10.2.8 Incident Reporting

Manual Transmittal

July 25, 2019

Purpose

(1) This transmits revised Internal Revenue Manual (IRM) 10.2.8, Incident Reporting.

Material Changes

(1) References to Watch Commander roles and functions have been removed. The role has been made obsolete.

(2) As of January 1, 2017, the Internal Revenue Service (IRS) instituted a requirement that the IRM address relevant internal controls. This will inform employees about the importance of and context for internal controls by describing the program objectives and officials charged with program management and oversight. Internal controls are the program’s policies and procedures which ensure:

  1. Mission and program objectives are clearly delineated and key terms defined.

  2. Program goals are established and performance is measured to assess the efficient and effective mission and objective accomplishment.

  3. Program and resources are protected against waste, fraud, abuse, mismanagement and misappropriation.

  4. Program operations are in conformance with applicable laws and regulations.

  5. Financial reporting is complete, current and accurate.

  6. Reliable information is obtained and used for decision making and quality assurance.

Effect on Other Documents

This IRM supersedes IRM 10.2.8 dated May 31, 2016.

Audience

Servicewide

Effective Date

(07-25-2019)

Richard L. Rodriguez
Chief
Facilities Management and Security Services

Program Scope and Objectives

  1. This IRM section discusses the Situation Awareness Management Center (SAMC) and provides guidance on reporting physical security incidents and conditions or situations to appropriate authorities and a process for recording incidents.

  2. Purpose: This IRM provides policy and guidance to be used by IRS personnel and organizations, including contractors, vendors, and outsourcing providers, when reporting physical security incidents to the SAMC. Physical security incidents are incidents and/or threats (direct, indirect, implied), office closures, loss of identification (ID) media, disruptive/disgruntled taxpayers and personnel.

  3. Audience: Servicewide

  4. Policy Owner: Chief, Facilities Management and Security Services (FMSS)

  5. Program Owner: FMSS Associate Director (AD), Security Policy

  6. Primary Stakeholders: Senior Commissioner’s Representatives (SCR), Administrative Officers (AO), FMSS AD, FMSS Field Operations Territory Managers (TM), Security Section Chiefs (SSC), Physical Security Specialists (PSS), and FMSS Security Policy personnel.

  7. Program Goals: To ensure the safety and security of IRS personnel, facilities and infrastructure by providing interactive, proactive and reactive solutions to threats or actions against the IRS through the Incident Reporting system.

Background

  1. SAMC was created and tasked with promptly reporting all physical security incidents and/or threats. SAMC's mission is to document, archive and report incidents, threats, and emergencies. SAMC does this by supporting the Service's law enforcement partners to ensure the safety of IRS personnel, facilities, and infrastructure. Additionally, SAMC disseminates, documents, and responds to inquiries from the Department of the Treasury, governmental agencies and other federal law enforcement partners. This is important as SAMC must be kept apprised of situations that could require the immediate assistance and/or attention of the IRS Commissioner, Chief, FMSS, and/or other IRS Executives.

  2. SAMC is a 24/7 operation center and is the focal point for incident reporting. SAMC monitors and routes incident reports to the appropriate key IRS personnel.

Authority

  1. Treasury Directive, TD P 85-01, Treasury Cyber Security Program, November 4, 2015

  2. TD P 85-01, Appendix G, (TCIO M 15-05), Department of the Treasury Incident Response Guidelines and Procedures, October 28, 2015

Responsibilities

  1. Chief, FMSS is responsible for oversight of security policy and guidance.

  2. AD, Security Policy is responsible for oversight of planning, developing, implementing, evaluating, and controlling security policy.

  3. Chief, Facilities Protection Management (FPM) is responsible for planning, developing, implementing, evaluating, and controlling security policy.

  4. Each FMSS Operations AD and TM are responsible to ensure each SSC follows the IRS policy and provides oversight in the implementation and enforcement of the SAMC program.

  5. SAMC Watch Standers (WS) are responsible for:

    1. Promptly reporting all incidents and emergencies that result in the need to respond to inquiries from the Department of the Treasury or the news media to the SAMC Program Manager (PM) and the SSC.

      Note:

      Notifications to the Commissioner of the IRS, Chief, FMSS, and/or other IRS executives are sent to ensure that these individuals are kept apprised of situations that could require their immediate assistance and/or attention.

    2. Documenting, reporting and sending notifications for all incidents and threats Servicewide within the Threat Response Center (TRC) application.

