10.2.1 Physical Security

Manual Transmittal

September 27, 2017

Purpose

(1) This transmits revised Internal Revenue Manual (IRM) 10.2.1, Physical Security.

Material Changes

(1) On October 1, 2014, Agency-Wide Shared Services (AWSS) Physical Security and Emergency Planning (PSEP) and AWSS Real Estate and Facilities Management (REFM) merged to create Facilities Management and Security Services (FMSS).

(2) As of January 1, 2017, the Internal Revenue Service (IRS) instituted a requirement that the IRM address relevant internal controls. This will inform employees about the importance of and context for internal controls by describing the program objectives and officials charged with program management and oversight. Internal controls are the program’s policies and procedures which ensure:

  1. Mission and program objectives are clearly delineated and key terms defined.

  2. Program goals are established and performance is measured to assess the efficient and effective accomplishment of the mission and objectives.

  3. Program and resources are protected against waste, fraud, abuse, mismanagement and misappropriation.

  4. Program operations are in conformance with applicable laws and regulations.

  5. Financial reporting is complete, current and accurate.

  6. Reliable information is obtained and used for decision making and quality assurance.

(3) This IRM was updated to reflect current organizational titles, terminology, references, and citations.

Effect on Other Documents

This supersedes IRM 10.2.1 dated April 6, 2012.

Audience

Servicewide

Effective Date

(09-27-2017)

Richard L. Rodriguez
Director
Facilities Management and Security Services
Agency-Wide Shared Services

Program Scope

  1. Purpose: The purpose of this IRM is to establish the responsibilities for the IRS physical security programs designed to protect IRS personnel, assets and information.

  2. This IRM provides the IRS management and employees with standards to protect IRS lives, property, assets and information.

  3. Audience: IRS managers and employees.

  4. Policy Owner: Director, FMSS

  5. Program Owner: FMSS Associate Director (AD), Security Policy

  6. Primary Stakeholders: Business Unit (BU) executives, senior managers and Chief Counsel Executives, Senior Managers and Chief Counsel.

Background

  1. The IRS processes and maintains sensitive data such as:

    1. private information of US citizens.

    2. financial information.

    3. law enforcement information.

    4. proprietary information.

    5. life and mission-critical information.

  2. Inadvertent or deliberate disclosure, alteration or destruction of this sensitive data poses such risk and such a high degree of harm that the IRS must protect its information resources through:

    1. physical security.

    2. data security.

    3. sensitive information and document handling procedures.

  3. Security procedures must also allow for access, use, disclosure and disposition of information in strict accordance with applicable laws, federal regulations, and Treasury Department directives.

Authority

  1. Executive Order 12356, National Security Information

  2. The Privacy Act of 1974

  3. Tax Reform Act of 1976

  4. IRC 6103, 7213, 7217, and 7431

  5. Federal Managers' Financial Integrity Act of 1982 (FMFIA)

  6. Government Accountability Office Standards

  7. OMB Circular A–123 (Internal Control System)

  8. OMB Circular A–130 (Security of Federal Automated Systems)

  9. Treasury Security Manual 71–10

  10. Federal Information Security Management Act of 2002 (FISMA)

  11. National Institute of Standards and Technology (NIST) SP 800-65

Responsibilities

  1. The Chief, AWSS, is authorized to prescribe the Physical Security Program for use within the IRS.

  2. The Director, FMSS, is responsible for oversight of this IRS Program.

  3. The AD, Security Policy, is responsible for planning, developing, implementing, evaluating, and controlling this IRS Program.

  4. The BU executives, senior managers and Chief Counsel are responsible for an effective physical security program and reasonable and adequate physical security measures. IRS officials and managers are responsible for the secure operation of the federal tax administration system and for taking actions to ensure adequate Occupant Emergency Plans, and Continuity Plans are established. These plans are essential to the Continuity of Operations, the prevention of loss of life, loss of property, and unauthorized disclosure of documents and information.

  5. FMSS Territory Managers (TM) are responsible to ensure FMSS Security Section Chiefs follow IRS policy and provide guidance, oversight, and help to client sites with the physical security program.

  6. FMSS Security Section Chiefs are responsible to plan, develop, implement, manage and evaluate physical security programs for their client sites, ensuring that IRS policy and procedures are followed and that security measures meet established minimum security standards.

Program Objectives and Review

  1. Program Goals:

    1. To establish appropriate physical security measures, processes and procedures to protect IRS personnel, assets and information.

    2. To comply with federal regulations and laws, Treasury directives and Department of Homeland Security (DHS) Interagency Security Committee (ISC) standards.

  2. Program Reports: FMSS Annual Physical Security Report and Physical Security Risk Assessments.

  3. Program Effectiveness: The measures of program effectiveness are:

    1. Assess compliance with federal regulations and laws, Treasury Directives and DHS ISC standards

    2. Physical Security Risk Assessments

Acronyms

  1. Acronym  Definition
     AWSS     Agency-Wide Shared Services
     BU       Business Unit
     DHS      Department of Homeland Security
     FMFIA    Federal Managers' Financial Integrity Act of 1982 (FMFIA)
     FISMA    Federal Information Security Management Act of 2002, which is the short title for Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899)
     FMSS     Facilities Management and Security Services
     ISC      Interagency Security Committee
     NIST     National Institute of Standards and Technology
     OMB      Office of Management and Budget
     TM       Territory Manager(s)

Related Resources

  1. Facilities Management and Security Services Customer Resources site

  2. IRM 1.4.6, Managers Security Handbook

  3. IRM 10.2, Physical Security Program

Basic Security Principles

  1. Overriding principles of physical security in the IRS:

    1. Every employee is responsible for security. Managers and employees are responsible for providing reasonable security for all information, documents, and property entrusted to them.

    2. Access to sensitive information and restricted areas where sensitive information is maintained should be granted only on a need-to-know basis, determined by business unit management officials.

    3. FMSS is responsible for providing oversight, guidance and resources to business units in physical security matters.

  2. Established guidelines for minimum physical security standards are found in IRM 10.2.15, Minimum Protection Standards. It establishes a baseline for physical security measures, while allowing flexibility to develop higher standards when needed to meet local situations.