10.2.8 Incident Reporting

Manual Transmittal

May 31, 2016

Purpose

(1) This transmits revised Internal Revenue Manual (IRM) 10.2.8, Incident Reporting.

Background

The Facilities Management and Security Services (FMSS) Situational Awareness Management Center (SAMC) Watch Commanders have been given the responsibility for ensuring reports on facility closures, due to natural disasters or acts of nature occurring outside of the National Capital Region (NCR), be submitted to the Department of the Treasury, Office of Emergency Programs (OEP) via Treasury. SAMC Watch Standers have been given the authority to document incidents that impact IRS employees and facilities and report incidents to ensure proper mitigation and countermeasures are implemented to ensure the safety of IRS personnel and facilities.

Material Changes

(1) On October 1, 2014 Physical Security and Emergency Preparedness (PSEP) merged with Real Estate and Facilities Management (REFM) to become FMSS. This IRM was updated to reflect current:

  1. organizational titles.

  2. roles and responsibilities.

  3. reporting requirements for all employees, contractors, FMSS SAMC Watch Commanders and Watch Standers.

  4. incidents to be reported to SAMC.

  5. contact information for SAMC.

Effect on Other Documents

This IRM supersedes IRM 10.2.8, Physical Security Program, Incident Reporting, dated September 30, 2008.

Audience

Servicewide

Effective Date

(05-31-2016)

Related Resources

IRM 10.2.9, Occupant Emergency Planning

IRM 10.5.4, Privacy and Information Protection, Incident Management Program

IRM 10.8.1, Information Technology, Policy and Guidance

IRM 21.3.4, Taxpayer Contacts, Field Assistance

Steven M. Artise
Acting Director
Facilities Management and Security Services

Purpose

  1. This IRM provides policy and guidance to be used by IRS personnel and organizations when reporting physical security incidents to the Situational Awareness Management Center (SAMC). Physical security incidents are incidents and/or threats (direct, indirect, implied), office closures, loss of ID media, disruptive/disgruntled taxpayers and employees.

  2. This IRM provides guidance on reporting physical security incidents and conditions or situations to appropriate authorities and a process for recording incidents.

Overview

  1. The federal tax administration system is of vital importance to the economy of the United States. As such, its protection must be assured at all times. In order to provide adequate response measures, it is necessary to develop sound incident reporting procedures that will ensure immediate and effective response to physical incidents. At a minimum, incidents and emergencies that are to be reported include any situation or condition in or around an IRS facility that could deny access, cause harm to employees or damage to IRS facilities and property.

  2. Proper and timely incident reporting helps afford leadership the capability to make operational decisions on how to best respond to physical incidents and/or emergency situations, reducing the effects of threats to IRS personnel, facilities, and property.

Scope

  1. It is the policy of the IRS to establish and manage a process for properly identifying, protecting, processing, handling, and analyzing all incidents and threats within the IRS.

  2. This IRM provides policy guidance to all IRS employees reporting incidents to the SAMC. It also provides security guidance on roles and responsibilities to ensure the safety of Service employees and facilities.

  3. This IRM implements IRS standards for incident reporting within the Service, covering the classification, safeguarding, and analysis of security-related events, to aid FMSS Leadership in developing policy and procedures that ensure appropriate mitigation and countermeasures are implemented when responding to security-related matters.

  4. The IRS Security, Policy, and Assessment Office for incident and threat information reporting will:

    1. Ensure there are sufficient protective measures (including proper response, physical, and personnel control measures) in place to safeguard employees and facilities.

    2. Ensure security personnel (Security/Guard) entrusted to respond to incidents and/or threats are properly trained and aware of their responsibilities when reporting security information.

    3. Ensure proper follow up when required and provide recommendations when existing countermeasures require modification to ensure the safety of personnel and facilities.

  5. The provisions in this IRM apply to all offices, business, operating, and functional units within the IRS. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, and outsourcing providers.

  6. For the purpose of this IRM, the terms IRS, Service, and Agency are interchangeable.

Authority

  1. Treasury Directive, TD P 85-01, Treasury Cyber Security Program, November 4, 2015

  2. TD P 85-01, Appendix G, (TCIO M 15-05), Department of the Treasury Incident Response Guidelines and Procedures, October 28, 2015

Roles and Responsibilities

  1. The Chief, Agency-Wide Shared Services (AWSS) serves as the Senior Agency Official (SAO) for the Service's physical security program. The SAO responsibilities include:

    1. Demonstrate personal commitment and commit senior management to the successful implementation of the Service's security.

    2. Commit necessary resources to the effective implementation of the security program.

    3. Ensure that IRS recording of incidents and threats is designed and maintained to optimize the appropriate sharing and safeguarding of employees and facilities.