    3. Reporting facility closures reported to SAMC to the FMSS SSC and the Department of Treasury Operations Center (TOC).

      Note:

      This is for all reported facility closures due to any major equipment failures, natural disasters, and acts of nature or severe weather. Reports of closures to SAMC must include:
      a) Description of the incident
      b) Facility impacted by the incident
      c) Number of personnel affected
      d) Amount of time the facility is expected to be closed
      e) Actions taken by IRS

  6. SAMC PM is responsible for:

    1. Developing policy and procedures for implementing proper mitigation and countermeasures.

      Note:

      This ensures that all incidents and threats Servicewide have the proper mitigation and countermeasures in place to ensure the safety of IRS personnel and/or facilities.

    2. Serving as the Threat and Incident Response Center (TIRC) Chair.

    3. Maintaining Internal Controls for the SAMC Program.

    4. Reviewing and approving the daily Leadership View (LV) report that outlines the Level 1 and Level 2 Physical Security Incidents along with any Office Closures that occurred on the prior day.

    5. Ensuring that SAMC program documentation and procedures are up-to-date and current (i.e. IRM).

    6. Establishing and maintaining SAMC processes and training programs.

    7. Establishing a secure process to receive physical security incidents, and to provide guidance to WS on proper classification, as needed.

    8. Taking appropriate and prompt corrective action when an imminent incident or threat occurs.

    9. Reviewing and providing recommendations when existing countermeasures require modification to ensure the safety of personnel and facilities and follow up when required.

    10. Maintaining and updating procedures and communications for the following programs:
      i. 911 Notification
      ii. "See Something, Say Something"
      iii. Emergency Information Hotline Card

  7. The SSC is responsible for:

    1. Serving as the physical security personnel monitoring all incidents and threats within their geographical coverage area, to assist in identifying the validity of the data reported.

    2. Accessing incidents to ensure reported incidents are properly addressed through established protocols and countermeasures.

    3. Submitting the Follow Up Incident Report (FUIR).

      Note:

      All incidents that have been classified as a Level 1 incident and/or threat require a FUIR.

      Note:

      The FUIR must be submitted to SAMC within 24 hours of occurrence.

      Note:

      All incidents classified as a Level 2 or 3 incident and/or threat require a FUIR report at the discretion of the AD of Security Policy within 72 hours.

    4. Completing and ensuring their assigned PSS and Physical Security Assistants are required to complete ELMS Course 71555, SAMC Incident Reporting, annually.

    5. Providing updates on incidents to the FMSS TM, FMSS AD, Operations, TIRC/SAMC PM, and the SAMC WS until the incidents are completed and/or terminated.

      Note:

      Any incident requiring the evacuation or closing of an IRS facility due to an impending threat, either natural or man-made, is considered significant. In addition to SAMC, the SSC must also report significant incidents immediately to the FMSS TM, and Operations AD by telephone. This initial notification is intended to provide forewarning of impending threats and/or situations.

  8. SCR/AO is responsible for reporting facility closures affected by any major equipment failures, natural disasters, acts of nature or severe weather.

    Note:

    Reports of closures to SAMC must include:
    a) Description of the incident
    b) Facility impacted by the incident
    c) Number of personnel affected
    d) Amount of time the facility is expected to be closed

  9. All IRS Personnel are responsible for:

    1. Familiarizing themselves with the physical security incident and emergency reporting procedures.

      Note:

      All physical security incidents must be reported to the SAMC within 30 minutes of incident discovery, or when it is safe to do so.

      Note:

      For additional information, see ELMS Course 71555, SAMC Incident Reporting.

Program Objectives and Review

  1. Program Reports:

    1. Analysis of reported incident data conducted monthly, quarterly and annually. Data is derived from the TRC database.

    2. Quarterly performance reviews to assess WS accuracy and timeliness in processing incident notifications.

    3. Prepare Daily LV reports of high level incidents reported the previous workday.

  2. Program Effectiveness: Accurate and complete notifications to appropriate personnel as outlined in training materials.

Program Controls

  1. Internal Control - Random Sampling Process – ensures that the WS are complying with the 15-minute timeframe for incident processing within the TRC application.

Terms/Definitions/Acronyms

  1. Criminal Investigation - An IRS organization that is the law enforcement arm of the IRS with investigative jurisdiction.

  2. Direct Threat - A direct expression of intention to inflict evil, injury, or damage at the IRS.

  3. Federal Protective Service (FPS) - An organization within the Department of Homeland Security (DHS) that protects federal facilities, their occupants, and visitors by providing law enforcement and protective security services.

  4. Follow Up Incident Report (FUIR) - Report generated and prepared by the Impacted SSC and used by the TIRC-IRC to outline the actions taken to mitigate the reported incident/threat.

