1.4.6 Managers Security Handbook

Manual Transmittal

May 04, 2020

Purpose

(1) This transmits revised IRM 1.4.6, Resource Guide for Managers, Managers Security Handbook.

Material Changes

(1) This IRM was updated to reflect current organizational titles, scope, definitions and authorized use.

(2) IRM 1.4.6.2, Responsibilities of Facilities Management and Security Services has moved into IRM 1.4.6.1, Scope and Objectives.

(3) IRM 1.4.6.3, Responsibilities of Managers has moved into IRM 1.4.6.1, Scope and Objectives.

(4) Removed IRM 1.4.6.7.8, Calling Cards. Calling cards are no longer considered a form of authorized ID media, per IRM 10.2.18, Physical Access Control (PAC).

(5) Removed IRM 1.4.6.7.3, Issuance of ID Cards to Non-Federal Personnel.

(6) Removed IRM 1.4.6.7.4, Issuance of Visitor ID Cards.

(7) Removed IRM 1.4.6.7.5, Escort Only ID Cards.

(8) Removed Exhibit 1.4.6-1, Protection Alternative Chart. Refer to IRM 10.2.15, Minimum Protection Standards (MPS).

(9) Removed Exhibit 1.4.6-2, Protectable Items. Refer to IRM 10.2.15, Minimum Protection Standards (MPS).

(10) Added Background to IRM 1.4.6.1, Program Scope and Objectives.

(11) Added Authority to IRM 1.4.6.1, Program Scope and Objectives.

(12) Added Responsibility to IRM 1.4.6.1, Program Scope and Objectives.

(13) Added Management and Review to IRM 1.4.6.1, Program Scope and Objectives.

(14) Added Definitions and Acronyms to IRM 1.4.6.1, Program Scope and Objectives.

(15) Added IRM 1.4.6.6, Facility Access.

(16) Added IRM 1.4.6.6.1, Unescorted Facility Access.

(17) Added IRM 1.4.6.6.2, Escorted Facility Access.

(18) Revised Identification (ID) Media requirements throughout this handbook. For ID Media policy guidance, see IRM 10.2.5, Identification Media.

(19) Revised Physical Access Control (PAC) requirements throughout this handbook. For PAC policy guidance, see IRM 10.2.18, Physical Access Control (PAC).

(20) Revised Privacy and Information Protection requirements throughout this handbook. For policy guidance, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

(21) If the section’s modification date changed, but the section is not listed, then that section had minor edits, clarifications, name changes, updated hyperlinks, or additional examples.

(22) This IRM incorporates Interim Guidance FMSS-01-0418-0001 to clarify the occupational series eligible for the issuance of enforcement pocket commissions.

Effect on Other Documents

This IRM supersedes IRM 1.4.6, Managers Security Handbook, dated August 2, 2016.

Audience

Servicewide

Effective Date

(05-04-2020)

Richard L. Rodriguez
Chief
Facilities Management and Security Services

Program Scope

  1. This section contains manager and security official requirements for enforcing and applying IRS minimum security standards.

  2. Purpose: This IRM section provides management and security officials with:

    1. The minimum security standards and flexibility to incorporate additional necessary security measures to meet the demands of the local geographic and demographic conditions and day-to-day operations for the entire federal tax administration as administered within the IRS.

    2. Requirements for the protection of employees, facilities, equipment, and infrastructure, as well as tax returns, return information, cash, negotiable instruments, and other sensitive information and documents.

  3. Audience: Servicewide.

  4. Policy Owner: Chief, Facilities Management and Security Services (FMSS).

  5. Program Owner: Associate Director (AD), Security Policy.

  6. Primary Stakeholders: FMSS Field Operations, Business Unit Executives, Senior Managers, Chief Counsel Executives, Managers, and Employees.

  7. Program Goals: To provide IRS managers and security officials with policy and procedures to enforce and apply security standards.

Background

  1. IRS security risks can vary in nature with the type, size, and location of a facility or operation. This guidance was developed to provide managers and security officials with minimum-security standard requirements with flexibility to enhance security, as necessary.

Authority

  1. Executive Order 13526, Classified National Security Information

  2. The Privacy Act of 1974

  3. Tax Reform Act of 1976

  4. IRC 6103, 7213, 7217, and 7431

  5. Federal Managers' Financial Integrity Act of 1982 (FMFIA)

  6. Government Accountability Office (GAO) Standards

  7. OMB Circular A–123 (Management’s Responsibility for Internal Control)

  8. OMB Circular A–130 (Managing Information as a Strategic Resource)

  9. Treasury Security Manual 71–10

  10. Federal Information Security Management Act of 2002 (FISMA)

  11. National Institute of Standards and Technology (NIST) SP 800-53 Rev. 4

Responsibilities

  1. Chief, FMSS prescribes and is responsible for oversight of managers security handbook resource guide policy.

  2. FMSS AD, Security Policy is responsible for oversight of planning and developing managers security handbook resource guide policy and guidance.

  3. FMSS Physical Security Protection Program (PSPP) Section Chief is responsible for planning, developing, implementing, evaluating, and controlling managers security handbook resource guide policy and guidance.

