1.4.6 Managers Security Handbook

Manual Transmittal

August 02, 2016

Purpose

(1) This transmits revised IRM 1.4.6, Resource Guide for Managers, Managers Security Handbook.

Material Changes

(1) On October 1, 2014, Physical Security and Emergency Preparedness (PSEP) merged with Real Estate and Facilities Management (REFM) to become Facilities Management and Security Services (FMSS).

(2) The information previously contained in IRM 10.4.1, Managers Security Handbook was consolidated into IRM 1.4.6.

(3) This IRM was updated to reflect current organizational titles, roles and responsibilities.

(4) Changed the title of IRM 1.4.6.5 from “Protection of Information, Facility, Property and Personnel” to “Protection of Personnel, Information, Facility and Property”.

Effect on Other Documents

This IRM text supersedes IRM 1.4.6, Managers Security Handbook, dated January 1, 2003 and IRM 10.4.1, Managers Security Handbook, dated October 7, 2008. IRM 10.4.1 is effectively obsolete with the issuance of revised IRM 1.4.6.

Audience

Servicewide

Effective Date

(08-02-2016)

Related Resources

IRM 1.2.49, Delegation of Authorities for Communications, Liaison and Disclosure Activities

IRM 1.2.49.2, Servicewide Policies and Authorities, Delegation Order 11-1, Administrative Control of Documents and Material

IRM 1.15, Records and Information Management

IRM 1.15.1, Records and Information Management, The Records and Information Management Program

IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycles

IRM 1.15.3, Records and Information Management, Disposing of Records

IRM 1.17, Publishing

IRM 1.22.5, Mail and Transportation Management, Mail Operations

IRM 10.2.1, Physical Security

IRM 10.2.4, Overview of ID Media

IRM 10.2.5, Identification Card

IRM 10.2.6, Non-Enforcement Pocket Commissions

IRM 10.2.8, Incident Reporting

IRM 10.2.9, Occupant Emergency Planning

IRM 10.2.11, Basic Security Concepts

IRM 10.2.13, Information Protection

IRM 10.2.14, Methods of Providing Protection

IRM 10.2.15, Minimum Protection Standards (MPS)

IRM 10.5, Privacy and Information Protection

IRM 10.5.1, Privacy and Information Protection, Privacy Policy

IRM 10.5.2, Privacy and Information Protection, Privacy Compliance and Assurance (PCA) Program

IRM 10.5.4, Privacy and Information Protection, Incident Management Program

IRM 10.5.7, Privacy and Information Protection, Use of Pseudonyms by IRS Employees

IRM 10.5.8, Privacy and Information Protection, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments

IRM 10.6.1, Continuity Operations, Continuity Planning Requirements

IRM 10.8, Information Technology (IT) Security

IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance

IRM 10.9.1, National Security Information

IRM 10.23.2, Personnel Security, Contractor Investigations

IRM 11.3, Disclosure of Official Information

IRM 11.3.14, Disclosure of Official Information, Privacy Act General Provisions

IRM 25.2, Information and Whistleblower Awards

Document 12990, Records and Information Management - Records Control Schedules

Document 12829, General Records Schedules

Steven M. Artise
Acting Director
Facilities Management and Security Services
Agency-Wide Shared Services

Scope of the Managers Security Handbook

  1. The security risks the IRS faces vary greatly with the type, size and location of a particular facility or operation. It is therefore impractical to require rigid security procedures for risk-based situations that apply to only a few locations, or procedures designed to deal with problems that occur infrequently and have minimal impact when they do occur.

  2. This IRM section is designed to provide management and security officials with basic minimum security standards that give flexibility and allow management to incorporate additional security measures, as approved by the FMSS Security Section, when necessary to meet the demands of local geographic and demographic conditions and day-to-day operations. In addition, this IRM section includes:

    1. the minimum security standards for the entire federal tax administration as administered within the IRS.

    2. requirements for the protection of employees, facilities, equipment and infrastructure, as well as tax returns, return information, cash, negotiable instruments and other sensitive information and documents.

  3. The following are helpful resources in managing your physical security requirements:

    1. IRM 10.2.1, Physical Security Program, http://irm.web.irs.gov/Part10/Chapter2/Section1/IRM10.2.1.asp

    2. IRM 10.2.4, Overview of ID Media, http://irm.web.irs.gov/Part10/Chapter2/Section4/IRM10.2.4.asp

    3. IRM 10.2.5, Identification Card, http://irm.web.irs.gov/Part10/Chapter2/Section5/IRM10.2.5.asp

    4. IRM 10.2.6, Non-Enforcement Pocket Commissions, http://irm.web.irs.gov/Part10/Chapter2/Section6/IRM10.2.6.asp

    5. IRM 10.2.8, Incident Reporting, http://irm.web.irs.gov/Part10/Chapter2/Section8/IRM10.2.8.asp

    6. IRM 10.2.11, Basic Security Concepts, http://irm.web.irs.gov/Part10/Chapter2/Section11/IRM10.2.11.asp

    7. IRM 10.2.13, Information Protection, http://irm.web.irs.gov/Part10/Chapter2/Section13/IRM10.2.13.asp

  4. The following are helpful resources in managing information security:

    1. IRM 1.15, Records and Information Management, http://irm.web.irs.gov/indexes/numerical/default.asp?partno=1&anchor=#chapter15

      Note:

      Managers are responsible for ensuring their employees comply with the records and files management lifecycle (hardcopy and electronic), including creation, maintenance, retrieval, preservation and disposition of all records, to avoid unlawful destruction of records.

    2. IRM 10.5.1, Privacy and Information Protection, Privacy Policy, http://irm.web.irs.gov/Part10/Chapter5/Section1/IRM10.5.1.asp

    3. IRM 10.5.2, Privacy and Information Protection, Privacy Compliance and Assurance (PCA) Program, http://irm.web.irs.gov/Part10/Chapter5/Section2/IRM10.5.2.asp

    4. IRM 10.5.4, Privacy and Information Protection, Incident Management Program, http://irm.web.irs.gov/Part10/Chapter5/Section4/IRM10.5.4.asp

    5. IRM 10.5.7, Privacy and Information Protection, Use of Pseudonyms by IRS Employees, http://irm.web.irs.gov/Part10/Chapter5/Section7/IRM10.5.7.asp

    6. IRM 10.5.8, Privacy and Information Protection, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments, http://irm.web.irs.gov/Part10/Chapter5/Section8/IRM10.5.8.asp

    7. IRM 10.8, Information Technology (IT) Security, http://irm.web.irs.gov/indexes/numerical/default.asp?partno=10&anchor=#chapter8

    8. IRM 10.9.1, National Security Information, http://irm.web.irs.gov/Part10/Chapter9/Section1/IRM10.9.1.asp

    9. IRM 11.3, Disclosure of Official Information, http://irm.web.irs.gov/indexes/numerical/default.asp?partno=11&anchor=#chapter3

Responsibilities of Facilities Management and Security Services

  1. The Chief, Agency-Wide Shared Services (AWSS), is authorized to prescribe this Managers Security Handbook for use within the IRS.

  2. The Director, FMSS, is responsible for oversight of this IRS program.

  3. The Associate Director (AD), Security Policy, is responsible for:

    1. planning, developing, evaluating, and controlling this IRS program.

    2. reviewing and updating the minimum physical security standards, and other instructions provided in the physical security IRM sections.

    3. conducting physical security program evaluations to ensure compliance with the minimum physical security standards.

    4. reviewing all functional security procedures for implementation Servicewide to ensure compliance and coordination with prescribed physical security standards.

Responsibilities of Managers

  1. Managers are responsible for ensuring the continued operation of the federal tax administration system by taking all reasonable actions to prevent the loss of life and property, the disruption of services and functions, and the unauthorized disclosure of documents and information. Every manager in the IRS is responsible for ensuring compliance with the minimum standards and policies contained herein. Managers must ensure employees have knowledge and understanding of roles and requirements within the physical security programs.

