2.25.2  IRS Portal and Extranet Usage Standard

2.25.2.1  (08-15-2008)
Purpose

  1. This section defines the standard and directs the usage of the Public User Portal (PUP), the Registered User Portal (RUP), and the Employee User Portal (EUP). For all business applications in development prior to the ELC MS3 and all new business applications, IRS intranet users and external system interactions for these business applications shall utilize one of the three portals identified in this IRM. The IRM covers access portals required for both external web based users (individuals and systems) and internal web based users (individuals). In other words, all web based user interactions and all web based external systems interactions shall use one of the three portals identified in this IRM, as determined by the Enterprise Architecture Office (EA).

  2. It is the standard of the IRS that interactive and batch electronic connections are organized through as few portals as feasible and that the use of those portals is appropriate to the IRS' mission. Reducing the number of portals is important to achieve maximum integration of assets, reduction of costs, and standardization of security.

  3. Compliance with this portal standard by IRS organizations and users is essential to the IRS achieving enterprise goals. If there are any questions or if additional guidance on this standard is required, contact Enterprise Architecture Office at 202-283-6576.

2.25.2.2  (08-15-2008)
Portal Definitions

  1. A "Portal" as used in this standard is defined as the web based infrastructure (hardware and software) that serves as the entry point for web access to IRS applications and data. The portal provides common services such as communications services, platform services, security services, applications services, and content management services, as well as common, secure methods for accessing/updating IRS applications and data. The various portals are distinguished by whether their users are internal or external, by the nature of the interaction or exchange, and by the nature of threats, risks, and protections required by the data or applications, including the method of authentication and authorization.

  2. The PUP (formerly the Digital Daily) is the IRS external or Internet portal that allows unrestricted public access to non-sensitive materials and applications, including forms, instructions, news, and tax calculators. No authentication is required for access to any materials on the PUP.

  3. The RUP is the IRS external portal that allows registered individuals and third party users (registration and login authentication required) and other individual taxpayers or their representatives (self authentication with shared secrets required) to access IRS for interaction with selected tax processing and other sensitive systems, applications, and data. User interactions are encrypted from the user's workstation or system to the portal, across the Internet or via direct circuits. The RUP, via the Common Communication Gateway, also supports IRS extranets, such as the exchange of bulk files of information with the IRS and the Virtual Private Network (VPN) (both inbound and outbound), by registered and authorized external entities.

  4. The EUP is the internal IRS portal that allows IRS employee users to access IRS data and systems, such as tax administration processing systems, financial information systems, and other data and applications, including mission critical applications. Modernization registration and authentication are required for access to sensitive and mission critical applications, and all user interactions with those systems are encrypted from workstation to portal across the IRS internal network. The EUP allows IRS employee users with LAN accounts (Windows Network Login) to access Intranet sites, selected applications, non-sensitive data and selected sensitive processing where network encryption and modernization logon are not required (e.g., employee access to selected elements of their own personnel data). IRS network authentication is a basic requirement for access to any materials or services, and is also required to access modernization registration and authentication.

2.25.2.3  (08-15-2008)
Portal Standard Guidelines

  1. Commencing August 31, 2003, all proposed and design-phase business applications requiring end-user interactions (human-computer interactions) or external file transfer and system-to-system capabilities shall conform to this standard. Existing applications or systems in production are exempt from this standard until they undertake major changes or are replaced by modernized processing.

    Note: All planned system development efforts in the Milestone 2 & 3 Phases or before are subject to this standard.

  2. This standard does not cover stand-alone workstation software applications (e.g., office automation) which do not interact with separate systems or applications beyond standard network file sharing. Also, this standard does not apply to top security level organizations that have exceptions or have been permitted certain access to systems with the appropriate approval.

  3. The following standard statements shall be adhered to:

    1. All data and applications that do not require authentication and are or will be available to the general public shall be accessed through the Public User Portal.

    2. All interaction by external entities, which requires authentication, will be accessed through the Registered User Portal.

    3. All internal tax administration processing involving taxpayer data and subject to unauthorized access (UNAX) restrictions shall be accessed through the Employee User Portal and require modernization authentication and workstation to portal encryption. All other internal IRS employee interactions with processing systems and web sites should also be accessed through the EUP, with modernization logon and encryption requirements determined by their sensitivity and risk profile.

2.25.2.4  (08-15-2008)
Portal Identification and Assignment

  1. Exhibit 1 shows the Portal Identification and Assignment Checklist. The checklist is intended to facilitate analysis in determining the correct portal capabilities needed by a project. The checklist will gather the information required to make portal and capability assignments based on business and security requirements and will be submitted to EA. Completed checklists serve as the basis for determining portal assignments for specific processing within a project or system. Completed checklists also are used as a tool in the decision making process when waivers are requested.

  2. Note that any specific project or system may use multiple portals (e.g., a project may make public data available to taxpayers via the PUP, make sensitive applications available to taxpayers and third parties via the RUP, and make both data and applications available to employees via the EUP).

  3. Business owners proposing new applications or significant modifications to existing system interfaces shall complete the checklist. EA personnel shall assist business owners in completing the checklist. Business owners shall include the completed checklist with the project Unified Work Request (UWR), the Integrated Program Plan (IPP), and/or the Case for Action (CFA).