  4. IRS managers are responsible for:

    1. Taking all reasonable actions to prevent the loss of life and property, disruption of services and functions, and unauthorized disclosure of documents and information to safeguard the continued operation of the federal tax administration system.

    2. Enforcing compliance with minimum security standards and policies contained herein.

    3. Confirming employees have knowledge and understanding of physical security program roles and requirements.

    4. Consulting with FMSS Security Section Chief (SSC) for above-standard physical security countermeasures.

    5. Confirming the level of protection provided to prevent unauthorized disclosure of sensitive information is commensurate with the information's level of sensitivity.

    6. Confirming the level of protection afforded to the media containing the information is commensurate with the value of the media.

    7. Confirming physical security measures required for protecting life, information, property and all government assets are:
      i. applied within their area of supervision and
      ii. those measures meet the established minimum-security standards.

    8. Maintaining effective controls to prevent fraud, waste, or abuse of government resources and mismanagement of IRS programs. The control systems will provide reasonable assurance that all resources are safeguarded from unauthorized use or disposition. The basic standards and principles of the control system for all managers are:
      i. Documentation - Clearly written instructions for all financial transactions, accounting for resources and internal control requirements will be readily available.
      ii. Accountability - Transaction registers will be maintained and reviewed periodically for the purpose of determining if transactions were properly authorized. Exceptions must be investigated, and corrective action must be taken.
      iii. Separation of Duties - Duties such as authorizing, recording, issuing, receiving, making payments and reviewing or auditing will be assigned to separate individuals to minimize the possibility of fraud, waste, or abuse going undetected.
      iv. Supervision - Qualified and continuous supervision will be provided to ensure compliance with procedures. Periodic reviews will be conducted by responsible managers.
      v. Access to Resources - Direct physical access to resources and indirect access by preparation or processing of documents will be limited to authorized personnel.
      vi. Competent Assurance - Key personnel staff are of high integrity and are competent by education, training, or experience to accomplish their duties.
      vii. Reasonable Assurance - Internal control systems will provide reasonable assurance that system objectives are met. The cost of the controls must not exceed their benefits.
      viii. Reporting Violations - All managers will verify that potential violations of the internal control systems are expeditiously reported according to established procedures.

    9. Verifying employees are aware of and comply with established security procedures for protecting information, records, property and documents and for reporting loss, and any security violations to the proper authority.

    10. Verifying employees are trained to operate physical security systems installed in their space as necessary to aid in the protection of IRS assets.

Program Management and Review

  1. Program Reports: The authoritative data source for monitoring Resource Guide for Managers, Managers Security Handbook will be:

    1. FMSS Physical Security Briefing completion reports

    2. Situational Awareness Management Center (SAMC) reports

  2. Program Effectiveness: FMSS PSPP Section Chief will evaluate this program’s effectiveness by:

    1. Assessing the completion rate of all IRS employees for the mandatory annual Facilities Management and Security Services Physical Security Briefing located on ITM.

    2. Reviewing and assessing SAMC reports for security incident trends.

Definitions

  1. Controlled Area - An area that is not a Limited Area but still requires controlled entry with one-part authentication (access card or manual combination).

  2. Countermeasures - An action or device that can prevent or mitigate the effects of threats.

  3. Criminal Investigation (CI) - An IRS organization that is the law enforcement arm of the IRS with investigative jurisdiction.

  4. Employee - A federal employee, employed by the IRS.

  5. Escorted Access - A situation where a contractor employee who has not yet been granted staff-like access must be accompanied by a "qualified escort" during work performance and movement throughout the facility. Extended definition: a situation where an individual (i.e., contractor, visitor, or vendor) is not approved for staff-like access and therefore requires an escort.

    Note:

    For additional information, see IRM 10.23.2, Personnel Security, Contractor Investigations.

  6. Facility Access - Controlled entry into a facility based on access status, role or function and employment category.

  7. Incident - Any event affecting the safety, security, or protection of property, a facility, or occupant that requires a response, investigation, or other follow-up.

  8. Limited Area - An area to which access is limited to authorized personnel only. Limited Area space can be identified by the FMSS Physical SSC based on critical assets.

    Note:

    For additional information, see IRM 10.2.14, Methods of Providing Protection.

  9. Qualified Escort - An authorized (designated) IRS employee or a contractor employee approved for final staff-like access at the same or higher position risk level as the contractor employee who requires escorting, and with knowledge of the task or activity to be performed.

    Note:

    For additional information on escort/escorted ratio, see IRM 10.2.18.5.2, Escorted Access.

  10. Routine Access - Access to facilities on a consistent basis, generally multiple times a week.

  11. Security Section Chief (SSC) - An FMSS Operations manager responsible for physical security within a geographical area.

  12. Staff-like Access - Authorized unescorted access to Treasury-owned or controlled facilities, IT systems, security items and products, and/or to areas storing/processing SBU data, as determined by Treasury/bureau officials. Staff-like access may be interim or final.

    Note:

    For additional information, see IRM 10.23.2, Personnel Security, Contractor Investigations.

  13. Unescorted Access - Staff-like access granted to a contractor employee to IRS facilities, IT systems, and SBU data without escort. Extended definition: authority granted to individuals to gain access/entry and be present without an escort. Unescorted access is an element of staff-like access authorization.