  2. Managers may find that in order to accommodate the unique needs of their organization, it is necessary to develop security measures that exceed the minimum standards. Managers are responsible for reviewing internal management documents that provide additional physical security measures for the unique needs of their organization. They must ensure that originators of physical security procedures for their function's manual refer to the instructions in IRM 10.2.1, Physical Security, and ensure that instructions of physical security procedures are routed through FMSS AD, Security Policy for review and coordination before issuance.

  3. All managers are responsible for ensuring that the level of protection provided to prevent unauthorized disclosure of sensitive information is commensurate with the information's level of sensitivity. Managers are also responsible for ensuring that the level of protection afforded to the media containing the information is commensurate with the value of the media. The minimum standards may provide adequate security for one functional area, while in another area management may determine a need to develop safeguards which exceed the minimum standards. These safeguards would not become the IRS standard, but rather would be applied only to the functional area. This added flexibility requires continuing analysis in order to ensure the adequacy of security measures.

  4. Exhibit 1.4.6-2, Protectable Items, describes specific safeguards for the protection of particular items. Managers must notify FMSS AD, Security Policy of any changes to Exhibit 1.4.6-2 for which they are responsible.

  5. Managers must ensure that the physical security measures required for protecting life, information, property and all government assets are applied within their area of supervision and that those measures meet the established minimum security standards. Consultation with the physical security section staff is necessary.

  6. Management at all levels will maintain effective controls to prevent fraud, waste, or abuse of government resources and mismanagement of IRS programs. The control systems will provide reasonable assurance that all resources are safeguarded from unauthorized use or disposition. The basic standards and principles of the control system for all managers are:

    1. Documentation — Clearly written instructions for all financial transactions, accounting for resources and internal control requirements will be readily available.

    2. Accountability — Transaction registers will be maintained and reviewed periodically for the purpose of determining whether or not the transactions were properly authorized. Exceptions must be investigated and corrective action must be taken.

    3. Separation of Duties — Duties such as authorizing, recording, issuing, receiving, making payments and reviewing or auditing will be assigned to separate individuals to minimize the possibility of fraud, waste, or abuse going undetected.

    4. Supervision — Qualified and continuous supervision will be provided to ensure compliance with procedures. Periodic reviews will be conducted by responsible managers.

    5. Access to Resources — Direct physical access to resources and indirect access by preparation or processing of documents will be limited to authorized personnel.

    6. Competent Personnel — Care will be taken that key personnel are of high integrity and are competent by education, training, or experience to accomplish their duties.

    7. Reasonable Assurance — Internal control systems will provide reasonable assurance that the objectives of the systems are met. The cost of controls must not exceed the benefits.

    8. Reporting Violations — All managers will ensure that possible violations of the internal control systems will be expeditiously reported according to established procedures.

  7. Managers must ensure that employees are aware of and comply with established security procedures for protecting the information, records, property and documents with which they are entrusted, and for reporting loss, as well as any security violations, to the proper authority.

Limiting Access

  1. A guiding principle of security within IRS is "limiting access to assets based on need." This principle is the basic premise for most of our security programs. When applied to information security, this translates into limiting access to documents on a need-to-know basis. With regard to physical security, it means restricting entrance to rooms, areas, or facilities based on the individual's duties or responsibilities.

  2. The need to maintain reasonable security at all IRS facilities at all times requires that only authorized visitors be permitted to enter the facility. Providing tours for interested, non-tax related individuals, or groups for purposes of orienting them with facility operations is NOT authorized.

  3. Official visits by individual tax preparers, tax accountants, news media representatives and other professional tax oriented individuals and groups may be permitted at the discretion of the director of the facility or Senior Commissioner Representative (SCR), in coordination with Communication and Liaison (C&L), the local Physical Security staff and in keeping with security requirements.

  4. For additional guidance see IRM 10.2.11, Basic Security Concepts.

Determining Need

  1. Determining the need to access information, documents, rooms, areas or facilities is based on whether or not an individual needs access to perform assigned duties and responsibilities. Does the individual need to know? Does the individual need to enter a secured area?

  2. The determination of needs and the subsequent decision to grant access to an asset is a function of management. Once the determination is made, local Physical Security staff should be consulted to assist in selecting the appropriate means to achieve the desired level of control.

  3. While the safeguards presented in this handbook provide protection against environmental threats (fire, power failures, etc.) and natural disasters (hurricanes, floods, etc.), most of the protection methods are designed to protect against such human threats as:

    1. acts of violence

    2. accidental/deliberate alteration or destruction of information or property

    3. bomb threats

    4. demonstrations/riots

    5. fraud

    6. sabotage

    7. theft

    8. unauthorized disclosure

    9. unauthorized entry

    10. vandalism

  4. The methods of protection are designed for protection after normal duty hours or at any time the assets to be protected are not under the personal custody of authorized IRS employees. The methods of protection are also designed to limit access by non-IRS individuals who may require access to IRS facilities.

  5. Because any single safeguard is often insufficient protection for any asset, the concept of layering of safeguards was developed to provide in-depth security. To facilitate understanding of in-depth security, it is important to have some understanding of what must be considered before a decision can be reached regarding the appropriate safeguard, or combination of safeguards, required for a particular asset. The value of the asset and any applicable laws are the primary considerations. Once these are determined, then the problem of unauthorized access is approached by one or all of these methods:

    1. Deter

    2. Detect

    3. Deny

    4. Delay

    5. Defend/Respond

    Exhibit 10.2.11-3, Safeguards and Their Related Protection Functions, found in IRM 10.2.11, Basic Security Concepts, provides additional information on safeguards and their related protection functions.

Protection of Personnel, Information, Facility and Property

  1. Ideally, physical security measures would provide a facility with absolute protection from a host of threats. However, due to physical, operational, and financial limitations, absolute security is neither possible nor practicable. Therefore, a practical approach to physical security is essential; it protects personnel, information, facilities and property by employing a combination of measures to deter, detect, deny, delay and defend against unauthorized entrants, without being so restrictive that security itself becomes a disruption.

  2. Information such as training material, statistical files and various internal communications may require protection from disclosure and undesired dissemination. The manager of the function originating the information will determine the degree of protection required, based upon policy requirements, and will work with the local Physical Security staff to implement appropriate protective measures.

  3. It is incumbent upon managers to ensure employees are trained to operate Physical Security systems installed in their space as necessary to aid in the protection of IRS assets.

Minimum Protection Standards (MPS)

  1. The Minimum Protection Standards (MPS) system establishes a uniform method for protecting data and items which require safeguarding. This system contains minimum standards which will be applied on a nationwide basis. The MPS system has been designed to provide management with a basic framework of minimum physical security requirements which will provide greater flexibility in dealing with local conditions. Since local factors may require additional physical security measures, management must analyze local circumstances to determine space, container and other physical security needs at individual facilities. For additional guidance see IRM 10.2.15, Minimum Protection Standards (MPS), and IRM 10.2.11, Basic Security Concepts.

  2. Standard — All protectable items must be afforded a minimum of locked container, perimeter, interior or secured area of protection. Exhibit 1.4.6–1 Protection Alternative Chart, identifies protective requirements and Exhibit 1.4.6–2 Protectable Items, provides a list of protectable items and their security designations. Items and data to be protected are divided into three groups as outlined and defined in IRM 10.2.15, Minimum Protection Standards (MPS):

    1. Normal Security (NS) — All information which has not been identified as requiring High Security or special protection,

    2. High Security (HS) — Items which require greater than normal security due to their sensitivity and/or the potential impact of their loss or disclosure,

    3. Special Security (SP) — Items which require a specific type of containerization, regardless of the area in which security is provided, due to special access control needs.

  3. Containers — Containers are grouped into three categories:

    1. Lockable container — any metal container with riveted or welded seams which is locked and to which keys and combinations are controlled per IRM 10.2.14, Methods of Providing Protection.

    2. Security container — lockable metal container that has a tested resistance to penetration and is approved by the FMSS Security Policy office for storage of high security items (e.g. metal lateral key lock file w/security modifications, metal lateral file equipped w/lock bars on both sides, etc.).

    3. Safes and vaults — safes which have been accepted for general use by the IRS can be identified by General Services Administration (GSA) approval as Class I, II, IV or V or Underwriters Laboratories Listings of TL-30, TRTL-30, TRTL-60 or TXTL-60. Vaults must have been constructed to specifications approved jointly by IRS and GSA.

