- 10.2.11 Basic Security Concepts
- 10.2.11.1 General
- 10.2.11.2 Basic Security Concepts
- 10.2.11.2.1 Responsibilities
- 10.2.11.2.2 Facility Security Committee (FSC)
- 10.2.11.2.3 Facility Security Level Determinations
- 10.2.11.2.4 Photography and Video Recordings Prohibition
- 10.2.11.2.5 Facility Security Risk Management
- 10.2.11.2.6 Facility Security Plan
- 10.2.11.2.7 Limiting and Controlling Access
- 10.2.11.2.8 Safeguard Functions
- 10.2.11.3 Building Structure and Location
- 10.2.11.4 Interior Space Planning - Open Office Concept
- 10.2.11.5 Alternative Duty Stations - Telework
- 10.2.11.6 Sensitive Areas
- 10.2.11.7 Facility Security Level (FSL) IV Protective Measures
- 10.2.11.7.1 Perimeter Security
- 10.2.11.7.2 Vehicle Identification
- 10.2.11.7.3 Interior Security and Control
- 10.2.11.7.3.1 Security Assurance and Maturity Access Levels
- 10.2.11.7.4 Limited Area
- 10.2.11.7.5 Controlled Area
- 10.2.11.7.6 Remittance Processing Areas
- 10.2.11.8 Facility Security Level (FSL) V Protective Measures
- 10.2.11.9 Post of Duty (POD) Protective Measures
- 10.2.11.9.1 Teller Operations
- 10.2.11.9.2 Protection of Mail
- 10.2.11.9.3 Handling of Suspicious Mail and Packages
- 10.2.11.9.4 Computer Rooms
- 10.2.11.10 Off-Site Facilities
- Exhibit 10.2.11-1 Categories of Vulnerability Levels
- Exhibit 10.2.11-2 Vulnerability Ratings
- Exhibit 10.2.11-3 SAFEGUARDS and Their Related Protection Functions
Part 10. Security, Privacy and Assurance
Chapter 2. Physical Security Program
Section 11. Basic Security Concepts
August 04, 2016
(1) This transmits revised Internal Revenue Manual (IRM) 10.2.11, Security, Privacy and Assurance, Physical Security Program, Basic Security Concepts.
(1) On October 1, 2014, Real Estate and Facilities Management (REFM) merged with Physical Security and Emergency Preparedness (PSEP) to create Facilities Management and Security Services (FMSS). This IRM was updated to reflect current organizational titles, scope, definitions and terminology.
(2) Revised to update Interagency Security Committee (ISC) and National Institute of Standards and Technology (NIST) terminology.
(3) Added context from interim guidance memorandum, AWSS-10-0815-0001, which updated policy for handling suspicious mail and packages procedures found in IRM 10.2.11.11.3, “Handling of Suspicious Mail and Packages”. Included the requirements to post site-specific suspicious mail handling procedures.
(4) The re-designation of security areas (formally referred to by the IRS as" 'Restricted" or "Secured" areas/space to "Limited" and "Controlled" areas/space) which is consistent with the NIST designations.
(5) Changed IRM 10.2.11.2.5 name from “Risk Management” to “Facility Security Risk Management”. Revised to reference current ISC standards for conducting risk assessments and to reinforce to employees that all ISC standards should be addressed in the risk assessment reports.
(6) Removed IRM 10.2.11.2.2, “Security Concepts”. The information is outlined in the ISC.
(7) Added context from interim guidance memorandum, AWSS-10-0815-0002, which updated policy for visitors entering a child care facility. Updated policy for the risk assessment program to distinguish which facilities, such as child care centers, parking lots and storage facilities, require a FPS risk assessment and which ones, such as IRS employee-occupied facilities, require a FMSS office risk assessment found in IRM 10.2.11.8, “Sensitive Areas”.
(8) Added context from interim guidance memorandum, AWSS-10-0815-0003, which updated policy for the risk assessment program found in IRM 10.2.11.2.5, “Facility Security Risk Management”. Revised to require all IRS Risk Assessment reports will be retained until such time as a new report is completed by FMSS Physical Security staff.