  5. Guard - A Protective Security Officer (PSO) who is contracted to protect personnel and IRS facilities in addition to deterring security incidents.

  6. Incident - An occurrence of an action or situation, such as an act of human intervention or an act of nature (i.e. storm or fire) that requires a physical security response.

  7. Indirect Threat - An implied threat with expression of intention to inflict evil, injury, or damage and is not directly aimed at the IRS.

  8. Individual - The person who is the subject of an incident with no known nexus to the IRS.

  9. Information Technology (IT) CyberSecurity - IT security service provider responsible for ensuring IRS compliance with federal statutory, legislative and regulatory requirements governing confidentiality, integrity and availability of IRS electronic systems, services and data.

  10. Infrastructure - The basic equipment and structures (such as phones, desks, electricity and buildings) that are needed for the IRS to function properly.

  11. Level 1 Incident - Incidents involving a direct threat of an imminent physical assault action against identifiable IRS personnel (in relation to a known or implied nexus to their employment, facilities, or infrastructure).

  12. Level 2 Incident - Incidents involving an indirect threat against IRS personnel, facilities, or resources. These are generally not imminent threats but may have potential for triggering future actions and/or elevating to a Level 1 Incident.

  13. Level 3 Incident - Incidents involving minimal security or management involvement, security exercises, and lost or stolen ID media.

  14. Personnel - Refers to IRS employees and contractors.

  15. Privacy, Governmental Liaison and Disclosure (PGLD) - An IRS organization whose mission is to protect the sensitive information and privacy of taxpayers and personnel.

  16. Protective Security Officer - PSO (i.e. Guards) who are contracted to monitor offices for threats and to deter incidents from occurring within IRS facilities.

  17. Situation Awareness Management Center (SAMC) Program Manager - FMSS employee responsible for establishing program objectives and providing technical direction for SAMC operations.

  18. Security Section Chief (SSC) - An FMSS Operations manager responsible for physical security within a geographical area.

  19. Security Exercises - Security awareness drills such as Shelter-in-Place, Fire Drill, and Active Shooter.

  20. SAMC - A 24/7 program within FMSS responsible for incident and threat reporting servicewide. The SAMC also serves as the central point for all incident communications and notifications.

  21. Stakeholder - IRS business unit or individual responsible for security oversight and/or with a need to know.

  22. Taxpayer Assistance Center (TAC) - An IRS location that provides taxpayers with tax assistance face-to-face.

  23. Threat - A person or thing likely to cause damage or danger.

  24. Treasury Inspector General for Tax Administration - A Treasury organization that is committed to the prevention and detection of fraud, waste, and abuse within the IRS and related entities.

  25. TIGTA Incident Notification Submittal (TINS) - Incidents submitted by TIGTA to SAMC.

  26. Threat and Incident Response Center (TIRC) - Group that monitors and reviews incidents and threats to the IRS. Stakeholder organizations include FMSS, TIGTA, Criminal Investigation (CI), PGLD, IT Cyber Security, and FPS.

  27. Threat Response Center (TRC) - Database software application used by the Watch Standers to manage all incidents and threats reported to SAMC.

  28. Watch Stander (WS) - The SAMC individual responsible for documenting and updating incidents servicewide.

  29. WS Lead - Supervisor of the WS.

  30. Acronyms

    Acronym  Definition
    AD       Associate Director
    AO       Administrative Officer
    CI       Criminal Investigation
    COGCON   Continuity of Government Readiness Condition
    COOP     Continuity of Operations
    DHS      Department of Homeland Security
    FMSS     Facilities Management and Security Services
    FPM      Facility Protection Management
    FPS      Federal Protective Service
    FUIR     Follow Up Incident Report
    HAZMAT   Hazardous Material
    HCO      Human Capital Office
    ID       Identification
    IT       Information Technology
    LV       Leadership View
    OEP      Occupant Emergency Plan
    PGLD     Privacy, Governmental Liaison and Disclosure
    PII      Personally Identifiable Information
    POC      Point of Contact
    PSO      Professional Security Officer
    PSS      Physical Security Specialist(s)
    SAMC     Situation Awareness Management Center
    SCR      Senior Commissioner’s Representative
    SSC      Security Section Chief(s)
    TAC      Taxpayer Assistance Center
    TD       Treasury Directive
    TIGTA    Treasury Inspector General for Tax Administration
    TINS     TIGTA Incident Notification Submittal
    TIRC     Threat and Incident Response Center
    TM       Territory Manager(s)
    TOC      Treasury Operations Center
    TRC      Threat Response Center
    USC      United States Code
    WS       Watch Stander(s)

Related Resources

  1. IRM 10.2.9, Occupant Emergency Planning

  2. IRM 10.5.4, Privacy and Information Protection, Incident Management Program

  3. IRM 10.8.1, Information Technology, Policy and Guidance

  4. IRM 21.3.4, Taxpayer Contacts, Field Assistance

Incident Report

  1. All IRS personnel must report any physical security incidents to the SAMC within 30 minutes of incident discovery/identification, or when it is safe to do so.