  4. All space can be classified as either secured or non-secured. Secured areas are perimeter and/or internal areas which have been designed to prevent undetected entry by unauthorized persons.

Space Planning

  1. It is imperative that security considerations be addressed whenever IRS space is designed, acquired, altered or redesigned. Failure to consider adequate security during the early phases of space planning generally will result in costly modifications. In open floor plans (large open areas with no walls), design planners must ensure that acoustical planning is considered in order to minimize the potential for inadvertent, unauthorized disclosures and to achieve an acceptable level of ambient noise. In addition, with the increased use of automated systems, it is important to consider placement of computer terminals in IRS open space in order to avoid unauthorized disclosures. Additional information regarding space design and planning is outlined in the IRS National Workspace Standards, https://portal.ds.irsnet.gov/sites/REFM/Shared%20Documents/Project%20Management/Furniture%20Acquisition/IRS_NWS.pdf.

  2. Standard — Managers and the Physical Security functions are responsible for:

    1. developing local procedures which reflect shared responsibility, necessary coordination and mutual approval, in order to assure that both organizations are notified in a timely manner of plans for design or redesign of new or existing space.

    2. coordinating requests for procurement of guard services, security devices, waste destruction, and other services (keys, locks, containers).

    3. utilizing sensor/detection devices or making sure protectable items are stored in locked containers during non-duty hours if limited areas are co-located within non-limited areas.

  3. All managers will ensure that space planning, particularly in open floor plans, provides:

    1. perimeter security commensurate with the needs of the most critical operations to be performed in the office.

    2. use of barriers, as needed, to separate operational areas and minimize traffic.

    3. aural and visual privacy to minimize inadvertent disclosures of tax and privacy data.

    4. appropriate containers for the storage of protected items during non-duty hours or when not under the control of an authorized employee.

  4. For additional guidance see IRM 10.2.11, Basic Security Concepts.

Limited Areas

  1. Under the Limited Area concept (formerly referred to as "Restricted Area" concept), entry to critical areas is controlled and access is limited to those individuals who actually work in the area or have demonstrated a legitimate need to enter the area. Limited Areas are designated and identified as Limited Space. Thus, the term Limited Area denotes an area to which entry is limited to authorized personnel only during normal working hours. The use of Limited Areas is an effective method of controlling the movement of individuals and eliminating unauthorized traffic through critical areas, thereby reducing the opportunity for unauthorized disclosure, theft or alteration of tax information. All Limited Area space will be identified by FMSS Territory Managers (TM) and/or FMSS Physical Security Specialists based on identified critical assets. Business Unit (BU) managers must ensure provisions are made to store protectable items in appropriate containers during non-duty hours.

  2. Standard — All managers will work with the local FMSS Physical Security office to determine the best method of complying with limited area physical security requirements. All managers will assure that:

    1. Limited Areas are easily identified by the presence of signs stating "LIMITED AREA" and should be separated from non-limited areas with physical barriers (walls, monitors, etc.) which control access. Ropes or stanchions are not acceptable.

    2. the number of entrances is kept to a minimum, and each entrance will be controlled. At entrances equipped with card readers, employees assigned to the area will use their access card and PIN (if required) to unlock the door every time they enter the area. At entrances not equipped with card readers, a monitor will control access by having authorized employees display their ID card each time they enter the area.

    3. appropriately coded ID cards are worn at all times by all personnel within each Limited Area. However, in instances where the SmartID is being utilized for work processes, i.e. Mandatory SmartID Sign-On, it is allowable to not have the ID card displayed above the waist as long as it is in the employee’s physical possession at all times. Any individual in the area not wearing an appropriately coded ID will be immediately reported to the manager.

    4. at a minimum, a monitor will be located at the main entrance of each Limited Area. The monitor is responsible for assuring that only authorized personnel with an official need enter the area. If any unauthorized individual attempts to access the area, the monitor must immediately report the attempt to the manager.

    5. Form 5421, Limited Area Register, http://www.publish.no.irs.gov/cat12.cgi?request=CAT1&catnum=42517, is maintained at the main entrance of each limited area, and all visitors will be directed to this entrance to sign the register, show appropriate identification and be assigned a visitor ID. Each Limited Area Register will be closed out at the end of each month, reviewed by the Limited Area front line supervisor and forwarded to their manager. The manager will review the register and retain it for at least one year. The managerial review is designed to ensure that only authorized individuals with an official need have access to the Limited Areas.

    6. the department manager of the Limited Area must approve all names added to the Authorized Access List. The Authorized Access List will be prepared monthly and will be dated and signed by the manager. Before signing the access list the manager must validate the need of individuals to access the Limited Area. If there is no change in the Authorized Access List, the manager may re-validate by signing and re-dating the list. Care must be taken to ensure that only individuals with a need are granted access. At the end of each month the manager will review the Authorized Access List and the Limited Area Register and forward to the local Physical Security office for review and to modify ID media/access as appropriate.

  3. For additional guidance see IRM 10.2.14, Methods of Providing Protection.

Secured Areas/Perimeters

  1. The standards previously presented for Limited Areas (formerly referred to as "Restricted Area") dealt with the need to control access to selected areas during normal work hours. Secured areas/perimeters are used to control access during non-work hours. Since employees are not present during non-work hours to prevent unauthorized persons from entering the area, various safeguards are used to secure the protectable materials.

  2. Standard — Secured areas are perimeter and/or internal areas which have been designed to prevent undetected entry by unauthorized persons during non-duty hours. All managers whose operations are located in limited and secured areas will ensure that the safeguards used to protect the secured area are functioning and that all employees are familiar with these operations. The local Physical Security office will assist in determining the best method of compliance with the secured area/perimeter security.

  3. For additional guidance see IRM 10.2.11, Basic Security Concepts, and IRM 10.2.14, Methods of Providing Protection.

Controlled Areas

  1. In some offices, managers may have a need to control access between work areas during duty hours for production or other administrative reasons. The functions performed in the area do not require the restrictive measures required for Limited Areas but do require minimal control over access. Consultation with local Physical Security staff may be necessary.

  2. Standard — Local management may determine that areas under their jurisdiction require some form of access control. Controlled areas can be established as local management determines. BU managers must provide justification to the local Physical Security office for review and consideration. The local physical security office will ensure proper implementation of formal physical security controls which are policy compliant and appropriate for the controlled area. For additional guidance see IRM 10.2.11, Basic Security Concepts.

Key and Combination Control

  1. Keys, key cards and combinations to locks are a means of controlling access. Access to a locked area or container can be controlled only if the key, key card or combination is controlled. The physical security provided by a particular locking system is lost if the key, key card or combination is not strictly controlled or becomes compromised in any way.

  2. Standard — Managers must ensure that keys, key cards and combinations are issued only to persons with an official need to access the area or container and that these persons are reminded of their responsibility to safeguard these items. Individuals assigned keys, key cards and combinations may not share these with any other individual. BU managers will ensure all keys and key cards are returned when an employee or contractor separates.

    1. Combinations must be protected and not written on note pads, calendars, etc. Requests for door keys (including key cards) and door key duplications will be approved by the employee’s manager and FMSS. Groups of keys to a particular area may be issued to the responsible manager for their control and issuance. No more than three (3) keys are authorized for each locking mechanism unless approved by the local FMSS Physical Security Section Chief based upon a justified business need. The request will be made in writing and include a justification. Costs for additional keys will be borne by the requesting BU.

    2. Security container/safe/vault keys and combinations will be recorded on a Standard Form (SF) 700, Security Container Information, which will be maintained at the next higher level of management and stored in a container which provides at least the same degree of protection as the item the combination is protecting.

    3. Container/safe/vault combinations must be changed:

      1. when an employee who knows the combination leaves on a job transfer, retires, or terminates employment and other countermeasures are not in place to prevent their access.

      2. when the combination is compromised in any way.

      3. at least once a year.

      4. when the safe or lock is originally received.

    4. Criminal Investigation (CI) will maintain their own key and combination control, complying with the above standards, except no approval for duplicate keys is required by the local Physical Security office and control of SF 700 will remain in CI only.