    Note:

    For additional information, see IRM 10.23.2, Personnel Security, Contractor Investigations.

  14. Acronyms

    Acronym Definition
    AD Associate Director
    DO Designated Official
    FMSS Facilities Management and Security Services
    FOIA Freedom of Information Act
    ISC Interagency Security Committee
    LOP Level of Protection
    SAMC Situational Awareness Management Center
    SBU Sensitive But Unclassified
    SSC Security Section Chief
    TDP Treasury Directive Publication
    TIGTA Treasury Inspector General for Tax Administration
    TM Territory Manager(s)
    VAR Visitor Access Register

Related Resources

  1. IRM 1.15, Records and Information Management

  2. IRM 10.2.1, Physical Security Program

  3. IRM 10.2.5, Identification Media

  4. IRM 10.2.6, Civil Enforcement and Non-Enforcement Pocket Commissions

  5. IRM 10.2.8, Incident Reporting

  6. IRM 10.2.11, Basic Physical Security Concepts

  7. IRM 10.5.1, Privacy and Information Protection, Privacy Policy

  8. IRM 10.5.2, Privacy and Information Protection, Privacy Compliance and Assurance (PCA) Program

  9. IRM 10.5.4, Privacy and Information Protection, Incident Management Program

  10. IRM 10.5.7, Privacy and Information Protection, Use of Pseudonyms by IRS Employees

  11. IRM 10.5.8, Privacy and Information Protection, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments

  12. IRM 10.8, Information Technology (IT) Security

  13. IRM 10.9.1, National Security Information

  14. IRM 11.3, Disclosure of Official Information

Limiting Access

  1. A guiding principle of security within IRS is "limiting access to assets based on need". When applied to information security, this translates into limiting access to documents on a need-to-know basis. With regard to physical security, it means restricting entrance to rooms, areas, or facilities based on the individual’s duties or responsibilities.

  2. To maintain reasonable security at all IRS facilities at all times only authorized visitors will be permitted to enter the facility. Providing tours for interested, non-tax related individuals, or groups for purposes of orienting them with facility operations is NOT authorized.

  3. Official visits by individual tax preparers, tax accountants, news media representatives and other professional tax-oriented individuals and groups may be permitted at the discretion of the director of the facility or Senior Commissioner Representative (SCR), in coordination with Communication and Liaison (C&L) and the local FMSS Physical Security staff.

    Note:

    For additional information on limiting access control, see IRM 10.2.18, Physical Access Control (PAC).

Determining Need

  1. Determining the need to access information, documents, rooms, areas or facilities is based on whether an individual needs access to perform assigned duties and responsibilities. Does the individual need to know? Does the individual need to enter a secured area?

  2. Management determines need and makes the subsequent decision to grant access to an asset. Consult with the local FMSS Physical Security staff to select the appropriate means to achieve the desired access control.

  3. The safeguards presented in this handbook are designed to protect against such human threats as:

    1. acts of violence

    2. accidental/deliberate alteration or destruction of information or property

    3. bomb threats

    4. demonstrations/riots

    5. fraud

    6. sabotage

    7. theft

    8. unauthorized disclosure

    9. unauthorized entry

    10. vandalism

  4. The methods of protection are designed for comprehensive protection of IRS assets at all times. The methods of protection are also designed to limit access by non-IRS individuals who may require access to IRS facilities.

  5. Because any single safeguard is often insufficient protection for an asset, the concept of layering safeguards was developed to provide in-depth security. To understand in-depth security, it is important to know what must be considered before choosing the appropriate safeguard, or combination of safeguards, required for a particular asset. The value of the asset and any applicable laws are the primary considerations. Once these are determined, the problem of unauthorized access is approached by one or more of these methods:

    1. Deter

    2. Detect

    3. Deny

    4. Delay

    5. Defend/Respond

Protection of Personnel, Information, Facility and Property

  1. Ideally, physical security measures would provide a facility with absolute protection from a host of threats. Because absolute protection is unachievable, a practical approach to physical security is essential: protect personnel, information, facilities, and property by employing a combination of measures to deter, detect, deny, delay and defend against unauthorized entrants, without being so restrictive that security itself becomes a disruption.

  2. Management will:

    1. Verify that information such as training material, statistical files, and various internal communications requiring protection from disclosure and undesired dissemination is protected.

    2. Determine the degree of protection required, based upon policy requirements.

    3. Work with the FMSS Physical Security staff to implement appropriate protective measures.

    4. Confirm employees are trained to operate physical security systems installed in their space, as necessary, to aid in the protection of IRS assets.

Minimum Protection Standards (MPS)

  1. The Minimum Protection Standards (MPS) system establishes a uniform method for protecting assets that require safeguarding. The MPS system is designed to provide managers with a basic framework of minimum physical security requirements with flexibility to deal with local conditions.

    Note:

    For additional guidance, see IRM 10.2.15, Minimum Protection Standards (MPS), and IRM 10.2.11, Basic Physical Security Concepts.

Space Planning

  1. Security must be addressed whenever IRS space is designed, acquired, altered, or redesigned. Failure to consider adequate security during the early phases of space planning can result in costly modifications. Additional information regarding space design and planning is outlined in the IRS National Workspace Standards.