    4. Designate an agency official to direct and administer the security program.

  2. The Director of Facilities Management and Security Services (FMSS) is designated as the coordinator of all emergency and incident related information including all incidents, unusual situations, potential incidents or situations affecting or which may impact the operations of the IRS.

  3. The FMSS Associate Director (AD), Security Policy serves as the Agency Official (AO) for the Service's physical security program. The AO responsibilities include:

    1. Overseeing the physical security program;

    2. Designating a physical security program manager;

    3. Promulgating implementing directives and regulations;

    4. Establishing and maintaining security and training programs;

    5. Establishing procedures to protect employees and facilities while also satisfying operational and physical security requirements and needs;

    6. Developing special contingency plans for safeguarding employees and facilities;

    7. Assigning in a prompt manner, physical security personnel to respond to any request, appeal, challenge, complaint, or incident;

    8. Establishing a secure capability to receive information, allegations, or complaints regarding over-classification or incorrect classification within the Service and to provide guidance to personnel on proper classification as needed;

    9. Taking appropriate and prompt corrective action when an imminent incident or threat occurs.

  4. SAMC is a 24/7 operation center and is the focal point for incident reporting. SAMC monitors and routes incident reports to the appropriate key IRS personnel such as:

    1. FMSS Headquarters staff

    2. Treasury Inspector General for Tax Administration (TIGTA)

    3. Senior Executive Team (SET)

    4. Threat Information and Critical Incident Response Initiative Stakeholders (TIRC)

    5. Other IRS designated officials

  5. The SAMC promptly reports all incidents and emergencies that result in the need to respond to inquiries from the Department of the Treasury or the news media to the Watch Commanders (WC) and TIRC/SAMC Program Manager (PM) so that they may be kept apprised of situations that could require their immediate assistance and/or attention, the notification of the Commissioner of the IRS, the Chief, Agency-Wide Shared Services (AWSS), the Director of FMSS, and/or other IRS executives.

  6. The WC serves as the security personnel monitoring all incidents and threats Servicewide, to assist in identifying the validity of the data reported. Access incidents to ensure reported incidents are properly addressed.

  7. Watch Standers (WS) are responsible for documenting, reporting, and providing notification of all incidents and threats Servicewide.

  8. The TIRC/PM develops policy and procedures to ensure that proper mitigation and countermeasures are in place for all incidents and threats Servicewide, to ensure the safety of IRS employees and/or facilities.

  9. All employees and managers and/or their designated representatives should be familiar with the physical security incident and emergency reporting procedures.

  10. Through the Occupant Emergency Plan (OEP) as outlined in IRM 10.2.9, Occupant Emergency Planning, the impacted FMSS Physical Security Section Chief will provide managers and designated officials a list of officials and phone numbers for reporting incidents at their location. The list should include appropriate authorities such as Federal Protective Services (FPS), Criminal Investigation (CI), TIGTA, local FMSS physical security point of contact (POC), etc. This list must be updated at least annually or more frequently, when necessary, to maintain accuracy.

Incident Report

  1. All incidents that have been classified as a level 1 incident and/or threat require a Follow Up Incident Report (FUIR). The impacted Physical Security Section Chief is the responsible party for submitting the FUIR. FMSS requires FUIR reports as required or directed by the Agency Official and Threat Information and Critical Incident Response Initiative. The FUIR must be submitted to SAMC within 24 hours of occurrence. All incidents classified as a level 2 or 3 incident and/or threat require a FUIR report at the discretion of the Associate Director within 72 hours.

  2. Incidents involving the inadvertent unauthorized disclosure of Personally Identifiable Information (PII) or of Privacy Act information must be reported to Privacy, Governmental Liaison and Disclosure (PGLD). See IRM 10.5.4, Privacy and Information Protection, Incident Management Program, for detailed information.

  3. Incidents involving the loss or theft of IT assets must be reported to the Cyber Security division as outlined in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

Notification and Response

  1. Facility closures reported to SAMC due to equipment failure, natural disasters, and acts of nature or severe weather will be reported to the FMSS WC and the Department of Treasury Operations Center (TOC). Reports of closures to SAMC must include a description of the incident, facility impacted by the incident, number of employees affected, the amount of time the facility is expected to be closed, and actions taken by IRS.

  2. Local procedures must be developed at all facilities for notification of appropriate authorities for response, (i.e. FPS, local law enforcement authorities, CI). When feasible, incidents must also be immediately reported to SAMC, the appropriate Senior Commissioner’s Representative (SCR) or designated official, and the local Security Section Chief as soon as the incident is under control, (i.e. appropriate emergency response personnel are notified and the safety of employees is assured). Managers or their designated representative will ensure the incident was reported to the SAMC and the local FMSS physical security office. For those offices located in a US Postal Service building, the Postal Inspector must also be notified.