  2. Incidents involving the inadvertent unauthorized disclosure of PII or of Privacy Act information must be reported to PGLD.

    Note:

    For detailed information, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program.

  3. Incidents involving the loss or theft of IT assets must be reported to CyberSecurity.

    Note:

    For additional information, see IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

  4. Any incident requiring the evacuation or closing of an IRS facility due to an impending threat, either natural or man-made, is considered significant. In addition to SAMC, FMSS TM and/or SSC must also report significant incidents immediately to the Chief, FMSS by telephone. This initial notification is intended to provide forewarning of impending threats and/or situations.

  5. Threats against or assaults on IRS personnel and facilities are also required to be reported to the Treasury Inspector General for Tax Administration (TIGTA). TIGTA is the only investigative agency with jurisdiction to investigate internal and external attempts to interfere with tax administration as outlined in RRA 98, 26 United States Code (USC) 7608 (b), and (Public Law 105-206) or The Internal Revenue Service Restructuring and Reform Act of 1998.

  6. Threats must also be reported to FPS. FPS protects the buildings, grounds, and property that are owned, occupied, or secured by the Federal Government (including any agency, instrumentality, or wholly owned or mixed-ownership corporation thereof) and the persons on the property.

    Note:

    For additional information, see Homeland Security Act of 2002 and 40 USC 1315.

  7. A list of incidents that must be reported to SAMC is provided in Exhibit 10.2.8-1, Incidents to be Reported to SAMC. The list of incidents is not all inclusive but will help provide a basis for determining which incidents must be reported.

    Note:

    For additional guidance, contact SAMC if you are unsure as to whether to report an incident. When there is doubt as to whether an incident should or should not be reported, the incident should be reported to the SAMC. It is the employee’s obligation and responsibility to report security incidents through the prescribed IRS incident reporting process, even if instructed not to report by an investigative agency.

  8. There may be incidents that are not listed in Exhibit 10.2.8-1 but may be considered sensitive or high profile. When there is doubt as to whether an incident should or should not be reported, the incident should be reported to the SAMC. The WS will consult with the TIRC/SAMC Program Manager for guidance.

  9. When reporting incidents to the SAMC or to the local FMSS physical security staff, at a minimum, the following information must be provided:

    1. Time and date of incident

    2. Name of facility/office

    3. Address of facility/office

    4. Details of what occurred (who, what, when, where, how, and if possible why)

    5. Who was notified (FPS, TIGTA, local authorities, senior management, etc.)

    6. Approximate number of IRS personnel affected

    7. Whether the facility has been evacuated or closed (including the number of downtime minutes/hours)

    8. POC or an individual at the facility in the event there are follow up questions

  10. Incident Reporting Form (SAMC website portal) at:

    1. https://tscc.enterprise.irs.gov/irc/

    2. telephone at 202-317-6124

    3. toll free hotline at 1-866-216-4809

    4. fax at 202-317-6129

    5. e-mail samc@irs.gov

      Note:

      Although it is not always possible, the website portal is the preferred method for reporting incidents to the SAMC.

Notification

  1. Various types of incident notifications will be sent to local FMSS physical security staff, and designated response personnel with responsibilities to receive incident and threat notifications from SAMC identified by their business unit. Designated response personnel will be responsible for forwarding the incident/threat to the responsible party within their business unit, if applicable.

  2. Requests for SAMC reports and incident information are based on a need to know. Due to the sensitivity of some information, incidents will not be disseminated or disclosed from SAMC outside of FMSS and/or TIGTA/Law Enforcement. Email requests for incident information must be sent to the SAMC Program Managers.

  3. Personnel identified for their role in security matters or Human Capital Office (HCO) Continuity of Operations Program (COOP) organization within the IRS will be notified of incidents and/or threats as warranted to ensure the safety of IRS personnel, facilities and infrastructure.

  4. Daily notification of Level 1 and 2 physical security incidents with an impact to the service from the previous work day will be distributed through the LV Report. The LV report is distributed to designated personnel (executives, managers and other personnel).