    Note:

    For additional guidance, see IRM 10.2.11, Basic Physical Security Concepts.

Limited Areas

  1. The designation of a Limited Area is a method of controlling the movement of individuals and eliminating unnecessary traffic through critical security areas, thereby reducing the risk for unauthorized disclosure or theft of tax information. Limited Area space can be identified by the FMSS Physical SSC based on critical assets. All Limited Areas must meet secured area requirements.

    Note:

    For additional information on Limited Areas, see IRM 10.2.11, Basic Physical Security Concepts.

Secured Areas/Perimeters

  1. Secured areas are designed to prevent undetected entry by unauthorized persons.

  2. The local FMSS Physical Security Specialist will assist in determining the best method of meeting minimum protection standards for the secured area/perimeter security.

    Note:

    For additional guidance, see IRM 10.2.15, Minimum Protection Standards (MPS).

Controlled Areas

  1. A controlled area requires controlled entry access with one-part authentication (access card or manual combination). Only authorized personnel and other personnel designated by the responsible business unit are authorized unescorted access into a controlled area. All visitors entering a controlled area must be escorted by personnel with authorized unescorted access to that controlled area.

  2. Controlled Areas include, but are not limited to:

    1. Alarm Panel room/closet

    2. Central Security Control Console (CSCC)

    3. Other similar facilities designated for controlled access by the responsible business unit

    Note:

    For additional information on access for a Controlled Area, see IRM 10.2.18, Physical Access Control (PAC).

Key and Combination Control

  1. Keys, key cards and combinations to locks are a means of controlling access. If the key, key card or combination is not strictly controlled or becomes compromised, the physical security is lost.

    Note:

    For additional guidance, see IRM 10.2.14, Methods of Providing Protection

  2. The local on-site FMSS Physical Security staff will retain keys to IRS space, in the event of inadvertent office lockouts. Spare keys may be retained by a designated off-site business function for use in catastrophic situations where local personnel are not available to provide access to IRS space.

  3. No more than two keys are authorized for each locking mechanism. FMSS budgets for and funds maintenance and replacement of office access controls, locks and keys.

  4. Combinations to security containers storing classified NSI must be protected at the level of the information being stored in the containers. This includes ensuring that the combinations are never discussed outside of a secure area, that they are never written down and that the combinations are changed by a cleared, knowledgeable employee when individuals who had access no longer require it.

    Note:

    For additional guidance, see IRM 10.9.1, National Security Information.

  5. Criminal Investigation (CI) will maintain their own key and combination control, complying with the above standards, except no approval for duplicate keys is required by the local Physical Security staff and control of SF 700 will remain in CI.

Information Protection

  1. Information protection is a vital matter to the IRS. All IRS employees having access to tax returns or return information and privacy information are prohibited by statute from disclosing official information except as authorized by applicable law or regulation. Information security includes information stored on handheld communication devices, external storage devices, computers, laptops or hard copy documents. In addition to tax data there are many other documents that require protection from disclosure.

    Note:

    For additional guidance, see IRM 11.3, Disclosure of Official Information.

    Note:

    Protection of information discussed in this section is vital to the business of the IRS, however, it must not be confused with classified NSI.

    Note:

    For additional guidance, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Privacy Act Information

  1. The Privacy Act of 1974, 5 USC 552a, provides comprehensive statutory recognition of an individual's right to privacy. Recorded information which is retrieved by reference to a name or other personal identifier, such as a social security number, is privacy information. The act specifies that agencies will establish appropriate administrative, technical, and physical safeguards to ensure the security of records and protect records against any anticipated threats or hazards to their security or integrity which could cause substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom information is maintained.

    Note:

    For additional guidance, see IRM 11.3.14, Privacy Act General Provisions.

  2. Unauthorized disclosure of Privacy Act information must be reported to Privacy, Governmental Liaison and Disclosure (PGLD) in accordance with IRM 10.5.4, Privacy and Information Protection, Incident Management Program.

Informant Information

  1. Persons furnishing information on tax violations expect and deserve to have their identity protected. All employees must, therefore, handle such information in strict confidence. In order to maintain maximum security, informant communications, claims for rewards, reward reports, memorandums or other documents which identify informants will be afforded container protection at all times, except when such documents are being processed. Access to such storage containers will be limited to the person or persons responsible for the security of the documents.

    Note:

    For additional guidance, see IRM 25.2, Information and Whistleblower Awards.

National Security Information (NSI)

  1. Classified NSI is any information, regardless of form, pertaining to the national defense or foreign relations of the United States, that is owned by, produced by/for, or is under the control of the U.S. Government and, if not properly protected, could cause damage to National Security. Executive Order 13526, Classified National Security Information, or its replacement, prescribes a uniform system for classifying, safeguarding, and declassifying national security information. NSI, commonly referred to as classified information, is information that requires protection against unauthorized disclosure and should only be accessed by those with a clearance at or above the classification level of the information, a need-to-know to perform their duties, and a signed SF-312, Classified Information Nondisclosure Agreement. NSI is marked Top Secret, Secret or Confidential to indicate its need for protection regardless of the form it is in. NSI must be transported in a prescribed manner, must not be processed on unclassified systems, and must be destroyed using a shredder on the latest National Security Agency/Central Security Service (NSA/CSS) Evaluated Products List (EPL).