(9) Updated the risk assessment completion time lines.
(10) Revised Level IV and V to remove specific facility names in favor of Level IV and V requirements.
(11) Changed IRM 10.2.11.2.4 name from “Photography and Audio Recordings Prohibition” to “Photography and Video Recordings Prohibition”. Revised to clarify procedures regarding the use of cameras in IRS space.
(12) Added IRM 10.2.11.2.2, “Facility Security Committee (FSC)”.
(13) Removed IRM 10.2.11.2.7.2, “Methods of Dissemination”, information is no longer relevant.
(14) Removed IRM 10.2.11.3, “Physical Security Planning Guidelines”.
(15) Removed IRM 10.2.11.4, “External Environment”.
IRM 1.15, Records and Information Management
IRM 1.4.6, Managers Security Handbook
IRM 10.2.5, Identification Card
IRM 10.2.9, Occupant Emergency Planning
IRM 10.2.12, Security Guard and Explosive Detector Dog Services
IRM 10.2.14, Methods of Providing Protection
IRM 10.2.15, Minimum Protection Standards (MPS)
IRM 10.23.2, Personnel Security
IRM 6.800.2, Employee Benefits, IRS Telework Program
Steven M. Artise
Facilities Management and Security Services
Agency-Wide Shared Services
Security protection should be provided through design, technology and procedural controls and must also incorporate physical, data, and space management requirements during the development, and planning phases of a facility. There are many security safeguards from which a viable security program may be developed to protect the property and personnel within a site or facility.
Due to physical, operational, and financial limitations, absolute security is neither possible or practical. Therefore, the approach to physical security offered herein is a practical approach to protect information, facilities, property and personnel by employing a combination of measures to Deter, Detect, Deny, Delay, Defend/Respond to unauthorized entrants and to preserve the environment in which the IRS mission may be carried out without disruption.
In addition to providing safeguards to control unauthorized access, a well balanced security program must provide measures to protect IRS facilities and personnel from threats that may cause property damage or risk to life. Such measures are included in IRM 10.2.9, Occupant Emergency Planning.
The options available to Deter, Detect, Deny, Delay, Defend/Respond to unauthorized entrants and the required Minimum Protection Standards (MPS) for certain types of IRS facilities and operations are contained in IRM 10.2.11.2.8, Safeguard Functions.
Interagency Security Committee (ISC) standards should be applied as a minimum security standard. IRS protection requirements may exceed the ISC minimum standards if appropriate.
This IRM establishes security guidelines for the reasonable protection of employees, tax information, infrastructure, property, and facilities against disclosure, loss, damage, or destruction without unnecessarily restricting or interfering with operations. It also provides instructions on the minimum security standards for the IRS and serves as a procedural and technical guide for security personnel. It includes optional methods for providing security under varying local conditions, provides for specific items requiring protection and identifies the various methods for protection.
This IRM includes the physical security requirements for the federal tax administration system as administered within the IRS. This includes all IRS facilities (National Office, posts of duty, processing centers, computing centers and other IRS offices or space).
The Chief, Agency Wide Shared Services (AWSS), is authorized to prescribe the basic security concepts for use within the IRS.
The Director, Facilities Management and Security Services (FMSS), is responsible for oversight of this IRS program.
The FMSS Associate Director, Security Policy, is responsible for planning, developing, implementing, evaluating, and controlling this Physical Security program.
FMSS Associate Directors, Operations, are responsible for ensuring that offices are in compliance with IRS policy and for providing guidance, oversight and assistance to their territory offices on the security program.
FMSS Territory Managers (TM) are responsible for implementing, evaluating and managing the local physical security program and for providing guidance, oversight and assistance to client sites.
The Business Units are responsible for implementing, in accordance with policy requirements, the effective physical security programs within their functional areas and for notifying the local FMSS staff of any proposed physical security program changes within their functional areas.
Managers are responsible for providing security for all information, documents, and property with which they are entrusted, for complying with all minimum security standards in IRM 1.4.6, Managers Security Handbook, all local physical security requirements, and for reporting any violations to the local FMSS Physical Security staff. Managers must ensure that the security measures required for protecting information, property, and life are applied within their area of supervision and that those measures meet the established minimum security standards.
