13  (07-21-2015)
45 Day Notifications

  1. Publication 1075 requires agencies to notify the Office of Safeguards before executing any agreement to disclose FTI to a contractor, and no less than 45 days prior to the disclosure of FTI.

  2. In addition to the initial receipt of FTI (Publication 1075, Section 2.1), the following circumstances or technology implementations involving FTI also require the agency to submit notification to the Office of Safeguards via the Safeguards mailbox a minimum of 45 days ahead of the planned implementation:

    Activity that involves FTI                      Response: advance approval required to proceed
    ----------------------------------------------  ---------------------------------------------------------------------------------------------------
    Cloud computing                                 Yes, by Safeguards
    Consolidated data center                        No
    Disclosure to a contractor                      No; only applicable for agencies specifically authorized pursuant to 6103 statute or regulation
    Re-disclosure by contractor to sub-contractor   Yes, by Safeguards; only applicable for agencies specifically authorized pursuant to 6103 statute or regulation
    Data Warehouse Processing                       Yes, by Safeguards
    Non-agency owned information systems            Yes, by Safeguards
    Tax modeling for tax administration             Yes, by Disclosure
    Test Environment                                Yes, by Safeguards
    Virtualization of IT systems                    Yes, by Safeguards

  3. The agency is required to provide a notification that includes all of the information requested in Publication 1075, Exhibit 6.

    Note:

    The Live Data Testing form is needed only for pre-production environments, not for production environments.

11.3.36.13.1  (07-21-2015)
Agency Submission of Reports and Correspondence

  1. All correspondence should be sent electronically by Secure Data Transfer, or encrypted using SecureZip, to the Safeguardsreports@irs.gov mailbox, and should include a cover letter signed by the head of the agency or an authorized delegate.

  2. Use of a template will enhance the agency’s ability to provide all of the information needed to process the notification. The template suggested for the agency to use is embedded below. Using this template will minimize processing errors and eliminate the contractor check sheet, as the comments will confirm notification compliance.

11.3.36.13.2  (07-21-2015)
Mailbox Staff Responsibilities

  1. Retrieve the 45-Day Notification Letter from the mailbox

  2. Assign an e-Trak case to the DES and/or CSR (Computer Security Reviewer (CSR) assignment rules are subject to occasional change; the most current version is located on the Data Services SharePoint site)

  3. Upload notification from agency into the created e-Trak case.

  4. Acknowledge receipt of 45 Day Notification via email response

  5. Upload acknowledgement email into created e-Trak case.

  6. Update the e-Trak Case Notes

  7. Notify the SRT Chief, Mailbox Staff, IRS contractor, CSR and DES of the case assignment via e-mail and update e-Trak.

11.3.36.13.3  (07-21-2015)
Notification Assignments

  1. 45 Day Notification Letters for contractor and/or sub-contractor access to FTI are assigned to DES (see Data Services SharePoint site for the most current version of the assignment rules)

  2. Generally, 45 Day Notification Letters for Live Data Testing, Non-Agency-Owned Information Systems, Data Warehouse, Cloud Computing, VoIP, IVR, Web Portals, and Virtual Environments, which require Information Technology (IT) review, are assigned as follows:

    1. Computer Security Reviewer (IRS contractor) as e-Trak Case Responsible.

    2. Disclosure Enforcement Specialist (DES) as e-Trak Analyst

    3. Copy to Supervisor of Mailbox Staff

      Note:

      Agencies seeking to implement VoIP and IVR should seek advice from the Office of Safeguards. The use of contractors for these services will require a 45 Day Notice.

