Section 9.18.14 – Protecting FTI in a Cloud Computing Environment

To utilize a cloud computing model to receive, transmit, store, or process FTI, the agency must be in compliance with all Publication 1075 requirements and meet the following mandatory requirements with regard to the CCE:

Notification Requirements

  • The agency must notify the IRS Office of Safeguards 45 days prior to putting FTI in a cloud environment.
  • If the agency’s approved SPR is less than six years old and reflects the agency’s current process, procedures and systems, the agency must submit the Cloud Computing Notification (see Exhibit 16), which will serve as an addendum to their SPR.
  • If the agency’s SPR is more than six years old or does not reflect the agency’s current process, procedures and systems, the agency must submit a new SPR and the Cloud Computing Notification (see Exhibit 16).

Technical Requirements

  • Data Isolation. Software, data, and services that receive, transmit, process, or store FTI must be isolated within the cloud environment so that tenants sharing physical space cannot access their neighbors’ physically co-located data and applications.
  • Service Level Agreements (SLA). The agency must establish security policies and procedures based on IRS Publication 1075 for how FTI is stored, handled, and accessed inside the cloud through a legally binding contract or Service Level Agreement (SLA) with their third-party cloud provider.
  • Data Encryption in Transit. FTI must be encrypted in transit within the cloud environment. All mechanisms used to encrypt FTI must be FIPS 140-2 compliant, and operate utilizing the FIPS 140-2 compliant module. This requirement must be included in the SLA.
  • Data Encryption at Rest. FTI must be encrypted while at rest in the cloud. All mechanisms used to encrypt FTI must be FIPS 140-2 compliant, and operate utilizing the FIPS 140-2 compliant module. This requirement must be included in the SLA. 
  • Security Control Validation. Agencies must validate security control implementation claims made by cloud providers through a security plan and security control assessments.

Page Last Reviewed or Updated: 08-Apr-2014