All employees are responsible for providing security for all information, documents and property with which they are entrusted, for complying with established security procedures, all local security requirements, and for reporting any violations to their manager or to their local FMSS Physical Security staff.
The Facility Security Committee (FSC), is a committee consisting of representatives of all federal tenants in the facility, the security organization (for example: Federal Protective Service for General Services Administration (GSA) owned and operated facilities). An IRS FMSS physical security representative must be appointed to and participate as a member of the FSC established for each building.
The FSC is responsible for addressing the facility-specific security issues outlined in the facility security assessment and approving the implementation of security countermeasures and practices recommended by the security organization. The implementation may be a combination of operational, procedural and/or physical security measures based on the Facility Security Level (FSL) determination, and the Level of Protection (LOP) that are deemed appropriate and achievable.
As outlined in the ISC FSC standards, if a single federal tenant occupies a facility, they have the option to use this standard or other internal procedure to determine what security countermeasures are implemented, how funding is provided and what risk is accepted.
Minimum security levels must be established for each facility. The FSL is based on the characteristics of each facility and the federal occupant. The initial FSL determination for newly leased or owned space will be made as soon as practical, after the identification of a space requirement (including succeeding leases). Each facility will be designated Level I, II, III, IV, or V in accordance with the ISC Standards, and appropriate security measures must be implemented.
The five factors quantified to determine the FSL are mission criticality, symbolism, facility population, facility size, threat to tenant agencies, and includes intangible factors.
To determine the FSL the ISC FSL Matrix should be utilized. The FSL matrix is comprised of five equally weighted security evaluation factors with corresponding points of 1, 2, 3, or 4 allocated for each factor.
A Level V designation necessitates implementation of extensive security measures. IRS facilities identified as critical infrastructure and those housing critical infrastructure and key resources must be designated and protected as Level IV, at a minimum.
Taking photographs within or recording images of the inside of Treasury bureau facilities is prohibited except when specifically authorized by FMSS Physical Security. Taking photographs of external features of a facility or other property which provides information not accessible to the public must be reported to local FMSS Physical Security staff, the Treasury Inspector General for Tax Administration (TIGTA), and Federal Protective Service (FPS). Photography means any physical or electronically recorded image, including still photographs, x-ray images, video or recordings.
In compliance with ISC and Treasury requirements, the IRS has established minimum security standards and requirements for the protection of IRS facilities, personnel and information. These standards are based on possible threats and identified countermeasures that could minimize the impact of an occurrence. Periodic risk management assessments provide Physical Security staff and management officials with information on the effectiveness and appropriateness of existing standards and countermeasures, identifies risks, recommends additional upgrades, as needed, and provides guidance on how best to implement approved recommendations.
Evaluation of the risk is the first step in determining the degree of security required for a particular facility. Security measures should be relative to the type of risks to which the facility and its contents are exposed, the probability that these risks will occur, and the impact that an occurrence would have on the organization.
As directed in the ISC standards, risk assessments will be conducted at the following intervals, at a minimum: Level III, IV and V facilities, every three (3) years; and Level I and II facilities, every five (5) years. If the security posture has been enhanced by the addition of security countermeasures, those enhancements should be noted in the succeeding report based on recurring cycle. All facilities will follow the ISC recurring cycle for completing subsequent Risk Assessments (RAs) of every three or five years or more frequently, if circumstances warrant and/or when the following conditions have occurred:
Change in location
Major building renovation
Increase in significant incidents and/or
Change in the mission of the businesses located at the facility
FMSS Physical Security staff will perform an RA at all locations where IRS employees are assigned. The RA must be performed within 6 months of occupying the facility or space. IRS will not conduct assessments for child care centers, credit unions or parking lots not within IRS controlled perimeter and/or facility access. FMSS will perform an RA in accordance with ISC criteria. All IRS RA reports will be retained by the local Physical Security office until such time as a new report is completed by Physical Security staff.
