Read cybersecurity requirements, policies and guidance before you bid on an IRS contract.
- Access, Use or Operation of IRS Information Technology (IT) Systems by Contractors PDF (July 20, 2004)
- IRM 10.5.1, Privacy and Information Protection – Privacy Policy (Sep. 15, 2023)
- IRM 11.3.24, Disclosure of Official Information – Disclosures to Contractors (Aug. 31, 2023)
- Cybersecurity requirements contract language (June 27, 2024)
- Publication 4465-A, Protecting Federal Tax Information for Contractors PDF (June 2022)
- Publication 4812, Contractor Security and Privacy Controls: Handling and Protecting Information and Information Systems PDF (Dec. 2023)
- Scanning, compliance and vulnerability requirements (May 2024)
- Cybersecurity Directives
- BOD 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems (April 29, 2019)
- BOD 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities (Nov. 3, 2021)
- BOD 23-02, Implementation Guidance for Mitigating the Risk from Internet-Exposed Management Interfaces (June 13, 2023)
- Known Exploited Vulnerabilities (KEV) Catalog
- Secure Software Development Attestation Form
- Software Bill of Materials (SBOM)
- Trusted Internet Connections (TIC) 3.0 Core Guidance Documents (Dec. 22, 2023)
- FAQ
- Laws, Regulations, Standards, and Guidance Reference (June 30, 2023)
- FIPS 140-3, Cryptographic Module Validation Program (CMVP): Security Requirements for Cryptographic Modules (Mar. 22, 2019)
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (Feb. 1, 2004)
- SP 800-40r4, Guide to Enterprise Patch Management Planning – Preventive Maintenance for Technology (April 2022)
- SP 800-53r5, Security and Privacy Controls for Information Systems and Organizations (July 1, 2023)
- SP 800-53Ar5, Assessing Security and Privacy Controls in Information Systems and Organizations (Jan. 25, 2022)
- SP 800-57, Recommendation for Key Management: Part 1 – General (May 4, 2020)
- SP 800-63-3, Digital Identity Guidelines (March 2, 2020)
- SP 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing (March 2, 2020)
- SP 800-63B, Incorporating Syncable Authenticators into NIST SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management (April 22, 2024)
- SP 800-63C, Digital Identity Guidelines: Federation and Assertions (March 2, 2020)
- SP 800-70r4, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
- SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (May 2022)
- SP 800-207, Zero Trust Architecture (Aug. 2020)
- SP 800-207A, A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Location Environments (Sept. 2023)
- SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (Feb. 2022)
- M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (Sept. 14, 2022)
- M-23-16, Update to Memorandum M-22-18 (June 9, 2023)
- Office of Federal Procurement Policy (OFPP)