    Note:

    For additional guidance, see IRM 10.9.1, National Security Information.

Sensitive But Unclassified (SBU) Information

  1. SBU data is any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act.

  2. SBU data includes, but is not limited to:

    1. Tax information (Federal Tax Information (FTI) protected by IRC § 6103), Personally Identifiable Information (PII), Protected Health Information (PHI), certain procurement information, system vulnerabilities, case selection methodologies, system information, enforcement procedures, investigation information.

    2. Live data, which is defined as production data in use. Live means that when changing the data, it changes in production. The data may be extracted for testing, development, etc., in which case, it is no longer "live". Live data often contains SBU data (including PII and tax information); however, tax information (FTI) remains tax information (FTI) whether it is live in a production environment or is removed to a non-production environment.

      Note:

      For additional guidance, see IRM 10.5.8, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments.

Records and Documents

  1. Records and documents created or received by the IRS in connection with operational and administrative activities are official information and the property of the United States Government. In accordance with 18 USC 2071, Concealment, Removal, or Mutilation Generally, it is unlawful to remove records or documents from the custody of the IRS except in accordance with prescribed procedures. The Tax Reform Act of 1976 provides that returns and return information are to be confidential and not subject to disclosure, except as specifically provided in IRC 6103, Confidentiality and Disclosure of Returns and Return Information, or other sections of the Internal Revenue Code.

    Note:

    For additional guidance, see IRM 1.15.1, Records and Information Management, The Records and Information Management Program.

Mail

  1. A large volume of IRS assets such as tax returns, remittances and government checks is transmitted by mail. Unattended mail is an easy target for theft.

  2. Mail, not being distributed or processed, must be:

    1. stored in a secured area or in locked containers.

    2. not left unattended in areas open to the public.

      Note:

      For additional guidance, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy and IRM 1.22.5, Mail and Transportation Management, Mail Operations.

Protection at Taxpayer’s Site

  1. Field employees may, at times, have sensitive and/or Personally Identifiable Information (PII) at the taxpayer’s site (the location where the taxpayer conducts business or houses tax information). Since it is not always possible to remove the information from the taxpayer’s site and store it at an IRS facility, managers must confirm that employees understand the importance of securing such information at the taxpayer’s site in a locked container when not in use.

    1. Sensitive tax information, such as agent's work papers, original returns, examination plans, fraud data, etc., which is housed at a taxpayer's site must be stored in a security container under the control of the responsible employee. The taxpayer cannot have access to this container.

    2. Data will not be stored on the taxpayer’s premises during non-duty hours if a security container is not available. During duty hours, the data must be under the personal custody of the employee when it is not contained. Personal custody exists when a responsible IRS employee or other designated person (e.g. armored car service employee, authorized employee of a contract firm) has possession of, or visual contact with, a document or item of property. For the purpose of this definition, visual contact is limited to the person's desk or immediate work area over which he/she has physical control.

      Note:

      For additional guidance, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy and IRM 10.2.15, Minimum Protection Standards (MPS).

Protection Outside of IRS Offices

  1. While on official travel it is often necessary for employees to carry tax data, laptops, taxpayer's checks and money orders, etc. Employees are responsible for the loss, theft or disappearance of IRS property when attributable to negligence. Employees in custody of sensitive information or IRS property while outside of an IRS office must protect such items to the maximum extent possible.

    Note:

    For additional guidance, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Transmission

  1. The IRS routinely ships tax returns and return information between IRS locations, as well as to other federal and state agencies. Data in transit is especially vulnerable to loss, destruction and disclosure. Such loss could result in irreparable damage to the government or taxpayers, delay tax processing, and damage the public image of the IRS.

  2. All shipments of tax returns and return information from any processing or computing center, area office, posts of duty, or other agencies and jurisdictions must be documented and monitored to safeguard accountability and receipt for each shipment.

    Note:

    For additional guidance, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Disposition and Destruction

  1. The purpose of destroying waste material generated in the processing of tax documents or other related documents is to prevent the information from being disclosed to unauthorized personnel. Disposition and destruction of tax information must be in accordance with IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycles.

Clean Desk Policy

  1. To improve the level of protection provided tax and privacy data, the IRS has adopted a clean desk policy. The IRS Clean Desk Policy and containerization objectives are designed to address the protection of SBU data (including PII and tax information) throughout the privacy lifecycle. The Clean Desk Policy requirements apply to data left out in work areas (including those in telework and offsite locations) and non-secured containers, on credenzas, desktops, fax/copy machines, conference rooms, and in/out baskets.

  2. All SBU data (including PII and tax information) in non-secured areas must be containerized during non-duty hours.

  3. For some pipeline activities and processing conducted at Submission Processing centers, campuses, and computing centers, the volume of the tax information processed and the disruption to these operations might prevent containerization and Clean Desk implementation.

    Note:

    For additional guidance, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Security Awareness

  1. A security program is more effective when all managers and employees are aware of security requirements, including the reasons for each security requirement they are expected to follow or enforce. Security awareness is promoted by the attitudes and actions of managers. If managers can explain security requirements in various situations and show how these requirements apply to their work area, employees will usually accept the need as an integral part of their responsibilities.

