Safeguards Program

The Safeguards Program and staff are responsible for ensuring that federal, state and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.

These agencies and their contractors receiving federal tax information must protect the confidentiality of return information and are periodically reviewed by Safeguards personnel to ensure they meet the safeguarding requirements of IRC 6103(p)(4). These requirements include employee awareness programs, proper disposal, secure storage and computer security among others.

Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (PDF)
This document contains specific requirements for safeguarding federal tax information. This revision becomes effective on Jan. 1, 2014.

Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (PDF)
This revision of Publication 1075 became effective on Aug. 24, 2010 and is superseded by the Jan. 1, 2014 version.

Comments and suggestions on the revised Publication 1075 can be forwarded to the safeguards mailbox at: safeguardreports@irs.gov.

Additional Requirements for Publication 1075
Safeguarding requirements may be supplemented or modified between editions of Publication 1075 by guidance issued by the Office of Safeguards.
 

ALERTS

See “Safeguards Alert Memorandums” below for trending security concerns.


Publication 1075

Recommendations on How to Become Compliant with the New Requirements
Given the significant changes in technical safeguards requirements found in Sections 4, 5 and 6, the IRS has some recommendations for agencies to become compliant with the new requirements.

Reporting Requirements
Publication 1075 requires agencies to use approved report templates and to transmit the reports electronically. These reports must be encrypted and submitted to the safeguardreports@irs.gov mailbox.

Reporting Unauthorized Accesses, Disclosures or Data Breaches
Local, state and federal agencies receiving federal tax information (FTI) must follow the revised provisions of Section 10 of Publication 1075 (PDF) upon discovering a possible improper inspection or disclosure of FTI, including breaches and security incidents. Agencies must contact the Treasury Inspector General for Tax Administration (TIGTA) and the IRS Office of Safeguards immediately, but no later than 24 hours after identification of a possible issue involving federal tax information. Agencies are not to wait until after their own internal investigation has been conducted.

Contacting TIGTA is critical to expedite the recovery of compromised data and identify potential criminal acts. The IRS Office of Safeguards investigation focuses on identifying processes, procedures or systems within the agency with inadequate security controls which led to the incident.

Internal Inspections Reports
Section 6.3 of Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, requires that agencies receiving federal tax information (FTI) establish a review cycle for internal inspections of headquarters offices and all local/field offices that receive FTI. The Internal Inspections Report – Headquarters Office and Internal Inspections Report – Field Office are for these inspections.

In addition, these agencies must include an internal inspection of IT operations, using the Internal Inspections Report – IT Operations. Internal inspections of contractors with access to FTI and of any off-site storage facilities must also be completed. All scheduled and completed internal inspections should be provided to the IRS Office of Safeguards on the Internal Inspections Implementation Report.

Child Support Disclosure Matrix 

IRS and OCSE have been working together to clarify several FTI disclosure questions. The Disclosure Matrix is meant to provide state Child Support agencies a detailed explanation of what types of disclosures are appropriate in several circumstances.

Safeguards Technical Assistance by Topic
The IRS has recommendations and discussions on various Safeguards Program topics available for agencies to help stay in compliance. These documents may assist with preparation of reports, protecting federal tax information, and knowing the legalities of the Safeguards Program.

IRS Disclosure Awareness Videos
IRS Disclosure Awareness training videos are available for local, state and federal governmental agencies that receive federal tax information (FTI). The IRS Office of Safeguards created videos (with captions in English and Spanish) to help explain several key concepts in protecting the confidentiality of FTI.

References/Related Topics

Physical Security and Disclosure References/Related Topics
Publication 1075 requirements pertaining to the protection of FTI in a physical environment and the disclosure of FTI to other persons are available in the Safeguard Disclosure Security Evaluation Matrix.

| Document | Version | Release Date |
|---|---|---|
| Safeguard Disclosure Security Evaluation Matrix (SDSEM) (XLS) | 3.0 | 9/12/2012 |


Safeguards Alert Memorandums
The following resources address recent security trends regarding the protection of FTI.

| Document | Version | Release Date |
|---|---|---|
| Alert Memo - Windows XP End of Life | N/A | 04/09/2013 |
| Alert Memo – Multi-factor Authentication Implementation | N/A | 6/17/2013 |
| Alert Memo – Protecting FTI On Mainframes with Open Port 23 | N/A | 6/17/2013 |