    1. FMSS WC and/or local FMSS Physical Security Section Chief will provide updates on incidents to the FMSS Territory Manager, FMSS Associate Director, TIRC/SAMC PM, and the SAMC WS until the incidents are completed and/or terminated.

  3. All physical security incidents must be reported to the SAMC within 30 minutes of incident discovery, or when it is safe to do so. SAMC operates 365 days a year, 24 hours a day, seven days a week. Incidents may be reported to the SAMC through any of the following methods:

    1. Incident Reporting Form (SAMC website portal) at http://gdi.web.irs.gov/archibus/schema/ab-products/gdi/samc/csi_samc_reporter_report_incident.axvw

    2. telephone at 202-317-6124 or

    3. toll free hotline at 1-866-216-4809

    4. fax at 202-317-6129

    5. e-mail at samc@irs.gov

      Note:

      Although it is not always possible, the web site portal is the preferred method for reporting incidents to the SAMC.

      Note:

      When using the web portal, select the actual incident type from the category list.

  4. Threats against, or assaults upon IRS employees and facilities are also required to be reported to TIGTA. TIGTA is the only investigative agency with jurisdiction to investigate internal and external attempts to interfere with tax administration as outlined in RRA 98, 26 USC 7608 (b), and (Public Law 105-206) or The Internal Revenue Service Restructuring and Reform Act of 1998.

  5. Facility closures reported to SAMC will be reported to the FMSS WC who will report facility closures due to equipment failure, natural disasters, acts of nature or severe weather to the Department of the Treasury, Office of Emergency Programs (OEP) through the Treasury portal. Reports must include a description of the incident, facility impacted by the incident, number of employees affected, the amount of time the facility is expected to be closed, and actions taken by IRS.

    1. Facility closures affected by equipment failure, natural disasters, acts of nature or severe weather for the NCR are reported by the SCR. Any other incidents requiring submission of a report to the OEP office must be submitted by the Continuity Operations Program Office and SAMC.

Incidents

  1. A list of incidents that must be reported to SAMC is provided in Exhibit 10.2.8-1, Incidents to be Reported to SAMC. The list of incidents is not all inclusive but will help provide a basis for determining which incidents must be reported. Contact SAMC for further guidance if you are unsure as to whether to report an incident. When there is doubt as to whether an incident should or should not be reported, the incident should be reported to the SAMC. It is the employee’s obligation and responsibility to report security incidents through the prescribed IRS incident reporting process, even if instructed not to report by an investigative agency.

  2. All physical security incidents must be reported to the SAMC within 30 minutes of incident discovery, or when it is safe to do so. Through coordination with the SAMC, a written report must follow the initial report.

  3. Any incident requiring the evacuation or closing of an IRS facility due to an impending threat, either natural or man-made is considered significant. In addition to SAMC, FMSS Territory Managers and/or WC must also report significant incidents immediately to the FMSS Director by telephone. This initial notification is intended to provide forewarning of impending threats and/or situations.

  4. There may be incidents that are not listed in Exhibit 10.2.8-1 but may be considered sensitive or high profile. When there is doubt as to whether an incident should or should not be reported, the incident should be reported to the SAMC. The WS will consult with the WC and the TIRC/SAMC Program Manager for guidance.

  5. When reporting incidents to the SAMC and to the local FMSS office, at a minimum, the following information must be provided:

    1. time and date of incident

    2. name of facility/office

    3. address of facility/office

    4. details of what occurred (who, what, when, where, how, and if possible why)

    5. who was notified (FPS, TIGTA, local authorities, senior management, etc.)

    6. approximate number of IRS employees affected

    7. whether the facility has been evacuated or closed (including the number of downtime minutes/hours)

    8. point of contact or a person's name in the event there are follow up questions

Incident Notifications

  1. Personnel identified for their role in security matters or continuity of operations responsibilities within the IRS will be notified of incidents and/or threats to ensure the safety of IRS employees, facilities and infrastructure.

  2. Any incident requiring the evacuation or closing of an IRS facility due to an impending threat, either natural or man-made is considered significant. In addition to SAMC, FMSS Territory Managers and/or WC must also report significant incidents immediately to the FMSS Director by telephone. This initial notification is intended to provide forewarning of impending threats and/or situations.

Notification Lists

  1. Notifications will be sent to the Senior Executive Team (SET), local FMSS physical security personnel, and designated response personnel with responsibilities to receive incident and threat notifications from the Situational Awareness Management Center identified by their Agency Official. Designated response personnel will be responsible for forwarding the incident/threat to the responsible party within their division if applicable.

  2. Due to law enforcement data collected, some incident information will not be disseminated or disclosed outside of FMSS and/or TIGTA. Any use, interference with, disclosure or copying of this material is unauthorized and prohibited.