  3. For additional guidance see IRM 10.2.14, Methods of Providing Protection, "Control and Safeguarding of Keys and Cipher Lock Combinations".

Information Protection

  1. The protection of information is of vital concern to the IRS. All employees of the IRS that have or have had access to tax returns or return information and privacy information are prohibited by statute from disclosing such information except as authorized by applicable law or regulation. For additional guidance see IRM 11.3, Disclosure of Official Information. Information security includes information stored on handheld communication devices, external storage devices, computers, laptops or hard copy documents. In addition to tax data there are many other documents that require protection from disclosure.

  2. Standard — Every effort must be made to ensure that all documents are provided protection commensurate with the information therein. Tax data and privacy information will be properly protected during duty and non-duty hours, transmitted in a traceable manner, and protected from inadvertent disclosure when in use. Documents containing information that require protection must be stored in accordance with minimum protection standards whenever they are not in the custody of an authorized IRS employee. For additional guidance see Exhibit 1.4.6–2, Protectable Items, and IRM 10.2.13, Information Protection.

Privacy Act Information

  1. The Privacy Act of 1974, 5 USC 552a, provides comprehensive statutory recognition of an individual's right to privacy. Recorded information which is retrieved by reference to a name or other personal identifier, such as a social security number, is privacy information. The purpose of the act is to give citizens more control over what information is collected about them by federal agencies and how that information is used. The act specifies that agencies will establish appropriate administrative, technical, and physical safeguards to ensure the security of records and protect records against any anticipated threats or hazards to their security or integrity which could cause substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom information is maintained. For additional guidance see IRM 11.3, Disclosure of Official Information.

  2. Standard — Managers will ensure privacy information is protected from inadvertent disclosure when in use, stored in a manner that will prevent unauthorized access during non-duty hours, and destroyed by an approved method (i.e. shredding, pulping, disintegration or burning). For additional guidance see IRM 11.3.14, Privacy Act General Provisions. Any disclosure of information must be reported to Privacy, Governmental Liaison and Disclosure (PGLD) in accordance with IRM 10.5.4, Privacy and Information Protection, Incident Management Program.

Informant Information

  1. Persons furnishing information on tax violations expect and deserve to have their identity kept secret. All employees must, therefore, handle such information in strict confidence. Such information must be given special handling to avoid disclosure to other than those employees having a need to know. In order to maintain maximum security, informant communications, claims for rewards, reward reports, memorandums or other documents which identify informants will be afforded containerized protection at all times, except when such documents are being processed. Access to such storage containers will be limited to the person/persons responsible for the security of the documents. For additional guidance see IRM 25.2, Information and Whistleblower Awards.

National Security Information

  1. National security information is any information, regardless of form, pertaining to the national defense or foreign relations of the United States, that is owned by, produced by/for, or is under the control of the U.S. Government. Executive Order 12958, Classified National Security Information, prescribes a uniform system for classifying, safeguarding, and declassifying national security information. Classified national security information, commonly referred to as classified information, is information that requires protection against unauthorized disclosure. Classified information is marked Top Secret, Secret or Confidential to indicate its classified status when in documentary form. For additional guidance see IRM 10.9.1, National Security Information.

Sensitive But Unclassified (SBU) Information

  1. Sensitive But Unclassified (SBU) information is any information of which the loss, misuse, or unauthorized access to or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5 (the Privacy Act) or other laws. SBU is also known as Official Limited Information. Unauthorized disclosure of SBU may reduce the effectiveness of the federal tax administration system, violate law or adversely affect the national interest, conduct of federal programs, or the privacy to which individuals are entitled under the Privacy Act. SBU can be in paper, electronic or material form. Regardless of its form or markings, SBU information requires special handling to prevent its loss, misuse, alteration or unauthorized disclosure. For additional guidance see IRM 10.2.13, Information Protection.

  2. Previous designations to label sensitive information such as Limited Official Use, For Official Use Only, Market Sensitive, Close Hold, Eyes Only, Privileged or Proprietary, et al., will be discontinued in identifying SBU information produced within IRS unless a particular term is authorized by law, statute, or agency regulation. For additional guidance see IRM 10.2.13, Information Protection. Information so marked is not meant for public release but controlled or restricted in conducting official IRS business. Access to SBU will be based on a determination that an employee, contractor personnel or consultant requires access to specific SBU information in order to perform or assist in lawful, authorized, governmental functions. A security clearance is not required to access SBU information.

  3. Standard — Managers at all levels are responsible for security of information under their control regardless of its form and for ensuring the information is properly safeguarded. For additional guidance see Delegation Order 11-1, Administrative Control of Documents and Material, in IRM 1.2.49, Delegation of Authorities for Communications, Liaison and Disclosure Activities, IRM 11.3, Disclosure of Official Information, IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, and IRM 10.5.8, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments.

Records and Documents

  1. Records and documents created or received by the IRS in connection with operational and administrative activities are official information and the property of the United States Government. In accordance with 18 USC 2071, Concealment, Removal, or Mutilation Generally, it is unlawful to remove records or documents from the custody of the IRS except in accordance with prescribed procedures. The Tax Reform Act of 1976 provides that returns and return information are to be confidential and not subject to disclosure, except as specifically provided in IRC 6103, Confidentiality and Disclosure of Returns and Return Information, or other sections of the Internal Revenue Code. IRM 11.3, Disclosure of Official Information, contains guidelines governing the release of data included on tax returns and other information contained in IRS files.

  2. Standard — Records and documents in the custody of IRS employees will not be disclosed to the public, except through approved disclosure procedures, and will be protected from disclosure to other employees who do not have a need to know the information. In addition to guarding against unauthorized disclosure of tax information by IRS employees, steps must be taken to prevent the possibility of such disclosures by non-IRS personnel. Care must be taken to deny unauthorized non-IRS personnel access to areas other than those which have been established for serving the public. All those persons with a "need to know", such as certain government contractors and vendor personnel, must be informed of the protection requirements under the law to prevent unauthorized disclosure. This can be best accomplished in writing, citing the prohibitions, restrictions and penalties for unauthorized disclosure of tax returns, return information and PII. For additional guidance see IRM 1.15.1, The Records and Information Management Program.

Mail

  1. A large volume of the IRS assets such as tax returns, remittances and government checks are transmitted by mail. The theft of mail can easily occur when left unattended on receiving docks or in building lobbies without protection.

  2. Standard — Incoming mail, not being distributed or processed, will be stored in a secured area or in locked containers. Mail, incoming or outgoing, will not be left unattended in areas open to the public. For additional guidance see IRM 10.2.13, Information Protection, and IRM 1.22.5, Mail Operations.

Protection at Taxpayer's Site

  1. At times, field employees may have sensitive and/or Personally Identifiable Information (PII) at the taxpayer's site (the location where the taxpayer conducts business or houses tax information) which should be stored at an IRS facility. Due to local conditions, it is not always possible to remove the information from the taxpayer's site and store it at an IRS facility. Managers must ensure that employees understand the importance of securing such information at the taxpayer's site in a lockable container when not in use.

  2. Standard — IRS employees are responsible for securing sensitive tax information while at the taxpayer's site. Sensitive tax information, such as agent's work papers, original returns, examination plans, fraud data, etc., which is housed at a taxpayer's site must be stored in a security container under the control of the responsible employee. The taxpayer cannot have access to this container. If a security container is not available, this data may not be stored on the taxpayer's premises during non-duty hours. During duty hours, the data must be under the personal custody of the employee when it is not containerized. Personal custody exists when a responsible IRS employee or other designated person (e.g. armored car service employee, authorized employee of a contract firm) has possession of, or visual contact with, a document or item of property. For the purpose of this definition, visual contact is limited to the person's desk or immediate work area over which he/she has physical control. For additional guidance see IRM 10.5, Privacy and Information Protection.

Protection Outside of IRS Offices

  1. While on official travel it is often necessary for employees to carry tax data, laptops, taxpayer's checks and money orders, etc. Employees are held responsible for the loss, theft or disappearance of IRS property when attributable to negligence. Recovery of documents may not necessarily be a mitigating circumstance after the loss.