  2. Management will implement a security awareness program that includes:

    1. ITM Physical Security Mandatory Briefing.

    2. security as a regular topic at periodic managerial meetings.

    3. a security orientation of all new employees within the first seven business days following employment. All seasonal employees will be given a refresher orientation during their first seven business days or if they have been in non-work status for at least nine months. Local management will determine who will provide the orientation.

    4. recurring security briefing sessions conducted throughout the year by all processing/computing center supervisors. Security briefing sessions will also be provided at the beginning of each filing season.

    5. a briefing to each employee of special security requirements pertaining to their particular work area within 30 business days of hiring.

Protection During Office Moves

  1. Plans must be made to properly protect and account for all tax data and other information, as well as government property when an office moves to another location. The circumstances of the move must be carefully considered (e.g., the distance involved and the method to be used in making the move).

  2. Tax documents and other sensitive information must be kept in locked cabinets or sealed in packing cartons while in transit.

    Note:

    For additional guidance, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Emergency Planning

  1. The federal tax administration system is crucial to the economy of the United States and must be protected at all times. To provide adequate protection, it is necessary to develop policy, plans and procedures that will reduce the effect of incidents and emergencies. Incidents and emergencies are any situation or condition at the global, national, or local level, that threatens or has the potential to threaten the safety and security of employees, information, systems, equipment, facilities and/or infrastructure.

    Note:

    For additional guidance, see IRM 10.2.9, Occupant Emergency Planning.

Reporting Incidents

  1. Prompt incident reporting is essential to advise all levels of management of conditions that affect the operation of the IRS. Analyzing the trends or patterns detected in reported incidents will assist in developing effective countermeasures to minimize the effect of future disruptions.

  2. Employees will contact one of the following offices to report an incident based on what was lost, stolen, or disclosed:

    1. Privacy, Governmental Liaison and Disclosure Incident Management Office. If the breach involves an inadvertent unauthorized disclosure of SBU data, including PII and tax information, that is not taxpayer correspondence (see OTC in IRM 1.4.6.4.1 (3) b), such as a verbal disclosure, or an electronic disclosure such as SBU data or PII or FTI in an IRM section, Training Materials, PowerPoints, IRWeb, live test data uploaded to a system, etc., or lost/stolen/destroyed hardcopy records or documents, or packages lost/stolen during UPS or FedEx shipment, or lost/stolen remittances, report it to PGLD/IM using the PII Breach Reporting Form.

    2. The Office of Taxpayer Correspondence. If the breach involves taxpayer correspondence generated in any of the following formats: notices, letters, transcripts, faxes, EEFaxes, and other electronic transmissions such as e-mail, report it to OTC using the Servicewide Notice Information Program (SNIP) Erroneous Taxpayer Correspondence Reporting Form.

    3. The Computer Security Incident Response Center (CSIRC). If the incident/breach involves the loss or theft of an IRS IT asset, e.g., an IRS issued computer, laptop, router, printer, cell phone, BlackBerry, etc., or removable media (CD/DVD, flash drive, floppy, etc.) or a non-government furnished/personally owned mobile device that accesses, processes, transmits, or stores IRS information, in support of the Bring Your Own Device (BYOD) program, report it to CSIRC using the Computer Security Incident Reporting Form, or by calling CSIRC at 240-613-3606.

    4. The Situational Awareness Management Center (SAMC). If the incident involves lost or stolen Smart-ID cards or lost or stolen pocket commissions (credentials), report it to SAMC (within 30 minutes) using SAMC Incident Reporting Link and selecting the button, “Report a New Physical Incident”.

    5. The Treasury Inspector General for Tax Administration. If the incident/breach involves a loss or theft (including BYOD devices), report it to TIGTA at 800-366-4484.

      Note:

      For additional guidance, see IRM 10.2.8, Incident Reporting.

Occupant Emergency Plans

  1. Occupant Emergency Plans (OEP) are an essential part of a security program. Properly developed plans can reduce the threat to personnel, property, and other assets while minimizing work disruption. GSA requires an OEP for all federally occupied space. If the IRS is the primary occupant agency (the agency with the largest population in the facility) the designated official will develop, maintain and test the occupant emergency plan. The designated official is the highest ranking official of the primary occupant agency. Emergency situations must be addressed so that personnel will know what procedures to follow. Typical situations and incidents included in the OEP are: bomb threats, explosions, demonstrations, Shelter in Place (SIP), utility disruptions or failures, natural disasters, disruptive weather, fires, accidents, Code Adam/Amber, Active Threats, etc.

    Note:

    For additional guidance see IRM 10.2.9, Occupant Emergency Planning.

Continuity Plan

  1. A Continuity Plan is a guide to reestablishing orderly operations after an incident. The plan’s objective is to resume processing of critical functions as quickly as possible and eventually resume full, normal operations. A properly developed Continuity Plan requires coordination with all IRS organizations located at the facility. Each function will participate in the development of the plan by identifying critical needs (i.e., critical personnel and equipment needs, etc.) and will assign personnel to participate in the planning process. Emergency management planning must include recovery of critical information systems, human resources, vital records, telecommunications, security, environmental concerns, and the facility which houses the work environment.