  4. EA shall review the completed checklists and determine the appropriate portal capabilities for the proposed application. In the event that the business owner disagrees with the portal assignment(s), the business owner may apply to EA for a waiver.

2.25.2.5  (08-15-2008)
IRS Portal and Extranet Usage Standard Governance

  1. The IRS Portal and Extranet Usage Standard will be managed and enforced by the Enterprise Architecture Office within the Modernization and Information Technology Services (MITS).

  2. EA will:

    • Facilitate communication and information flow across the Enterprise for the three IRS portals.

    • Provide guidance and communication to stakeholders across the PUP, RUP, and EUP.

    • Ensure decisions regarding the three IRS portals are executed in a timely manner.

    • Ensure that appropriate procedures, processes, and guidelines are in place for the management of the three IRS portals and other special extranets at the IRS.

    • Ensure IRS employees can access IRS data and systems and that IRS employees with LAN accounts can access Intranet sites, depending on their rights and permissions.

  3. EA is responsible for the standards and guidelines as they relate to portal web sites and will:

    • Provide standards and guidance to IRS users submitting web applications to the PUP, RUP, and EUP.

    • Ensure correct hosting environments are used based on Security standards and guidance for IRS application security levels.

    • Provide guidance to IRS users for portal environments and ensure that consistent reviews apply appropriate criteria. Support all portal standards and guideline documentation governed by MITS.

2.25.2.6  (08-15-2008)
Exception Process

  1. Waivers to portal access assignment(s) may be granted by the Enterprise Architecture Office if critical business needs cannot be met.

  2. For critical business needs and/or Congressional Mandates with schedule constraints that cannot be met by the standard mandated portal(s), waivers with a get-well plan will be required and evaluated by EA.

  3. This exception process applies to in-flight .NET applications while there is no available hosting environment in the EUP.

    EA Office/System Integration (SI) explored and recommended enhancements to the current EUP to enable .NET hosting capabilities. However, due to budgetary constraints and directional changes, SI executive management authorized the use of "Current Production Environment with Active Directory-based authentication" as a hosting environment (hereafter referred to as CPE .NET Environment) outside of the Portals.

    The CPE .NET Environment is a temporary hosting solution for in-flight .NET applications intended for IRS-internal users. All in-flight .NET-based intranet applications (applications for internal use only) are granted temporary permission to be hosted in the CPE .NET Environment until a portal infrastructure with .NET capabilities is available. For other application hosting standards, please refer to the Application Hosting Guidance posted on the PPMO web site at: http://ppmo.goportal.web.irs.gov/progress.aspx

    IA&E will implement the migration of hardware/software/application from the CPE .NET to the EUP (or new portal) after .NET capabilities in the portal infrastructure are available.

    Java-based applications must adhere to this IRM, specifically section 2.25.2.1, unless granted a waiver by SI executives.

    .NET-based intranet applications hosted in the CPE .NET Environment must:

    • Complete migration or transition to the EUP (or the new portal infrastructure) in a reasonable timeframe after .NET capabilities are made available in the EUP (or the new portal infrastructure).

    • Accept and be responsible for transition costs incurred from migrating to the EUP (or the new portal infrastructure) after .NET capabilities are made available in the EUP (or the new portal infrastructure).

    • Conform to the .NET Application Design Pattern set forth by IA&E and make the transition to the EUP (or to the new portal infrastructure) smoothly.

Exhibit 2.25.2-1  (08-15-2008)
Portal Identification and Assignment Checklist

I. Project Description
  Project Name:_________________________________________________
  Project Acronym:__________________________
  Date:___________________________________
  Submitter:____________________________________________________
  Submitter Office:_______________________________________________
  Submitter Phone Number:______________________________
  Description of Business Requirements:
 
 
 
 
 
 
  Description of Project Interface Requirements:  
   
 
 
 
 
 
II. Please check all organization/user types your proposed project supports:
  □ Individual Taxpayer
  □ Business Taxpayer
  □ IRS Employees/Contractors with IRS Equivalent Access
  □ Government Entities
  □ Third Parties
  □ Trusted Third Parties (e.g., Contractors such as CSC or Vendors such as Sun who receive a network extension to their site on a permanent or temporary basis).
  □ Other
  If you check "Other," please provide a description of the other users below:




III. How will your users or user systems access IRS systems? Please check all methods that your users will connect to IRS systems from the list below:
  □ Internet
  □ Workstations/Servers on the IRS Intranet
  □ VPN over the Internet
  □ Fixed Point-to-Point Lines
  □ Dialup to IRS
  □ Other
  If you check "Other," please provide a description of the other methods below:




IV. What types of services do you expect your application to provide?
  □ Bulk Data Transfer
  □ Interactive Applications (Dynamic)
  □ Static Information Presentation and Retrieval
  □ Web Services
  □ Other
  If you check "Other," please provide a description of the other services below:




V. What is the sensitivity of the data your application processes or accesses? Please check all data classifications your users will access from the list below:
  □ Taxpayer Data
  □ Other Sensitive but Unclassified (SBU) Data
  □ Access to Personal Sensitive but Unclassified (SBU) Data
  □ Non-Sensitive

VI. Are your applications and/or data mission critical to functioning of the IRS? Please check below if your system is mission critical:
  □ Non-Sensitive