Federal Protective Services (FPS) will perform an RA at child care centers, credit unions or parking lots that are not within IRS controlled perimeter and/or facility access.
The RA process will include the following steps:
Evaluation of the risk - determining the degree of security required at the facility based on the likelihood of an occurrence happening
Vulnerability assessment - potential impact of an occurrence and vulnerability (attractiveness of target and level of deterrence provided by established countermeasures) of the facility to an occurrence (see Exhibit 10.2.11-1, Categories of Vulnerability Levels)
Risk analysis - evaluation of potential risk to a facility from a given threat based on the impact of loss and vulnerability ratings (see Exhibit 10.2.11-2 Vulnerability Ratings)
Recommendations – recommended countermeasures and cost (installation, operating cost, etc.)
All RA documents are considered Sensitive But Unclassified (SBU). All RA documents must be handled in accordance with requirements outlined in Treasury Directive Publication (TDP) 15-71 and IRM 1.15, Records and Information Management.
The Facility Security Plan (FSP) provides summary information used to describe all significant Safeguards and Security programs at applicable sites and facilities occupied by IRS employees and contractors. The FSP will be completed for each IRS facility, including computing centers, campuses and critical posts of duty (POD). The FSP documents the implementation of Federal Information Security Management Act (FISMA) Physical Security and Environmental (PSE) Control as prescribed within the National Institute Standards and Technology (NIST SP 800-53), TDP 15-71, and ISC criteria. Development and maintenance of the FSP is directed in TDP 15-71 Security Manual and the ISC standards.
The intent of the FSP is to outline the protection plan in place at IRS occupied facilities and provides a snapshot of the actual security measures in effect for several security disciplines - physical, IT, environmental, media protection, etc. This requires coordination and cooperation of all business units (BU) responsible for each discipline. The description of how those programs are implemented should be contained in site and facility procedures, directives, supplemental orders or other authoritative documentation.
In accordance with ISC standards, at a minimum, the FSP must be reviewed annually and revised as necessary. Documents must be marked as SBU and must identify the following:
Roles and Responsibilities of FMSS Physical Security staff
Personnel Security (PERSEC)
Physical Security Environmental Protection Policy and Procedures
Limiting Access - The basic principle of security within the IRS or anywhere, is to limit access to assets based upon need. When protecting information, for example, access to documents should be "limited" to those persons with a need to know the information. When the asset to be protected is a room, an area, a building, a computer, or other such property, access to that property should be restricted to those persons who, due to their official duties and/or responsibilities, have a need for such access.
Whether a person needs to access an asset will depend upon whether that access is necessary to enable the person to perform his/her assigned duties and responsibilities. Management is responsible for determining such a need and for subsequently deciding to grant or deny access. Once this determination has been made, management should consult the servicing FMSS Physical Security staff for assistance in selecting the appropriate method of achieving the desired control. IRS officials, managers, and Contracting Officers' Representatives (COR) who have responsibility for programs and operations within a facility are authorized to have card access to the facility and interior space where their employees and/or contractors would be performing work. This enables the oversight and management of employees, contractors and processes to include unannounced site visits and inspections. Managers and COR should be placed and remain on the daily access roster as long as they are responsible for business functions within the facility/campus.
Controlling Access - Access will be controlled by ensuring that employees, contractors, and visitors entering IRS facilities are screened in accordance with ISC standards.
Visitors are restricted from entering into IRS space unless they have a justified business need approved by the local FMSS Physical Security office. Visitors and federal employees employed by other agencies must meet all access requirements as outlined in IRM 10.2.5, Identification Card and IRM 10.23.2, Personnel Security.
Other Federal Agencies - Federal employees employed by agencies other than IRS, sometimes have a need to enter IRS space (e.g. GSA, FPS, and Treasury). Federal agency personnel other than the IRS (e.g. GSA, FPS, and Treasury) who have a business need to enter IRS space may either be escorted or apply for and receive favorable adjudication through the IRS Personnel Security office as determined by the local FMSS Security Section Chief. All official emergency response agencies (Law Enforcement, Fire, EMT, HazMat, etc) are not required to be escorted.