    Note:

    For additional guidance, see IRM 10.6.1, Continuity Operations, Overview of Continuity Planning, and IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycles when planning and developing continuity of operations for Vital Records, considered essential to the continued operation of the IRS before, during and after an emergency or disaster.

Identification Media

  1. The authorized forms of ID media approved for use by IRS employees, contractors and visitors are as follows:

    1. ID cards (photo and non-photo) as prescribed in IRM 10.2.5, Identification Media.

    2. Civil Enforcement and Non-Enforcement Pocket Commissions as prescribed in IRM 10.2.6, Civil Enforcement and Non-Enforcement Pocket Commissions.

    3. Enforcement Pocket Commissions as prescribed in IRM 9.11.3, Fiscal and Personnel Matters, Investigative Property.

    4. Parking permits to IRS controlled parking areas.

    5. Insignia provided to IRS personnel for attachment to issued apparel.

      Note:

      For additional guidance, see IRM 10.2.5, Identification Media.

Photo ID Cards

  1. Authorized photo ID cards are the SmartID and Physical Access Card (PAC) cards.

  2. SmartID cards may be issued to individuals who meet the eligibility requirements for staff-like access and require routine access to IRS controlled facilities and/or information systems.

  3. PAC cards may be issued to individuals who meet the eligibility requirements for staff-like access and require routine access to IRS controlled facilities only.

  4. The SmartID will be worn above the employee’s waist (on the torso) with the photo clearly visible from the front while in IRS facilities. SmartID cards must be carried in an IRS issued holder to safeguard the ID card certificate. All ID cards must be recovered from employees who separate from the IRS.

    Note:

    For additional guidance, see IRM 10.2.5, Identification Media.

Issuance of Non-Photo ID Cards

  1. Visitors and federal or non-federal personnel who have met the eligibility requirements for staff-like access as set forth in IRM 10.2.18, Physical Access Control (PAC) will be issued non-photo "Visitor" ID cards by the local FMSS Physical Security staff for unescorted access.

  2. Non-photo ID cards are issued by the local FMSS Physical Security staff to:

    1. Visitors, to include federal and non-federal personnel who met the eligibility requirements for staff-like access, as set forth in IRM 10.2.18, Physical Access Control (PAC).

    2. Visitors, to include contractors and federal or non-federal personnel who have not met the eligibility requirements for staff-like access. These ID cards will be clearly marked "ESCORT ONLY".

    3. Employees reporting to IRS facilities without their photo ID card.

  3. Visitors who have not met the eligibility requirements must:

    1. be escorted by an IRS employee, who must request his/her placement on the facility visitor access list.

    2. present a valid photo ID card for identity verification and submit to facility entry screening procedures.

    3. be issued a non-photo "Visitor Escort Only" ID card.

  4. Non-photo ID cards cannot be removed from the issuing facility and should never be used as access authorization to a facility. Non-photo ID cards must be returned to local FMSS Physical Security staff or guard post by the individual assigned the card when the individual departs the facility or security area.

  5. Limited Area Non-photo ID cards are issued by designated business unit limited area monitors.

Pocket Commissions

  1. Pocket commissions are used to present proof of authority in the performance of official duties. They are primarily intended to identify IRS personnel to the public when dealing with tax matters and may not be issued merely to identify employees for transaction of routine business. There are three categories of pocket commissions: enforcement, civil enforcement and non-enforcement. Enforcement pocket commissions are issued only to individuals in Criminal Investigation 1811 occupational series. Civil enforcement and non-enforcement pocket commissions are issued to all other authorized employees.

    Note:

    For additional guidance see IRM 10.2.6, Civil Enforcement and Non-Enforcement Pocket Commissions.

ID Media for Pseudonym Holders

  1. Section 3706 of the IRS Restructuring and Reform Act of 1998 (RRA 98) from 26 USC 7804, dated July 22, 1998, provides that any employee of the Internal Revenue Service may use a pseudonym only if adequate justification for the use of a pseudonym is provided by the employee, including protection of personal safety; and such use is approved by the employee’s supervisor before the pseudonym is used. Verbatim text of Section 3706 of IRS RRA 98 is provided in Exhibit 10.5.7-1, Verbatim Text of Section 3706 (RRA 98) from 26 USC 7804, dated July 22, 1998.

  2. The PC and SmartID card must contain the same name, legal or pseudonym. The SmartID should be obtained before the PC.

  3. No employee may have more than one active SmartID or PC in their possession. If an employee is issued a PC using a registered pseudonym, that individual may not be issued any other PC. If an employee is already in possession of a PC, the manager of the employee must recover the PC prior to issuance of a PC using a pseudonym and return it to the PC team using the shipping requirements. The same process for issuance of a PC using a pseudonym applies.

  4. A PC issued in a registered pseudonym may not be used as a retirement memento, for an honorary presentation, or for similar purpose. A registered pseudonym PC holder may not be reissued a PC in their legal name for memento purposes. The PC must be recovered by the employee's manager and sent to the PC team for destruction.

    Note:

    For additional guidance, refer to IRM 10.5.7, Privacy and Information Protection, Use of Pseudonyms by IRS Employees.