Incidents To Be Reported To SAMC

This list encompasses examples of situations that should be reported to SAMC. The list includes examples of incidents and/or threats (direct, indirect, implied), office closures, loss of ID media, disruptive/disgruntled taxpayers and personnel. This list does not encompass all incidents and can change as threats to the IRS change. When there is doubt as to whether an incident should be reported to SAMC, the incident should be reported.
INCIDENT
Alarm activations (duress, fire and perimeter)
Arson or a fire with injury or a disruption of IRS operations
Attack on IRS infrastructure
Attack or assault against IRS employees
Attack or intentional destruction of an IRS facility or group of facilities
Attempted entry to a facility with a prohibited weapon
Bombing or explosion
Bomb threat (verbal, telephonic, by letter or email)
Burglary of IRS property
Civil disturbances resulting in aggression or violence on the part of the demonstrators
Continuity of Government Readiness Condition (COGCON) level change (1/2/3/4)
Communications check
Corrupt interference/harassment
Counterfeit currency
Closed Point of Dispensing (CPOD) activation
Damage or destruction (inadvertent/accidental) to government property (includes graffiti)
Death of an employee or taxpayer while on IRS property
Delayed facility openings - due to severe weather, or utility/equipment failure
Demonstrations
DHS alert level activation
Disruptive or disgruntled taxpayer (yelling/uncooperative)
Employee altercation - verbal and/or physical
Employee injury incident
Equipment failure
Exercises (fire drills, evacuation drills, SIP drills, table top exercises)
Facility closures due to equipment failure (HVAC, water, electricity, etc.)
Facility closures due to severe weather (tornados, hurricane, snow, etc.)
Facility closures not resulting in facility closure - OTHER (e.g., partial facility closure or disruption)
Fire (with or without injury/disruption of service)
Found property (IRS assets)
HAZMAT incidents (biological/chemical)
HAZMAT incidents (infectious disease) with no overt or implied threat or injury toward the safety of employees or IRS facility
HQ Continuity Operations (COOP) team activation
Ill/sick employee or taxpayer - Illness has spread to multiple people having an impact on the IRS
Incidents resulting in injuries to taxpayers
Influenza (FLU) - Illness has spread to multiple people having an impact on the IRS
Intelligence threat advisory (threat assessment)
IRS scam complaint (non-IRS employee subject)
Loss of remittance with no known PII disclosed data
(Loss of remittance with PII disclosed should be reported to PGLD. For additional information, see IRM 21.3.4, Taxpayer Contacts, Field Assistance.)
Loss or compromise of Classified Information (National Security Information)
Loss or theft of building access card, building or room keys, legacy ID card, pocket commissions, SMART ID, government property or equipment, sensitive data
Loss or theft of sensitive data (high impact and/or high risk)
Natural disaster (hurricane, tornado, severe snow, flooding, etc.)
Other - Employee reported incident when employee is acting as private citizen and there is no known nexus to their position with the IRS
Parasitic invasion (examples: bed bugs, lice, tick, mice, etc.)
Partial day facility closure - due to severe weather or equipment failure
Physical altercation (employee and/or taxpayer)
Possession (illegal)/discovery of a controlled substance
Power outages
Real world event (no impact to IRS employees or operations)
Robbery of an employee and/or of a taxpayer on IRS property
Shelter-in-Place (not a drill)
Statements by individuals of support of violence to IRS employees and/or facilities
Statements by individuals of sympathy with radical groups
Statements - Inappropriate
Suicide threats - by employee or taxpayer with no nexus to an IRS facility or concern for the safety of IRS employees or facilities
(Suicide threats by a taxpayer must also be reported to PGLD.)
Suicide threats - nexus to an IRS facility (by employee or taxpayer when an overt or implied threat is made toward the safety of employees or an IRS facility - whether they can carry out the threat or not)
Suspicious activity (photographing or surveillances of IRS property; Non-nexus related events/incidents at Federal Buildings or IRS shared locations)
Suspicious packages (resulting in a disruption of IRS operations or negative finding)
Taxpayer complaint
Theft - of government property, personal property, a lockbox, tax remittance
Threat against IRS personnel
Threat against IRS infrastructure
Threat against government property (IT)
Threat on an IRS facility or group of facilities
Unauthorized entry to a facility and/or property (trespassing)
Unsecured property or facility
Vehicle accidents on government property (with or without injuries)
Verbal/written threat (involving an employee or taxpayer)
Weapon discharge
Workplace incident - disruptive/disgruntled employee (physical and/or verbal altercations)
Workplace incident - incident requiring minimal law enforcement, FMSS or senior IRS management mitigation
Workplace violence - Physical altercation between employees or between an employee and a taxpayer