Most of the methods of protection are designed for protection after normal duty hours or at any time the assets to be protected are not under the personal custody of authorized IRS employees.
Because any single safeguard is often insufficient protection for any asset, the concept of layering of safeguards was developed to provide security-in-depth. To facilitate understanding of security-in-depth, the following functions of safeguards are presented.
Deter - The psychological effect which a safeguard or a system of safeguards has upon the potential perpetrator or human originated threat is difficult to measure. One can determine the effectiveness of an alarm by the number of bona fide "catches" it makes, but we can only guess the effectiveness of a safeguard which is designed only or primarily to deter a human being. The best example of a pure deterrent is a sign which identifies a Limited Area. While it would be ideal to have effective security simply by the use of such inexpensive means as signs or lights, it is not practical. A good security program will not rely solely upon safeguards which are only deterrents.
Detect - Many safeguards will automatically provide detection of an unauthorized act. For example, a door may show signs of a forced entry. However, an alarm might give evidence of an attempted surreptitious or forced entry. Depending once again upon the value of the asset, the timing of detection is crucial. Perimeter alarms and alarm activated cameras will help achieve this goal. Such a goal will also require a response by IRS Police Officer (IRPO), internal security personnel, IRS Contract Security Guards, FPS/FPS guards, or local police which will monitor detection devices and respond to them as appropriate. The functions of assessing, identifying, and tracking can be accomplished by closed circuit television (CCTV) systems, alarm systems and entry control systems. The most important of these functions is assessment, since the nature of the unauthorized act (e.g. unauthorized access, theft, robbery, assault, etc.) will influence the nature of the response to that act. In some cases, we may only be able to respond to a threat as it is occurring. While the act has not been prevented, identification of the perpetrator enables the IRS to take appropriate action. The tracking function is most useful for the response force to focus on the current location of the problem or perpetrator.
Deny - The only real way to accomplish this function is to destroy an asset to prevent unauthorized personnel from obtaining it. Clearly, for the IRS, this only pertains to information on paper, microfilm, or magnetic media, etc. which is no longer needed or which is a waste by-product of a tax administration function.
Delay - Ideally, the IRS should be able to deny access to its assets to separate them from human originated threats. But this is not practical since to perform its mission the IRS must allow access to its assets. The objective then is to limit access to authorized personnel at approved times for official reasons. At times when the assets are not in the personal custody of an authorized IRS employee, they should be protected by means which delay as long as practical access by unauthorized persons. Safeguards such as locks, containers and walls will withstand (depending on the type of lock, container, etc.) forced entry and surreptitious entry attempts for a given period of time. This time is, hopefully, enough to discourage most would-be thieves, saboteurs, etc. However, given enough determination and resources (i.e., time, tools, and money) all such safeguards can be breached. If the asset being protected merits more than a deterring and delaying effort, the next function we would add is detection.
Defend/Respond - Ideally, response to a threat in progress is to detect it and to take appropriate action soon enough to prevent it from causing any harm or loss. To achieve this ideal, the delaying safeguard, the detection devices, and the response force must be designed to ensure that the safeguard delays the perpetrator long enough for a detection device to alert the response force and long enough to allow the response force to arrive in time to intervene to prevent access or to prevent a perpetrator from leaving the area with stolen government property or information. An onsite contract security force should respond to a threat condition within 5 minutes and at other buildings (protected with central station alarm systems) within 15 minutes. If this is not possible, then compensating measures must be included in the protective system design to delay an adversary until an effective response can be executed.
Exhibit 10.2.11-3, SAFEGUARDS and Their Related Protection Functions, shows the functions generally performed by certain security devices/techniques. No attempt is made to address the effectiveness of each, as this depends on the quality of the device selected monitoring activities and timely reactionary measures. Conversely, ID media, electronic access control systems, sign in and other audit trail procedures and task separation techniques are generally used during working hours to protect against a potential perpetrator with access.