  2. Standard — All sensitive information must be provided adequate safeguards. Employees in custody of sensitive information or IRS property while outside of an IRS office must protect such items to the maximum extent possible. Managers will caution employees against leaving PII or IRS property in automobiles, motel/hotel rooms, public conveyances, taxpayer's offices, etc. If there is no alternative, and PII must be left in a vehicle, it must be locked in the trunk. However, the vehicle must be locked and the material unattended for only a short period of time. It may not be stored in a vehicle overnight. For additional guidance see IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Transmission

  1. The IRS routinely ships tax returns and return information between IRS locations, as well as to other federal and state agencies. Such data in transit is especially vulnerable to loss, destruction and disclosure. Such loss could result in irreparable damage to the government or taxpayers, delay tax processing, and damage the public image of the IRS. For additional guidance see IRM 10.2.13, Information Protection.

  2. Standard — All shipments of tax returns and return information from any processing or computing center, area office, posts of duty, or other agencies and jurisdictions will be documented and monitored to ensure accountability and receipt for each shipment. Every IRS facility engaged in the shipment of tax returns and tax information will designate individuals to be responsible for monitoring the shipments.

Disposition and Destruction

  1. The purpose of destroying waste material generated in the processing of tax documents or other related documents is to prevent the information from being disclosed to unauthorized personnel. Disposition and destruction of tax information must be in accordance with IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycles. Refer to Document 12990, Records and Information Management, Records Control Schedules; Document 12829, General Records Schedules; and IRM 1.15, Records and Information Management, for records retention and disposition requirements before documents can be destroyed.

  2. Standard — Although IRS employees may know the proper methods of destroying tax data, management must reinforce this knowledge by including document destruction as a topic in orientation sessions, periodic group meetings and other awareness sessions. Managers will ensure that waste material generated in the processing of tax documents, protected data or other related documents is destroyed by shredding, pulping, disintegrating, burning or any other manner which, in the judgment of the responsible security official, renders the information contained in such material irrecoverable.

Clean Desk Policy

  1. To improve the level of protection provided tax (PII) and privacy data, the IRS has adopted a clean desk policy. This initiative particularly lends itself to non-secure areas.

  2. Standard — All tax (PII) and privacy data, when not in the custody of an authorized IRS employee, must be stored in locked containers. Protected data must be locked in containers in areas where non-IRS personnel may have access during non-duty hours. FMSS Directors and other executive official levels of Submission Processing Centers, Computing Centers, and Customer Service Sites may exempt certain mass processing areas (pipeline type operations), but the exemption must be justified (e.g. containerizing will be so disruptive as to cause critical delays in processing) and documented. An exemption will not be granted just as a matter of convenience. Exceptions must be sent through the local FMSS Physical Security office for review and approval annually. Items identified as requiring Special Security (SP) may not be exempted from the clean desk policy. Due to special access control needs, these require a specific type of containerization regardless of the area security provided. For additional guidance see IRM 10.2.14, Methods of Providing Protection.

Security Awareness

  1. A security program is enhanced when all managers and all employees are aware of security requirements, including the reasons for each of the security requirements they are expected to follow or enforce. Security awareness is encouraged and strengthened by the attitudes and actions of managers. If managers can explain the need for security in various situations, the employees will usually accept the need as an integral part of their responsibilities. The key to an awareness program is to show how the requirements relate to the work in which an employee is involved. For example, awareness efforts directed toward computer room employees must relate to security requirements in a computer room, while those efforts directed toward a tax auditor must relate to protecting the privacy of the taxpayer and the sensitivity of the tax return and return information.

  2. Standard — To ensure that all employees and managers are made aware of security requirements, a security awareness program will be implemented. Every security awareness program will include:

    1. the annual Physical Security Mandatory Briefing contained in ELMS.

    2. security as a regular topic at periodic managerial meetings.

    3. a security orientation of all new employees within the first week following employment. All seasonal employees will be given a refresher orientation during their first week or if they have been in non-work status for at least nine months. Local management will determine who will provide the orientation.

    4. periodic security briefing sessions conducted throughout the year by all processing/computing center supervisors. Security briefing sessions will also be provided at the beginning of each filing season.

    5. a briefing to each employee of special security requirements pertaining to their particular work area will be provided by managers. The briefing will occur within the first 30 days of the date the employee reports for duty.

Protection During Office Moves

  1. When it is necessary for an office to move to another location, plans must be made to properly protect and account for all tax data and other information, as well as government property. The circumstances of the move must be carefully considered (e.g., the distance involved and the method to be used in making the move).

  2. Standard — Managers will make sure that tax documents and other sensitive information are kept in locked cabinets or sealed in packing cartons while in transit. Accountability will be maintained to ensure that cabinets or cartons do not become misplaced or lost during the move. This can be accomplished by numbering the cabinets or cartons and maintaining a corresponding list of the numbered cabinets/cartons and what each contains. Throughout the move, sensitive material will remain in the custody of an IRS employee with the appropriate clearance and need to know. The precautions taken to protect government property during the move will be commensurate with the type and value of property involved. Small items of high value will be packed in cartons or moved in locked cabinets. Accountability will be maintained throughout the move. For additional guidance see IRM 10.2.13, Information Protection.

Emergency Planning

  1. The federal tax administration system is of vital importance to the economy of the United States and its protection must be assured at all times. To provide adequate protection, it is necessary to develop plans and procedures that will reduce the effect of incidents and emergencies. Incidents and emergencies are any situation or condition at the global, national, or local level that threatens or has the potential to threaten the safety and security of employees, information, systems, equipment, facilities and/or infrastructure. For additional guidance see IRM 10.2.9, Occupant Emergency Planning.

Reporting Incidents

  1. One aspect of emergency management is the timely reporting of significant conditions or situations. Prompt reporting of incidents is essential in order to advise all levels of management of conditions that affect the operation of the IRS. Trends or patterns detected as a result of the analysis will assist in development of effective countermeasures to minimize the effect of future disruptions. Incidents must be reported to the Situation Awareness Management Center (SAMC), http://gdi.web.irs.gov/archibus/schema/ab-products/gdi/samc/csi_samc_reporter_report_incident.axvw or 1-866-216-4809; any privacy issues will be routed to PGLD at 267-941-7777. All cybersecurity incidents will be routed to the Computer Security Incident Response Center (CSIRC) and to executive levels so that they may be aware of situations that could require their immediate assistance or that result in the need to respond to inquiries from Treasury, other federal agencies or the news media. For additional guidance see IRM 10.2.8, Incident Reporting, for specific policy. In accordance with IRM 1.15.3, Records and Information Management, Disposing of Records, employees should report, in writing to their Records Specialist or the IRS Records Officer, any unauthorized, unlawful, or accidental destruction, defacing, or alteration of records in their custody or the IRS custody. Also see 36 CFR Section 1228.104.

  2. Standard — Managers are responsible for making sure that incidents, unusual situations, potential incidents or situations affecting or which may affect the operations of the IRS are reported as quickly as possible. Managers must make sure that all employees are familiar with incident reporting procedures and have access to the names and numbers of authorities charged with responding to incidents.

Occupant Emergency Plans

  1. Occupant Emergency Plans (OEP) are an essential part of a security program. Properly developed plans can reduce the threat to personnel, property, and other assets while minimizing work disruption. For additional guidance see IRM 10.2.9, Occupant Emergency Planning.

  2. Standard — GSA requires an OEP to be prepared for all federally occupied space. If the IRS is the primary occupant agency (the agency with the largest population in the facility) the designated official will develop, maintain and test the occupant emergency plan. The designated official is the highest ranking official of the primary occupant agency. Emergency situations must be addressed so that personnel will know what procedures to follow. Situations and incidents which should be included in the OEP are: bomb threats, explosions, demonstrations, Shelter in Place (SIP), utility disruptions or failures, natural disasters, disruptive weather, fires, accidents, Code Adam/Amber, Active Threats, etc. Managers are responsible for ensuring that employees are familiar with the OEP, evacuation procedures and SIP procedures.

  3. Managers must ensure proper OEP Cadre team coverage at all times. Managers should consider telework schedules of their employees when assigning OEP Cadre roles as identified in the OEP. For additional guidance see IRM 10.2.9, Occupant Emergency Planning.