11.3.36.13.4  (07-21-2015)
Analysis of Notification

  1. DES Process

    1. Retrieve the agency’s notification letter from e-Trak

    2. Contact the agency for additional information as needed.

    3. Reach out to Chief or Senior Technical Advisor as needed.

    4. Work to completion according to DES 45 Day Notification Processing IRM 11.3.36.13.6

    5. For IT-related contractor notifications, complete the contractor portion, upload the documents to e-Trak, and notify the IRS contractor of completion

    6. Document any delays in e-Trak and notify Chief of any delays

    7. Complete the acknowledgement letter to be issued to the agency and upload it to e-Trak Documents (template located on the Safeguards SharePoint site)

    8. Upload case cover sheet

    9. Submit to the Chief or Associate Director for signature (approval authority rules located on the Safeguards SharePoint site)

  2. Computer Security Reviewers Process

    1. Retrieve the agency’s notification letter from e-Trak

    2. Contact agency for additional information as needed

    3. Work to completion within prescribed timeframe

    4. Contact the DES to inform them of the status of the account

    5. Upload the acknowledgement letter to the agency to e-Trak Documents (template located on the Safeguards SharePoint site)

    6. The DES will perform a quality review of the above noted letter prior to sending it for approval.

      Note:

      If the agency needs a 45 day letter issued on an emergency basis, it should send the notification to the Safeguards mailbox. The DES will notify the Chief and/or Senior Technical Advisor if additional guidance is needed.

11.3.36.13.5  (07-21-2015)
Report Timeliness

  1. 45 Day Notices are timely if processed to completion (Release status in e-Trak) within 30 days of case creation in e-Trak. The DES will notify their Chief if there is a delay in processing beyond 30 days and update the e-Trak notes.

  2. Processing Tax Modeling and IT notification letters often requires additional time; the DES will work with Statistics of Income (SOI), the CSR, the IRS contractor, and the Senior Technical Advisor as applicable to complete this process in a timely manner. Notify the Chief of the expected extended time frame if processing is expected to exceed the 30-day due date.

    Note:

    Non-processible letters are appropriate for use if the agency fails to meet the requirements of Publication 1075, Exhibit 6, within a reasonable time period after submission of a 45 Day Notice. The Case Responsible party should attempt to perfect the Notice as soon as possible after assignment, and within the 30-day timeframe for processing, using the appropriate method of communication (e-mail, telephone contact) and by issuing appropriate deadlines for response. If the agency fails to meet the deadline, a non-processible letter will be issued. (insert letter in exhibit)

11.3.36.13.6  (07-21-2015)
DES 45 Day Notification Processing

  1. After receipt of the assignment notice, retrieve the notification from the e-Trak document folder and save it to your hard drive.

  2. Acknowledge receipt in e-Trak by entering an e-Trak Note.

  3. Review the information provided to ensure it is within the standards in Publication 1075 and that all Exhibit 6 information was provided.

  4. If additional information is needed from the agency to process the notification, call and/or e-mail the agency POC listed in the notification as soon as possible after case assignment. The agency should respond directly to you and/or may respond to SafeguardsReports@irs.gov and cc you. Provide the agency with a specific due date for the response that is reasonable and within the 30 days allowed for processing 45 Day Notices.

  5. Document any delays in e-Trak along with the cause of such delays, and notify the Chief if delays are expected to exceed the 30-day metric for resolution.

  6. If the agency fails to respond appropriately by the due date issued, prepare the non-processible letter.

  7. Document all information received from the agency in the e-Trak case created for the Notice, and load documents and e-mails as appropriate.

  8. Prepare the Safeguards response letter for approved/confirmed Notices. Always address the letter to the Head of Agency, Director, Deputy Director, etc., if the letter was signed by them. Do not address the letter to the POC unless this is the only name identified on the letter.

11.3.36.13.7  (07-21-2015)
Notifications Involving Tax Modeling, Revenue Forecasting, or Statistical Analysis

  1. The DES must coordinate with SOI. Specific current e-mail contacts for coordination with SOI can be found in the desk guide for processing 45 Day Notices. Provide the following in this coordination:

    1. Copy of the agency’s notification

    2. Copy of the agency’s current Need and Use document

    3. If no current Need and Use document is on file, obtain a signed copy from the agency and email to the Disclosure Manager for approval.

    4. Copy of the agency’s separate statement detailing the methodology and data to be used by the contractor.

    5. Note in e-Trak the actions taken throughout the process.

    6. Resume processing of the request: once approved, incorporate SOI’s approval statement in the closing letter template.

    7. Upload the response letter to Outgoing Correspondence and the checklist to Documents (templates for each are found on the Safeguards SharePoint site)

    8. Submit to the Associate Director for signature.