A security program is enhanced when all managers and all employees are aware of security requirements including the reasons for each of the security requirements they are expected to follow or enforce. Each manager must know the general security requirements, as well as, the specific security measures which apply to their particular area of responsibility. The key to an effective awareness program is to show how the requirements relate to the work in which an employee is involved. For example, awareness efforts directed toward computer room employees should relate to security requirements in a computer room, while those efforts directed toward a tax auditor should relate to protecting the privacy of the taxpayer and the sensitivity to the tax return and return information.
Security awareness programs will, at a minimum, include briefings as specified below:
All employees are required to complete the annual mandatory Physical Security briefing.
All new employees will receive a security orientation within the first week following employment.
All assigned employees will be provided a refresher security orientation outlining site specific measures, protocols and procedures within the first week of returning from non-work status.
Management will inform each employee of special security requirements pertaining to their particular work area or facility when the employee reports to a new manager for duty.
One of the first considerations in establishing a security program for a particular activity is the building in which the activity is located. The number of floors, doors, windows, fire exits, roof vents, the degree of ground level access and adjacent parking facilities, all affect entry control considerations. At processing and computing centers, loading docks, kitchen entrances and boiler room doors are normally more vulnerable points in the building perimeter security; therefore, they should be given special attention and should not be used as routine recurring entrances for the building population. The material structure of the building (interior partitioning, ceilings, and doors) affects the degree of security afforded contents against destruction, theft and unauthorized disclosure. If the building is not entirely occupied by the IRS, the nature of operations conducted by other tenants will affect security in IRS occupied space. A RA must be conducted to determine minimum security requirements. A RA should be completed prior to occupying the building but if that is not possible, a RA must be completed no later than six months after occupancy.
Child Care Centers (CCC) - If CCC are co-located in facilities with IRS controlled perimeter and/or facility access, IRS will ensure that it is protected with a duress alarm capability of servicing only that space. Entry to the CCC will be through a reception room. It is recommended that entry from the reception area to the rest of the CCC will be controlled by an electric lock operated from the reception area. Penetrations from the CCC into IRS space must be mitigated, alarmed, and on an access control system. Appropriate screening of all visitors entering should be in accordance with the ISC standards for that facility FSL determination within which the CCC is located. Refer to ISC Appendix C: Child Care Centers for further requirements. Physical security staff and management must ensure that countermeasures are put in place to minimize risk and ensure that only authorized individuals are provided access.
The open office concept requires different security considerations from the traditional style individual office concept. In open office planning, an entire open area must be treated in its entirety with perimeter security provided that is commensurate with the security needs of the most sensitive operation. During operating hours, entrance areas should be arranged to control visitor access such as channeling visitors to a receptionist.
Because of the increasing costs of office space, construction/alteration and the implementation of the "open office" concept, it is imperative that security considerations be addressed whenever IRS space is designed, acquired, altered or redesigned. A failure to consider adequate security during the early phases of space planning could result in the need for costly modifications after the completion of the project. In "open office" environments, we must ensure that acoustical planning guidelines are considered in order to minimize the potential for inadvertent unauthorized disclosures and to reduce ambient noise to an acceptable level. Security personnel and operational managers must be aware of the acoustical design goals for "open office" planning, and the speech privacy considerations.
All managers will ensure that open office concept plans provide for:
perimeter security commensurate with the needs of the most sensitive operation to be performed in the office.
use of dividers, as appropriate, to separate operational areas and to minimize extraneous traffic.
functional aural and visual privacy to minimize inadvertent disclosures of tax and privacy data.
appropriate storage for items requiring protection when they are not in plain sight of the owner/user and during non-duty hours.
Telework provides employees the opportunity to perform their duties at alternative duty stations remote to the conventional office site (e.g., satellite locations, employee’s residence). The policy of the IRS is to provide the highest level of protection to sensitive data, including taxpayer related information, and to assure that proper controls are in place to secure information that is being processed at satellite locations or in the residences of employees. The standards provided in IRM 10.2.11 will be applied to satellite locations and the home environment. Files containing sensitive IRS information or data will be secured when not in use or not in the possession of the telework employee. Employees are responsible for protecting all government records and data against unauthorized disclosure, access, mutilation, obliteration or destruction.