Computer Security Compliance References/Related Topics
The following Computer Security Evaluation Matrix (SCSEM) downloads are available for use in preparing an IT environment that will receive, process, or store FTI.

| Document | Version | Release Date |
|---|---|---|
| Application – Generic Application SCSEM (XLS) | 1.3 | 9/26/2013 |
| Application – GenTax SCSEM (XLS) | 1.3 | 9/26/2013 |
| Application – Internet Explorer SCSEM (XLS) | 1.2 | 9/26/2013 |
| Database – DB2 SCSEM (XLS) | 1.2 | 2/12/2013 |
| Database – Oracle 11g SCSEM (XLS) | 1.1 | 9/26/2013 |
| Database – Oracle 10g SCSEM (XLS) | 1.3 | 9/26/2013 |
| Database – Oracle 9i SCSEM (XLS) | 1.2 | 2/12/2013 |
| Database – SQL Server 2000 SCSEM (XLS) | 1.2 | 2/12/2013 |
| Database – SQL Server 2005 SCSEM (XLS) | 1.2 | 2/12/2013 |
| Mainframe – ACF2 SCSEM (XLS) | 1.3 | 9/26/2013 |
| Mainframe – i5 OS SCSEM (XLS) | 1.3 | 9/26/2013 |
| Mainframe – RACF SCSEM (XLS) | 1.3 | 9/26/2013 |
| Mainframe – Top Secret SCSEM (XLS) | 1.3 | 9/26/2013 |
| Mainframe – UNISYS SCSEM (XLS) | 2.4 | 9/26/2013 |
| Management, Operational and Technical (MOT) (XLS) | 2.0 | 9/27/2013 |
| MOT Appendix – Data Warehouse SCSEM (XLS) | 1.3 | 2/12/2013 |
| MOT Appendix – Multi-functional Device SCSEM (MFD) (XLS) | 2.2 | 2/12/2013 |
| Network – Cisco IOS SCSEM (XLS) | 1.2 | 9/26/2013 |
| Network – Firewall SCSEM (XLS) | 1.2 | 9/26/2013 |
| Network – Network Assessment SCSEM (XLS) | 1.2 | 9/26/2013 |
| Network – Storage Area Network SCSEM (SAN) (XLS) | 1.2 | 9/26/2013 |
| Network – Virtual Private Network (VPN) SCSEM (XLS) | 1.2 | 9/26/2013 |
| Network – Voice Over Internet Protocol (VoIP) SCSEM (XLS) | 1.2 | 9/26/2013 |
| Network – Wireless Local Area Network (LAN) SCSEM (XLS) | 1.2 | 9/26/2013 |
| Other – Cloud Computing SCSEM (XLS) | 1.0 | 4/1/2013 |
| Other - Oracle Public Sector Revenue Management (PSRM) (formerly Enterprise Taxation and Policy Management (ETPM)) | 1.1 | 2/5/2014 |
| Other – Generic Operating System SCSEM (XLS) | 1.3 | 2/12/2013 |
| Other – Mobile Devices SCSEM (XLS) | 1.0 | 4/1/2013 |
| Other – OpenVMS SCSEM (XLS) | 1.2 | 9/26/2013 |
| Other - RSI Revenue Premier | 1.0 | 9/23/2013 |
| Other - Teradata | 1.0 | 9/23/2013 |
| Other – Web Server SCSEM (XLS) | 1.3 | 9/26/2013 |
| UNIX and Linux – Solaris, HP-UX, AIX, Red Hat, SuSE SCSEM (XLS) | 1.4 | 2/12/2013 |
| Virtualization – VMWare ESX 4.x SCSEM (XLS) | 1.2 | 2/12/2013 |
| Virtualization – VMWare ESXi 5.x SCSEM (XLS) | 1.1 | 3/7/2013 |
| Microsoft Windows 7 SCSEM (XLS) | 1.2 | 2/12/2013 |
| Microsoft Windows Server 2003 SCSEM (XLS) | 1.2 | 2/12/2013 |
| Microsoft Windows Server 2008 and 2008 R2 SCSEM (XLS) | 1.2 | 2/12/2013 |
| Microsoft Windows Vista SCSEM (XLS) | 1.2 | 2/12/2013 |
| Microsoft Windows XP SCSEM (XLS) | 1.2 | 2/12/2013 |

Page Last Reviewed or Updated: 14-Apr-2014