Section 9.18.14 – Protecting FTI in a Cloud Computing Environment
To utilize a cloud computing model to receive, transmit, store, or process FTI, the agency must be in compliance with all Publication 1075 requirements and meet the following mandatory requirements with regard to the cloud computing environment (CCE):
- The agency must notify the IRS Office of Safeguards 45 days prior to putting FTI in a cloud environment.
- If the agency’s approved SPR is less than six years old and reflects the agency’s current process, procedures and systems, the agency must submit the Cloud Computing Notification (see Exhibit 16), which will serve as an addendum to their SPR.
- If the agency’s SPR is more than six years old or does not reflect the agency’s current process, procedures and systems, the agency must submit a new SPR and the Cloud Computing Notification (see Exhibit 16).
- Data Isolation. Software, data, and services that receive, transmit, process, or store FTI must be isolated within the cloud environment so that tenants sharing physical space cannot access their neighbors’ physically co-located data and applications.
- Service Level Agreements (SLA). The agency must establish security policies and procedures based on IRS Publication 1075 for how FTI is stored, handled, and accessed inside the cloud through a legally binding contract or Service Level Agreement (SLA) with their third-party cloud provider.
- Data Encryption in Transit. FTI must be encrypted in transit within the cloud environment. All mechanisms used to encrypt FTI must be FIPS 140-2 compliant, and operate utilizing the FIPS 140-2 compliant module. This requirement must be included in the SLA.
- Data Encryption at Rest. FTI must be encrypted while at rest in the cloud. All mechanisms used to encrypt FTI must be FIPS 140-2 compliant, and operate utilizing the FIPS 140-2 compliant module. This requirement must be included in the SLA.
- Security Control Validation. Agencies must validate security control implementation claims made by cloud providers through a security plan and security control assessments.
- Technical Assistance Memorandum
- Exhibit 16: Mandatory Notification Requirements and Technical Requirements
- Publication 1075 Tax Information Security Guidelines for Federal, State and Local Agencies and Entities
- Safeguards Program
- Additional Requirements for Publication 1075