2.13.21  Telecommunications Encryption Standards

2.13.21.1  (09-05-2008)
Purpose

  1. This Internal Revenue Manual (IRM) pertains to all Internal Revenue Service (IRS) personnel, particularly Enterprise Networks (EN) personnel and contractors working with telecommunications encryption at the IRS.

  2. This IRM establishes minimum security controls for cryptographic devices within the IRS network and provides guidance on, and the processes for, using these devices. It supplements any existing guidance regarding the security of cryptographic devices within the IRS network.

2.13.21.2  (09-05-2008)
Deviation

  1. A temporary exception or deviation to these guidelines must be requested in writing from the Associate Chief Information Officer (ACIO) of EN, with collaboration from the Director of Modernization and Information Technology Services (MITS) CyberSecurity, and from the Department of the Treasury Security Office. The exception must describe the reasons for non-compliance, a schedule for becoming compliant, and the security measures to be taken in the interim. Refer to IRM 10.8.1, Information Technology (IT) Security Policy and Guidance, for more information on the deviation process.

2.13.21.3  (09-05-2008)
Roles and Responsibilities

  1. EN is responsible for managing telecommunications encryption in accordance with Treasury policies and IRS standards. Refer to IRM 10.8.1, IT Security, Policy and Guidance and IRM 10.8.2, IT Security Roles and Responsibilities for more information.

2.13.21.3.1  (09-05-2008)
Security Operations Duties

  1. The Director of IT Security Operations, through the Network Security Officer, is responsible for promulgating these standards and guidelines and coordinating their implementation with the ACIO of EN.

  2. The ACIO of EN is responsible for scheduling and implementing the application of these guidelines for all cryptographic devices installed within the IRS network and directing the implementation of the guidelines by subordinate telecommunications offices. The ACIO of EN also is responsible for maintaining architectural documentation reflecting the topology of IRS voice and data networks.

2.13.21.3.2  (09-05-2008)
Security Evaluation and Oversight Duties

  1. The Director of Security Evaluation and Oversight is responsible for addressing compliance with these standards and guidelines during scheduled and unscheduled security reviews and evaluations.

  2. All IRS organizations with telecommunications personnel must schedule and implement these standards and guidelines within the scope of their operations in accordance with direction from the Director of Security Evaluation and Oversight.

2.13.21.4  (09-05-2008)
IRS Encryption Standards for Data Communications

  1. Encryption must be implemented on all sensitive but unclassified (SBU) data circuits that travel outside the physical boundaries of an IRS facility. Encryption services must be provided using the following methods:

    1. Encryption algorithms that satisfy Federal Information Processing Standards Publication (FIPS PUB) 140-2.

    2. Encryption devices that employ FIPS PUB 140-2, Level 11, cryptographic modules from the National Institute of Standards and Technology Cryptographic Module Validation List.

  2. The Treasury Communications Systems (TCS) contract provides the required encryption services for all IRS circuits obtained under that contract. For circuits the IRS acquires from sources other than the TCS contract, telecommunications acquisition staff must arrange for the following required encryption services:

    1. Encryption services to be provided and managed by TCS.

    2. Installation, operation, and maintenance of encryption devices.

    3. Formal documentation of the circuit and its encryption plan to the IRS and TCS Network Management Centers (NMC) if locally acquired circuits extend beyond the IRS network.

2.13.21.5  (09-05-2008)
Procedures and Guidelines

  1. The following section provides procedures and guidelines for telecommunications encryption methods already in place at the IRS.

2.13.21.5.1  (09-05-2008)
Physical Security for Cryptographic Devices and Materials

  1. Physical security guidelines must be implemented as follows:

    1. Physical access controls over spaces containing installed cryptographic devices must be implemented in accordance with IRS requirements for controlled access areas. See IRM 1.16.8, Emergency Planning and Incident Reporting.

    2. Physical access controls over spaces containing key management devices must be implemented in accordance with IRS requirements for restricted access areas. Refer to IRM 1.16.8, Emergency Planning and Incident Reporting for more information.