Continuity Plan

  1. A Continuity Plan is a guide to the orderly re-establishment of operations after an incident. The objective of the plan is to resume processing of critical functions as quickly as possible and eventually to resume full, normal operations.

  2. Standard — A properly developed plan requires coordination with all IRS organizations located at the facility. Each function will participate in the development of the plan by identifying critical needs (i.e. critical personnel and equipment needs, etc.) and will assign personnel to participate in the planning process. Emergency management planning must include not only recovery of critical information systems and applications but must also address issues such as human resources, vital records, telecommunications, security, environmental concerns and the facility which houses the work environment. For additional guidance see IRM 10.6.1, Continuity Operations, Continuity Planning Requirements, and IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycles when planning and developing continuity of operations for Vital Records, which are those records considered essential to the continued operation of the IRS before, during and after an emergency or disaster.

Identification Media

  1. IRS identification media is issued solely for use by authorized employees in the performance of official duties. For the issuance of non-federal (contractor) ID cards, seek additional guidance from Identity Credential and Access Management (ICAM) on its established eligibility requirements. The only authorized forms of identification for official business purposes are:

    1. SmartID — Personal Identification Verification (PIV) is issued to all employees for visual identification.

    2. Non-Enforcement Pocket Commissions — designed to show proof of authority and issued only to authorized employees.

    3. Enforcement Pocket Commissions — designed to show proof of authority and issued only to CI and IRS Federal Law Enforcement in the 1811 and 0083 occupational series.

    4. Enforcement Shield — designed to provide an outward, visible sign of authority and issued only to CI and IRS Federal Law Enforcement in the 1811 or 0083 occupational series.

    5. Calling Cards — designed to provide a ready reference for contact with non-IRS individuals.

  2. Standard — Managers will ensure that IRS employees possess and display only authorized identification media and that such media be used and displayed properly. Identification media not officially authorized by the FMSS Security Policy office may not be produced, procured or displayed.

    1. Section 499, Title 18 of the U.S. Code, prescribes a penalty of $2,000 or five years imprisonment or both for "Whoever falsely makes, forges, counterfeits, alters, or tampers with any naval, military, or official pass or permit issued by or under the authority of the United States, or with intent to defraud uses or possesses any such pass or permit, or personates or falsely represents himself to be or not to be a person to whom such permit has been duly issued or willfully allows any other person to have or use any such pass or permit issued for his use alone."

    2. Section 701, Title 18 of the U.S. Code prescribes a penalty of $250 or six months imprisonment or both, for "Whoever manufactures, sells or possesses any badge, identification card or other insignia of the design prescribed by the head of any department or agency of the United States for use by any officer or employee thereof, or any colorable imitation thereof, or photographs, prints, or in any other manner makes or executes any engraving, photograph, print or impression in the likeness of any such badge, identification card, or other insignia, or any colorable imitation thereof, except as authorized under the regulations made pursuant to law". For additional guidance see IRM 10.2.4, Overview of ID Media.

Identification Card

  1. SmartID cards will be issued to all IRS employees and contractors who require systems access. The SmartID will be worn above their waist (on the torso) in such a manner that the photo is clearly visible from the front while in IRS facilities. In order to preserve the integrity and reliability of the ID card, all ID cards must be recovered from personnel who separate from the IRS. For additional guidance see IRM 10.2.5, Identification Card.

  2. Standard — All managers have responsibility for:

    1. ensuring that employees under their supervision are issued ID cards and wear them properly at all times.

    2. recovering, properly securing and sending to the local physical security function all ID cards from their employees who leave the IRS or who are no longer authorized to have ID media.

    3. reporting any lost or stolen ID cards to the local FMSS Physical Security function (if restricted area ID or if the employee is on an access list, also notify the restricted area manager).

    4. reminding employees of their responsibility to safeguard their ID card.

    5. requesting replacement of ID cards for their employees, as necessary.

    6. ensuring that employees under their supervision follow all IRS and local procedures when in IRS facilities.

Access by Other Federal and Contractor Personnel

  1. Because of the need for other federal personnel and non-federal personnel (e.g. GSA, contractors, vendors) to have access to IRS facilities, procedures have been established to meet this need while still providing appropriate safeguards. While these individuals may have a need to be in an IRS work area, they are not IRS employees and may not be provided the same privileges and access levels. When visitors are in the work area, care must be taken to prevent unauthorized disclosures.

  2. Standard — Managers are responsible for ensuring that other federal personnel and non-federal personnel follow all IRS and local procedures while in IRS facilities. Managers are responsible for advising employees when visitors are in the work area and reminding them that sensitive information is not to be discussed or left in view of visitors.

  3. All persons entering or requesting access to a government building are subject to the provisions of the rules and regulations governing public buildings and grounds. This includes Federal Property Management Regulations (FPMR), Title 41, Code of Federal Regulations (CFR), Subpart 101-20.3 Conduct on Federal Property; and Title 18, United States Code (USC), Section 930, Possession of Firearms and Dangerous Weapons in Federal Facilities. These regulations apply to IRS employees, persons not employed by the IRS and persons employed by tenant agencies.

Issuance of ID Cards to Non-Federal Personnel

  1. With the growing use of outside expertise, the demand for staff-like access (unescorted access in IRS facilities or work areas) by non-federal personnel to IRS facilities has greatly increased. In order to meet this demand, non-federal personnel who have a daily need to be at a facility on a continuing basis over a period of time (usually 30 days or more) may be issued a Personnel Access Card (PAC) for use at that facility, after a favorable adjudication for staff-like access. Any issued non-photo ID cards must not be removed from the issuing facility.

  2. Standard — Managers in organizations utilizing non-federal personnel are responsible for ensuring that these individuals are properly badged and are aware of and follow all IRS and local procedures. In order to be badged properly, the local physical security function must be notified in writing of the impending visit, length of the visit, names of the individuals, Social Security Number (SSN) and whether a "background investigation has been conducted and favorably adjudicated by IRS Personnel Security". A copy of the adjudication letter issued from IRS Personnel Security stating there has been a completed and approved interim or final check must be attached to the request. IRS may issue non-federal PAC photo ID cards, which may be removed from the issuing facility only with the approval of the FMSS TM in accordance with local policy and facility levels, but may not be used as authorization to access other IRS facilities. Without a copy of the final or interim adjudication letter, no photo ID card will be issued. Non-federal visitors and contractors without an approved, completed background adjudication letter from IRS Personnel Security must be escorted at all times. For additional guidance see IRM 10.2.4, Overview of ID Media, IRM 10.2.5, Identification Card, and IRM 10.23.2, Personnel Security, Contractor Investigations.

Issuance of Visitor ID Cards

  1. Other federal personnel and non-federal personnel may have a need to visit IRS facilities. These individuals do not require staff-like access but may need periodic access on a regular basis. These individuals may be issued a non-photo, "VISITOR" ID card.

  2. Standard — Managers are responsible for ensuring that individuals visiting an IRS facility are placed on a visitors register and upon arrival are made aware of and follow all IRS and local procedures. These individuals may not be given staff-like access but rather should, in most instances, be limited to a specific work area and be escorted to that work area by an IRS employee or approved IRS contractor who holds a final background adjudication from IRS at or above the appropriate risk level required for the area or work. Contractors belonging to government agencies other than the IRS may not serve as an escort within IRS space. Visitors must be on a visitors register, show an official, valid picture ID such as a driver's license or other federal, state, city or local government issued photo identification card to verify identity, sign the visitors register, and be issued an appropriate visitor ID card. Employees are to be notified that there is a visitor in the work area and that sensitive information is not to be discussed or left in view of visitors. The "VISITOR" ID card may not be removed from the facility but must be recovered upon exiting, and be reconciled to ensure 100% recovery at the end of each day. For additional guidance see IRM 10.2.4, Overview of ID Media, and IRM 10.2.5, Identification Card.