Certain areas in the IRS require more protection or are considered more sensitive due to one or more of the reasons listed below and should be given special attention during planning. The protection given sensitive areas during construction and redesign will minimize the need for costly safeguards to protect information once the areas become functional. Sensitive Areas:
contain large amounts of cash, negotiable instruments, and valuable property (which can be easily stolen or damaged).
contain large amounts of information requiring protection or in highly concentrated and easily alterable or destroyable form.
have a process or function being performed in the area that is sensitive and must be protected.
have personnel in the area that due to the positions they hold (e.g., executives), the functions they perform, or employees with disabilities that may be subject to potential threats such as assault, hostage taking, robbery, etc.
The following sensitive areas require minimum protective measures:
Computer Rooms - Computer room walls must be slab-to-slab and where feasible should be located in a central building location away from the building exterior, parking garages or top floor locations. Computer rooms will be windowless and lockable with controlled access into the area. Computer rooms are secured, Limited Areas and must meet Limited Area standards. Access must be controlled in accordance with Limited Area standards. Computer rooms must be secured with IDS systems and monitored 24/7.
Tape Libraries - Tape library walls must be slab-to-slab and where feasible should be located in a central building location away from the building exterior. Tape libraries are secured, Limited Areas and must meet Limited Area standards. Access must be controlled in accordance with standards.
Telecommunications Closet - The telecommunications closet walls must be slab-to-slab and must be lockable with access permitted only for authorized personnel.
Mechanical/Electrical Rooms - Security control and power distribution boxes and panels must be located in secured electrical closets. Doors must be key locked, keys controlled and access limited to authorized personnel only.
Armory - Weapons and ammunition storage areas require additional measures that include limiting unescorted access to authorized law enforcement, armed security personnel, authorized contract supervisors, quality control inspectors, FMSS Physical Security COR, policy office quality assurance review personnel, and those with oversight authority. In addition to all ISC protection standards, IRS policy requirements as outlined in IRM 10.2.12, Security Guard and Explosive Detector Dog Services and Programs, and IRM 10.2.15, Minimum Protection Standards (MPS), must be observed. Without exception, all Armories/Arms Rooms must be constructed of ballistic resistant material (e.g. masonry, steel or kevlar materials) including the door, ceiling and floor, that would prohibit an accidentally discharged firearm projectile from escaping the confines of the armory/arms room space endangering the lives of building occupants. Armory /arms rooms cannot be used as office space and should never be occupied by persons except those performing armory duties and functions.
ISC standards for Level IV facilities must be met as a minimum, however IRS can choose to exceed the ISC minimum standards.
Particular attention must be given to developing a well-rounded, sound security program for each Level IV facility.
To provide a minimum acceptable level of protection, the following measures will be implemented at each Level IV facility as appropriate:
Armed uniformed guards
Two-way radio communication capability for guards
Exterior protective lighting
Security glass in all main building entrance doors, sidelights, transoms, and guard houses
Electronic Intrusion Detection System (IDS)
Proprietary protection console, Central Security Control Console (CSCC) for on-site systems monitoring and response
Local emergency exit alarms
Duress alarms (or other means of communication) from console to local guards, police department, or the FPS Mega Center, from fixed posts at building entrances, vehicular entry and/or pedestrian gates to console, and from computer area to console
Computer room doors will be alarmed to detect unauthorized access and will annunciate at the protection console.
Main doors to computer areas and libraries, which may be automatic, electric, or pneumatically powered horizontal bi-parting sliding doors, provided the integrity of the fire-rated wall is maintained
At least one standard single or double set of out swinging doors in computer area
The ISC requires that a FSL IV facility will be protected by a perimeter security fence with appropriate gates to allow pedestrian and vehicular traffic to enter the facility on a controlled access basis. At sites where this is not possible, refer to the ISC guidance on layered protection, mitigating and/or accepting risk.
Initial control for entry into a facility will be exercised at the fence line or other outermost perimeter. Each fence opening will be protected by armed guards when not closed and locked, or CCTV and barriers arms at vehicle entrances. All persons entering the property on foot must be identified through the display of an IRS photo identification card or as an authorized visitor. Persons in vehicles will be permitted to enter if they display (where feasible) the authorized IRS photo identification card and/or vehicle identification media (stickers, decals, hang tags, etc.). Visitors will be directed to the entrance where they will be screened and appropriately processed.
