Section 6.4 of Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, requires agencies receiving federal tax information (FTI) to establish a review cycle as follows:

  • Local offices receiving FTI: at least every three years
  • Headquarters office facilities housing FTI and the agency computer facility: at least every 18 months
  • All contractors with access to FTI, including a consolidated data center or off-site storage facility: at least every 18 months

In addition, the agency must:

  • Complete a documented schedule (internal inspection implementation report) detailing the timing of all internal inspections in the current year and next two years (three-year cycle) and
  • Develop and monitor a Plan of Action and Milestones (PO&AM), which includes all corrective actions identified and the actions the agency plans to take to resolve the findings.

The templates below assist agencies in meeting the Internal Inspections requirements. The use of these templates is not a requirement if the agency has developed documents that meet the requirements in Publication 1075, Section 6.4.

Resources