Facility Access

  1. Access to IRS facilities and work areas is provided to IRS employees, contractors and visitors on an escorted or unescorted basis. The local FMSS physical security office will determine and grant the type of access, based on the eligibility requirements.

  2. All persons entering or requesting access to a government building are subject to the provisions of the rules and regulations governing public buildings and grounds. This includes Federal Management Regulation (FMR), Title 41, Code of Federal Regulations (CFR); Part 102-74, Subpart C Conduct on Federal Property and Title 18, United States Code (USC), Section 930, Possession of Firearms and Dangerous Weapons in Federal Facilities.

    Note:

    For additional guidance, see IRM 10.2.18, Physical Access Control (PAC).

Facility Unescorted Access

  1. Only employees, IRS contractors, and other federal agency employees and contractors who meet eligibility requirements are permitted unescorted access to IRS facilities.

  2. Non-federal personnel who meet eligibility requirements can be issued a Physical Access Card (PAC) for use at that facility, after a favorable adjudication for staff-like access. Any issued Non-photo ID cards must not be removed from the issuing facility.

  3. Contractors meeting the unescorted access requirements who do not have an IRS-issued photo ID card may be placed on a VAR approved by the local FMSS physical security office.

    Note:

    For additional guidance, see IRM 10.2.18, Physical Access Control (PAC).

Facility Escorted Access

  1. IRS contractors, other federal agency employees and contractors, and visitors who do not meet the requirements for unescorted access must be escorted at all times while in IRS facilities and workspace. Escorted access does not allow for entry into and/or movement throughout the facility without a qualified escort.

  2. Escorted persons require a qualified escort. A qualified escort is an authorized (designated) IRS or contractor employee approved for final staff-like access at the same or higher position risk level as the escorted person.

Facility Access Cards

  1. Employees and authorized contractors requiring routine access to IRS controlled facilities with an electronic access control system may be issued a facility access card, also known as the proxy card, where required.

  2. Employees that require a proxy card must complete and submit Form 13716, Request for ID Media and/or Access Card for IRS Employees, to the local FMSS Physical Security staff in order to obtain their proxy card.

Reviews

  1. The IRS has established minimum security standards and requirements that IRS managers must uphold. Recurring assessments and reviews assist security personnel and management officials in determining the effectiveness and appropriateness of existing safeguards and security guidelines.

Functional Reviews

  1. Functional reviews measure compliance with security policy and procedures that apply to each manager's office or functional area. Functional reviews allow managers to verify that existing security policy and procedures are being followed daily.

  2. Front line managers must conduct functional reviews on at least an annual basis, or more frequently depending on their business unit’s security requirements. The review must be documented on Form 12149, and the reviewer must provide a copy of the report to the next level of management. Review criteria may be based on local concerns, but managers should evaluate their area on:

    1. Clean Desk Policy

    2. Disposition of waste material

    3. ID Media

    4. Locks and keys

    5. Protection of sensitive information

    6. Security awareness

After Hours Review

  1. An after-hours review allows managers to determine if assets are adequately protected when not in the custody of authorized IRS personnel. Managers can accomplish this by checking the area after the close of the business day or before the facility opens to review the workspace for compliance.

  2. Managers:

    1. periodically review functional areas after hours to determine whether sensitive information is appropriately contained or disposed of, whether cabinets, safes and other containers are appropriately secured, and whether limited areas, secure areas and office doors meet security requirements.

    2. take immediate action for identified weaknesses to safeguard information, property or rooms/facility, counsel employees as appropriate, and/or request assistance from the local FMSS SSC to develop corrective measures.

Contractor Site Surveys and Reviews

  1. Contracts for services or property involving the disclosure of sensitive information to a contractor (e.g., return or return information, personnel information, and administrative or internal management information critical to the mission of the IRS) must include appropriate protective measures in accordance with applicable laws, regulations and procedures. IT Cybersecurity and FMSS can assist in the review and provide their respective expertise.

    Note:

    Refer to Servicewide Records Management Guidance Regarding Contractor Records.

  2. Managers confirm requests for contracted services involving disclosure of sensitive information are reviewed by PGLD and where appropriate, IT Cybersecurity, as well as FMSS Physical Security.

  3. Managers consult with FMSS Physical Security staff to determine contractor site survey and security requirements.

  4. For automated information services, see IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

Recertification

  1. An existing contractor’s ability to adequately protect IRS data from unauthorized use or disclosure must be recertified annually for contracts which extend beyond a one-year period, prior to contract renewal or if the safeguards employed by the contractor become a matter of concern (e.g. suspected security breach).

  2. If the recertification is conducted because of a disclosure concern, contact the Privacy, Governmental Liaison, and Disclosure Incident Management Office to brief them about the concern.

  3. The contractor will be requested to provide a self-assessment regarding their ability to protect IRS data. If recertification status cannot be determined from the self-assessment and other documentation, a contractor facility recertification site review must be scheduled. Due to regulatory requirements, IRS security (Cybersecurity and/or FMSS) may perform site reviews annually depending on the nature of the issue (i.e., Federal Information Security Management Act (FISMA), see Pub. 4812, Contractor Security Controls).