    3. Cryptographic keying materials delivered to sites for holding, pending a key change by the responsible key management agent, must be afforded protection in accordance with requirements in Treasury Directive Publication (TDP) 71-10, Chapter VI.

2.13.21.5.2  (09-05-2008)
Protection of Technical Means of Control

  1. Various technical control means (e.g., bypass-lock keys, smart cards) exist for each cryptographic device. These technical control means must be protected. Required protection procedures are as follows:

    1. Technical control means must be inventoried, identification (ID) tagged, controlled, and secured upon receipt of the encryption device.

    2. A roster of individuals authorized to access and use technical control means must be maintained.

    3. Issuance of technical control means must be controlled and monitored using a standard access log. Since information varies at different sites, a standard access log template is not included with this IRM. However, the standard access log should document the date, time out/time in, name of recipient, purpose, and identity of the issuer. The log must be maintained for seven (7) fiscal years.

    4. Unless required to enable operation, technical control means must not remain installed in the device.

    5. If technical control means are required for operation, the device must be stored in a locked cabinet and access to the cabinet key must be monitored and controlled.

    6. When not installed in the device, technical control means must be stored in an appropriate security container. See IRM 1.16.12, Facility and Property Protection, for more information.

2.13.21.5.3  (09-05-2008)
Circuit and Encryptor Inventory

  1. Detailed records must be kept on encryption devices at all sites. Since information varies at different sites, a standard template is not included with this IRM. However, inventory documentation should include the following information for each device:

    1. Physical address and organizational location (such as Enterprise Networks or Application Development)

    2. Encryptor ID Number or TCS assigned Component Identifier

    3. Data Communications Utility/Trip Circuit Supervision circuit number (or equivalent)

    4. Bandwidth or speed

    5. Provider ID (TCS or other)

    6. Physical and organizational identity of the distant end

    7. Date of installation and frequency of key changes made to the unit (e.g., every 24 hours, weekly, monthly, etc.).

  2. All documentation must be updated when a system changes or is installed. Site telecommunications and site security personnel must review the documentation annually as part of an established security review process.

2.13.21.5.4  (09-05-2008)
Circuit Encryptor Operational Verification

  1. The operational status of encryption devices at all sites must be verified periodically by authorized site personnel. The required verification period depends on the size, type, and number of encryptors at the site as well as the criticality of connectivity and protection required. The following standards must be followed:

    1. The National Office, IRS campuses, and Enterprise Computing Centers must verify operational status daily.

    2. Field offices and large posts of duty (POD) must verify operational status weekly.

    3. Other PODs must verify operational status monthly.

  2. During periodic checks, the encryptor status indicator must be examined to determine whether the encryptor is operating properly (i.e., "secure" is indicated) or has failed (i.e., "bypass", "alarm", or "off" is indicated). These results must be recorded and maintained. However, since information varies at different sites, an operational status reporting standard template is not included with this IRM.

  3. Some of the newer encryptors used by TCS present an "alarm" light only, with no other indication of proper operation. The reason for an alarm, or other non-secure operation, must always be determined by opening an Information Technology Asset Management System (ITAMS) trouble ticket in accordance with circuit outage procedures. The IRS NMC must coordinate with the TCS NMC as appropriate.

  4. In the event of an observed failure, the appropriate repair organization must be notified immediately to begin a service response. The following procedures must be followed:

    1. For TCS circuits, the established trouble ticket process for each site must be followed.

    2. For non-TCS circuits, the repair/restoration maintenance process created by the acquiring telecommunications staff must be followed.

    3. In either case, a standard verification log must be controlled and maintained at each site. Since information varies at different sites, a standard verification log template is not included with this IRM. However, the standard verification log should document the date and time the trouble was observed, time the trouble was reported, trouble ticket number, estimated date and time of restoration, actual date and time of restoration, and comments (e.g., whether data was transmitted in encrypted or clear text, and whether end users or NMC were notified).