Escort Only ID Cards

  1. Federal or non-federal personnel visiting an IRS facility who do not have a verified background check, do not have or require unescorted access, or who are not on a visitor list, must be issued an "Escort Only" ID card. This is a non-photo ID card that will be issued only after the individual shows a picture ID, such as a driver's license or other federal, state, city or local government issued photo identification card, signs the visitor register and is verified by an IRS employee assigned to the facility. The visitor will be escorted at all times by an IRS employee or IRS contractor with final staff-like access who is assigned to the area(s) accessed. Escorts must have knowledge of systems and operations sufficient to determine when the escorted person's actions could cause damage or harm to systems or unauthorized disclosure. One authorized person may escort a maximum of two persons. Escorts must maintain control and sight contact at all times.

  2. Standard — Managers are responsible for ensuring that individuals issued "Escort Only" ID cards are escorted at all times by an IRS employee or IRS contractor with final staff-like access who is assigned to the area(s) accessed. Escorts must have knowledge of systems and operations sufficient to determine when the escorted person's actions could cause damage or harm to systems or unauthorized disclosure. Managers are also responsible for ensuring that these individuals follow all IRS and local procedures. Managers will ensure that the visitor's need to access has been validated by an IRS employee assigned to the facility. Managers are responsible for notifying employees that there is a visitor in the work area and that sensitive information is not to be discussed or left in view of the visitor. For additional guidance see IRM 10.2.4, Overview of ID Media, and IRM 10.2.5, Identification Card.

Pocket Commissions

  1. Pocket commissions are used to present proof of authority in the performance of official duties. They are primarily intended to identify IRS personnel to the public when dealing with tax matters and may not be issued merely to identify employees for transaction of routine business. There are two categories of pocket commissions: enforcement and non-enforcement. Enforcement commissions are issued only to individuals in the 1811 and 0083 occupational series. Non-enforcement commissions are issued to all other authorized employees. For additional guidance see IRM 10.2.6, Non-Enforcement Pocket Commissions.

  2. Standard — Managers are responsible for ensuring that only authorized employees are issued pocket commissions and that pocket commissions will only be displayed as prescribed in IRM 10.2.6, Non-Enforcement Pocket Commissions. Managers will identify employees who are required to present proof of authority during taxpayer contacts and will initiate requests for pocket commissions for authorized employees.

Pseudonyms

  1. In accordance with the IRS Restructuring and Reform Act of 1998, Section 3706, IRS employees are authorized to utilize a pseudonym if adequate justification for the use is provided by the employee and its use is approved by the employee's manager. IRS employees authorized to hold a non-enforcement pocket commission may use a registered pseudonym, in lieu of their legal name, to protect themselves from potential harassment by taxpayers. For additional guidance see IRM 10.2.6, Non-Enforcement Pocket Commissions, and IRM 10.5.7, Privacy and Information Protection, Use of Pseudonyms by IRS Employees.

  2. Standard — Employees may be issued a single ID card and/or pocket commission in an approved pseudonym name. In addition, employees authorized name tags may have the name tag issued in an approved pseudonym name. Managers are responsible for generating requests for issuance of ID media in a pseudonym name. If an employee already has a pocket commission and/or ID card issued in their legal name, that ID media must be recovered prior to issuance of identification media in the pseudonym name. Managers must make sure that employees do not have more than one ID card and/or pocket commission in their possession.

Calling Cards/Business Cards

  1. Calling cards (business cards) may be used by IRS personnel who have a continuing need to leave their name, unique identifying number and telephone number with non-IRS individuals or companies as a ready reference for contact by telephone or at an office address. For additional guidance see IRM 1.17, Publishing.

    1. The IRS provides business cards at no cost to eligible employees (those with significant public contact) per Treasury.

  2. Standard — Personalized business cards will conform to a standard design for uniformity and quality control and must conform to the standards specified by the IRS. All requests must be approved by an authorized official or his/her designated representative. Management will make sure that employees use business cards for official business only and do not independently generate business cards associating them with the IRS. Business cards are considered ID media and must be approved by the IRS and comply with IRS standards.

Employee Name Tags

  1. Employees assigned to walk-in areas may be provided name tags as an alternate form of identification in order to meet requirements of the Restructuring and Reform Act of 1998, Section 3705(a), IRS Employee Contacts.

  2. Standard — Employee name tags will be issued only to those individuals assigned to taxpayer walk-in areas and will include the employee's name (or pseudonym name) and unique identifying number. The design and size of the name tag will meet IRS standards and will be ordered through the employee's manager.

Reviews

  1. The IRS has established minimum security standards and requirements for which IRS managers are responsible. Periodic assessments and reviews assist security personnel and management officials in determining the effectiveness and appropriateness of existing safeguards and security guidelines.

Functional Reviews

  1. Functional reviews measure adherence to security requirements and procedures that apply to each manager's office or functional area. Functional reviews allow managers to ensure that existing security procedures and requirements are being followed on a daily basis.

  2. Standard — First line managers or their designated representative are recommended, but not mandated, to conduct functional reviews at least annually or more frequently. The review must be documented and a copy of the report should be provided to the next level of management. Review criteria may be based on local concerns, but they should evaluate their area on:

    1. Clean Desk Policy

    2. Disposition of waste material

    3. ID Media

    4. Locks and keys

    5. Protection of sensitive information

    6. Security awareness

After Hours Review

  1. An after-hours review allows managers to determine whether documents, property and monies are being adequately protected when not in the custody of authorized IRS personnel. Managers can accomplish this by being the last to leave a work area and checking the area after the close of the business day. Managers could also accomplish after-hours reviews by periodically arriving early to work ahead of the staff to review the work space for compliance.

  2. Standard — Managers must periodically review functional areas after hours to determine whether sensitive information is appropriately containerized or disposed of, whether cabinets, safes and other containers are appropriately secured, and whether limited areas, secure areas and office doors are secured. If weaknesses are identified, managers must take immediate action to safeguard information, property or rooms/facility, counsel employees as appropriate, and/or request assistance from appropriate local FMSS Physical Security staff in developing corrective measures.

Contractor Site Surveys and Reviews

  1. Contracts for services or property which involve the disclosure of sensitive information to a contractor (e.g., returns or return information, personnel information, and administrative or internal management information critical to the mission of the IRS) must include appropriate protective measures in accordance with applicable laws, regulations and procedures. IT Cybersecurity and FMSS can assist in the review and provide their respective expertise.

  2. Standard — Managers must ensure requests for contracted services involving disclosure of tax data or other protected information are reviewed by PGLD and where appropriate, IT Cybersecurity, as well as FMSS Physical Security. The request must include a:

    1. narrative statement of work describing all intended requirements and applications.

    2. statement identifying the data to be disclosed.

    3. narrative of proposed security safeguards to protect the data which must be disclosed to the vendor/contractor, or a statement that additional safeguards are not a requirement.

    4. statement that a pre-award site survey is or is not required.

  3. In order to ensure that a contractor facility provides required security safeguards, an on-site contractor review may be required. Contractor reviews are conducted at the contractor sites that perform work on behalf of the IRS. If it has been determined that a site survey will be required of a federal/state agency, the site review is coordinated and led by PGLD, with involvement and support from FMSS Security Section, IT, Personnel, etc., as appropriate. The Contracting Officer will require the vendor to provide, in writing, as part of their offer:

    1. a copy of the internal security review and findings conducted within the previous 12 months.

    2. a narrative description of the vendor's proposal to comply with required safeguards.

    3. a copy of all of the vendor's policies and procedures relating to security.

    4. an organization listing or chart, if available.

      Note:

      If the contract is for automated information services see IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

  4. Standard — It is the responsibility of the requesting activity to ensure that a site survey is conducted when necessary. Assistance from FMSS Physical Security staff should be requested. The site review will usually consist of a pre-review conference, interviews, facility tour and close out conference.

    1. A pre-review conference should be held with the reviewer, local Physical Security personnel as appropriate, and the contractor to determine the scope and methodology of the review.

    2. Interviews with contractor employees should be held to ascertain the level of security maintained and degrees of security awareness. The interview schedule should be arranged during the pre-review conference.

    3. A tour of the contractor's facility must be conducted and should follow the flow of IRS data from point of receipt to point of final disposition.

    4. A close-out conference allows the reviewer to clarify any areas of concern and provides an opportunity to discuss deficiencies or vulnerabilities.