Incidents To Be Reported To SAMC

This list encompasses examples of situations that should be reported to SAMC. The list includes examples of incidents and/or threats (direct, indirect, implied), office closures, loss of ID media, disruptive/disgruntled taxpayers and employees. This list is not all encompassing and can change as threats to the IRS change. When there is doubt as to whether an incident should be reported to SAMC, the incident should be reported.
INCIDENT
Alarm activations (duress, fire and perimeter)
Arson or a fire with injury or a disruption of IRS operations
Attack on IRS infrastructure
Attack or assault against IRS employees
Attack or intentional destruction of an IRS facility or group of facilities
Attempted entry to a facility with a prohibited weapon
Bombing or explosion
Bomb threat (verbal, telephonic, by letter or email)
Burglary of IRS property
Civil disturbances resulting in aggression or violence on the part of the demonstrators
Continuity of Government Readiness Condition (COGCON) level change (1/2/3/4)
Communications check
Corrupt interference/harassment
Counterfeit currency
Closed Point of Dispensing (CPOD) activation
Damage or destruction (inadvertent/accidental) to government property (includes graffiti)
Death of an employee or taxpayer while on IRS property
Delayed facility openings - due to severe weather, or utility/equipment failure
Demonstrations
DHS alert level activation (green, yellow, orange, red)
Disruptive or disgruntled taxpayer (yelling/uncooperative)
Employee altercation - verbal and/or physical
Employee injury incident
Equipment failure
Exercises (fire drills, evacuation drills, SIP drills, table top exercises)
Facility closures due to equipment failure (HVAC, water, electricity, etc.)
Facility closures due to severe weather (tornados, hurricane, snow, etc.)
Facility closures not resulting in facility closure - OTHER (e.g., partial facility closure or disruption)
Fire (with or without injury/disruption of service)
Found property (IRS assets)
HAZMAT incidents (biological/chemical)
HAZMAT incidents (infectious disease) with no overt or implied threat or injury toward the safety of employees or IRS facility
HQ Continuity Operations (COOP) team activation
Ill/sick employee or taxpayer - Illness has spread to multiple people having an impact on the IRS
Incidents resulting in injuries to taxpayers
Influenza (FLU) - Illness has spread to multiple people having an impact on the IRS
Intelligence threat advisory (threat assessment)
IRS scam complaint (non-IRS employee subject)
Loss of remittance with no known PII disclosed data
(Loss of remittance with PII disclosed should be reported to PGLD. See IRM 21.3.4, Taxpayer Contacts, Field Assistance for additional information.)
Loss or compromise of Classified Information (National Security Information)
Loss or theft of building access card, building or room keys, legacy ID card, pocket commissions, SMART ID, government property or equipment, sensitive data
Loss or theft of sensitive data (high impact and/or high risk)
Natural disaster (hurricane, tornado, severe snow, flooding, etc.)
Other - Employee reported incident when employee is acting as private citizen and there is no known nexus to their position with the IRS
Parasitic invasion (examples: bed bugs, lice, tick, mice, etc.)
Partial day facility closure - due to severe weather or equipment failure
Physical altercation (employee and/or taxpayer)
Possession (illegal)/discovery of a controlled substance
Power outages
Real world event (no impact to IRS employees or operations)
Robbery of an employee and/or of a taxpayer on IRS property
Shelter-in-Place (not a drill)
Statements by individuals of support of violence to IRS employees and/or facilities
Statements by individuals of sympathy with radical groups
Statements - Inappropriate
Suicide threats - by employee or taxpayer with no nexus to an IRS facility or concern for the safety of IRS employees or facilities
(Suicide threats by a taxpayer must also be reported to PGLD.)
Suicide threats - nexus to an IRS facility (by employee or taxpayer when an overt or implied threat is made toward the safety of employees or an IRS facility - whether they can carry out the threat or not)
Suspicious activity (photographing or surveillances of IRS property; Non-nexus related events/incidents at Federal Buildings or IRS shared locations)
Suspicious packages (resulting in a disruption of IRS operations or negative finding)
Taxpayer complaint
Theft - of government property, personal property, a lockbox, tax remittance
Threat against IRS employees
Threat against IRS infrastructure
Threat of government property (IT)
Threat on an IRS facility or group of facilities
Unauthorized entry to a facility and/or property (trespassing)
Unsecured property or facility
Vehicle accidents on government property (with or without injuries)
Verbal/written threat (involving an employee or taxpayer)
Weapon discharge
Workplace incident - disruptive/disgruntled employee (physical and/or verbal altercations)
Workplace incident - incident requiring minimal law enforcement, FMSS or senior IRS management mitigation
Workplace violence - Physical altercation between employees or between an employee and a taxpayer
This list is not all encompassing. For a real-time list of incidents, visit the SAMC reporting site: http://gdi.web.irs.gov/archibus/schema/ab-products/gdi/samc/csi_samc_reporter_report_incident.axvw