    Note:

    Refer to Servicewide Records Management Guidance Regarding Contractor Records, https://portal.ds.irsnet.gov/sites/PGLD/RIM/Contractor-Recordkeeping.pdf.

Recertification

  1. An existing contractor's ability to adequately protect IRS data from unauthorized use or disclosure must be recertified annually for contracts which extend beyond a one year period, prior to contract renewal or if the safeguards employed by the contractor become a matter of concern (e.g. suspected security breach).

  2. Standard — The requesting function is responsible for contract recertifications. If the recertification is conducted due to a disclosure concern, local physical security personnel should be contacted and briefed on the areas of concern. The contractor will be requested to provide a self-assessment regarding their ability to protect IRS data. If it cannot be determined from the self-assessment and other documentation whether to recertify, a recertification site review of the contractor facility must be scheduled. IRS security (Cybersecurity and/or FMSS) may, due to regulatory requirements, perform site reviews annually depending on the nature of the issue (i.e., Federal Information Security Management Act (FISMA); see Pub. 4812, Contractor Security Controls).

Protection Alternative Chart

Alternative Chart

Protected Item Classification IRS Perimeter Type Interior Area Type Container Type
Normal Security
Alternative #1 Locked
Alternative #2 Locked
Alternative #3 Locked
High Security
Alternative #1 Secured Locked
Alternative #2 Locked Secured
Alternative #3 Locked Security
Special Security
SP-1 Locked Safe/Vault
SP-2 Locked Security
SP-3 Locked Locked

* SP-2 and High Security, Alternative #3 appear to be the same. The difference is that SP-2 items "must" be stored in a locked container, whereas High Security items may be stored in a security container, a secured room or in a locked container within a secured IRS perimeter. For further guidance and definitions on secured areas see IRM 10.2.15, Minimum Protection Standards (MPS).

Protectable Items

Designation Item
SP-3* Adverse Action and Adverse Action Appeal Files
NS** All material, not classified as requiring high security or special protection.
HS*** All portable equipment which can be stored in a standard pull drawer or lateral file cabinet. This includes laptop computers, combination padlocks, cameras and similar highly portable items.

Note:

Laptops can be secured using commercially available hardware designed to secure computers when not stored as required above.

SP-3 Annual Listing of Undelivered Refund Checks
SP-1 Ammunition - more than 60 rounds is considered SP-1 and requires a safe or vault. Up to 60 rounds can be stored in a Security Container as SP-2.
HS Assault and Threat Reports
SP-3 Bills of Lading — Blank GBL's
SP-2 Checks Drawn on U.S. Treasury (except those endorsed to the IRS for the payment of taxes).
SP-3 Checks Received for Payment — including personal checks, cashier's checks, bank drafts, money orders and U.S. Treasury checks endorsed to the IRS for the payment of taxes.

Note:

In Service Centers, checks must be in a secured area or containerized.

HS Classification Stamps — "accepted as filed"
SP-2 Combination Records (Standard Form 700, Security Information, for containers or vendors.)
SP-1 Combination Records ( Standard form 700, Security Information, for safes and vaults.)
HS Coordinated Examination Records — including all open or closed project files, case files, correspondence, activity reports, and other material which contains taxpayer data or third party information acquired in connection with a planned, open or closed case
SP-1 Currency over $1,000
SP-2 Currency up to and including $1,000
NS Currency Transaction Reports — Form 4789, Currency Transaction Report
SP-2 Director's Seal
HS Disclosure Records relative to disclosures made to Department of Justice, Executive Departments, or Congressional Committees
HS Discriminant Function (DIF) formulas, program requirements packages and related materials
SP-3 Employee Underreporter Program/Cases
HS Examination Records — those maintained at the request of Congressional Committees
HS Examination Selection, Criteria and Formulas, Cycle Variables and Volume Controls
SP-1 Firearms (over 4)
SP-2 Firearms (up to and including 4)
SP-2 Four (IV) Phase Operator's Listing
SP-2 Four (IV) Phase C-Type Audit Trail Listing
SP-2 Four (IV) Phase Master List of System Users
SP-2 Four (IV) Phase Job Directory Listing
SP-2 Four (IV) Phase Change Requests (Form 6610, IV Phase Change Request)
SP-2 Four (IV) Phase Password List
HS Fraud Referrals — all case files, correspondence, or related documents which contain information regarding items referred to CI
HS General Ledger and Subsidiary Records — revenue accounting only
SP-3 All Government issued credit cards
SP-2**** Grand Jury — Case file and information
SP-3 Grievance Files and Grievance Appeal Files
SP-2 IDRS Passwords and Password Registers
SP-3 IDRS Security Handbook
SP-2 IDRS Security Records (including PRP's, reports, control documents, audit trail records and computer tapes)
SP-2 Identification Media (IRS) — all unused stock and completed media which is not in the possession of the employee to whom it is assigned
SP-3 Identification Media (IRS) — completed non-photo visitor and temporary cards
SP-2 Informant Communications File
SP-2 Informants' Claims for Reward
SP-2 Informants' Control File
SP-3 Internal Security Records — including all open or closed investigative reports, informant files, and other material that contain investigative information concerning employees and/or taxpayers, or taxpayer data, third party information, tax data, or specific information concerning IRS operations acquired in connection with a planned, open or closed case.
SP-3 Internal Audit Records — including Internal Audit Reports and workpapers, open or closed, and other material containing tax data, taxpayer information, functional records and information concerning service center operations, acquired in connection with planned, open or closed audits.
SP-3 Internal Revenue Service Employee — delinquency
NS Investigative Equipment — equipment specifically acquired and used by CI and Internal Security for carrying out investigation and enforcement functions.
SP-3 Key — to any locked container
SP-2 Key — to any room, area, secured area, or security container
SP-3 Law Enforcement Manual (LEM) (Normal Security will apply to service centers)
HS Legal Case Files and Records of Chief Counsel, Deputies Chief Counsel, and their Assistants
SP-2 LIMITED OFFICIAL USE documents
HS Magnetic Media — all discs, tapes or similar media which contain program, taxpayer or other individual data
SP-3 Medical Records — employee health records, disability retirement records, and similar files containing personal medical information
HS Microfilm — all cartridges, cassettes or other microfilm media which contain taxpayer data or account information.
SP-3 Minority Group Designator Data
SP-2 Negotiable and Non-negotiable Instruments — including stocks, bonds, securities or other collateral
SP-3 OFFICIAL USE ONLY Documents (unless otherwise increased by the originator)
SP-3 Personnel Records — including personnel folders, investigation reports, qualification statements, and other records containing privacy act or sensitive information
HS PRP 160, Section 26, Selection of Exempt Returns for Examination (SERFE)
SP-2 Receipts — unissued Form 809, Receipt for Payment of Taxes (CP-444) or Form 4733, Receipt for Special Taxes (CP-445)
NS Received Stamps
HS Received with Remittance Stamps
SP-2 Relocated Witness Files
HS Risk Analysis Final Reports and associated supporting documentation
HS Sensitive investigative equipment — devices that can be used in the interception of telephonic communications or non-telephonic communications
HS Signature Stamps or Facsimile Signature Plates
HS Statutory Notices — signature stamps or facsimile signature plates
SP-3 Form 6888, U.S. Government Purchase - Invoices - Voucher, (unissued stock)
HS Taxpayer and Privacy Act Information (due to the protection provided, service and computing centers are exempt from this requirement)
HS Tax Practitioner File — including extension files
HS Treasury Enforcement Communications Systems (TECS) Data — which contains information regarding the involvement of CI with taxpayers or third parties
SP-3 Test Materials — OPM, IRS and commercial
HS Testimony of IRS Employees in Non-tax matters
SP-3 Training Records — including individual ratings, examination record and register cards, and similar individual test result information
SP-3 Transportation Requests — blank and unissued TR's
HS Unapplied Master File Credit Records
SP-3 Undelivered Refund Check Notices
SP-3 Unidentified Remittance Record
HS Unit Ledger Cards
*SP SPECIAL SECURITY
**NS NORMAL SECURITY
***HS HIGH SECURITY
**** If volume dictates, these items may be stored in a security room.