Primary entry control will be maintained at the building perimeter. All doors will be protected by a guard when not closed, locked, and protected by an entry control and intrusion alarm system. All employees entering the building will be identified by an authorized government identification card, SmartID, or Physical Access Card (PAC) in accordance with IRM 10.2.5, Identification Card. All non-IRS visitors will be escorted by their IRS sponsor, unless they are granted staff like access. All visitors will be screened and packages/briefcases will be examined.
In accordance with ISC standards, utilize a parking pass or other similar system to clearly identify authorized vehicles upon entry and while parked. Passes must be visible, numbered, and have an expiration date. Issuance should be managed by the servicing FMSS Physical Security office. Visitor parking must be located as far from the facility as practical. Proper vehicle identification is required for entering controlled parking. This can be accomplished by guards checking ID cards and media (stickers, decals, hang tags, etc.). Vehicle identification media, when used, will meet the following specifications:
Materials used in stickers will be reflective vinyl
Dimensions - 2 3/4″ X 4 3/4″ (minimum)
All printing (including serial numbers) 1 1/2″ high (minimum)
Style of printing - block letters in upper case
Colors may be used to further identify owners of registered vehicles
Media should be designed so that they cannot be reused when removed
The media will be placed so that they can be readily seen by the guard. Stickers/identifiers may be placed on either rear side windows, front or rear windows, or any other prominent location that is compliant with state and local laws.
The FMSS Physical Security office is responsible for development, implementation, maintenance and control of the vehicle identification system.
Records of all media issued and their disposition (i.e. lost, stolen, destroyed) will be maintained by the FMSS Physical Security Services office for a period of 3 years.
Concurrent with the issuance of a vehicle identification, the employee will be informed of the requirement to remove and return the media or remains to the FMSS Physical Security office prior to selling or trading the vehicle, or if that area on the vehicle where the media is affixed is damaged and replaced. In addition, the FMSS Physical Security office must be informed when the identifier is destroyed, lost or stolen.
The identifier will be removed from vehicles of employees who terminate employment.
Identifiers will be replaced at least every two (2) years. Color scheme and designation should be varied each time the identifiers are changed.
Vehicle passes, logs, written advance notice of visits, etc. can be used to authorize access to vehicles of employees, visitors and cleared contractors who have not been issued a sticker by the guard at the parking gate. IRM 10.2.11.9.2(10) provides the recommended system of doing this.
Temporary vehicle passes may be issued to employees who do not have vehicle identifiers, providing they show an authorized IRS identification card. A log will be maintained by the guard showing all of the following information:
vehicle pass number
name of employee
vehicle license number
date of issue
The temporary pass must display the license plate number, expiration date, and permit number. If an employee does not have a proper IRS identification card, their employment status must be verified by checking with the appropriate IRS supervisor. Temporary vehicle passes for employees may not exceed 30 days. If necessary, the permit may be reissued after the 30 day period.
Visitors can be issued a Visitor Vehicle Pass. Visitors must show a picture ID and must be on the approved access list. The vehicle pass may not be used for in and out access, but rather the visitor must show a picture ID and be checked against the access list each time he/she enters. A Visitor Vehicle Pass is valid for the date of issuance only and must be dated.
Temporary Vehicle Passes may be issued to vendors and others requiring access. These individuals must show a picture ID and must be on the approved access list. The vehicle pass may not be used for in and out access and is valid for the date of issuance only and must be dated. The vehicle pass will be recovered by the guard when individuals exit the facility.
If identification of employee vehicles is going to be made by use of the parking permit (that is cannot be adhered to the vehicle to prevent tampering) in lieu of vehicle identification stickers or windshield decals, these permits will show a serial number and the employee must show IRS identification to guard to gain access.
The FMSS Physical Security office will follow the same procedures for the parking permits as are used for stickers or decals for issuance, records maintenance and recovery.
Each Designated Official (DO), in collaboration with the FMSS Physical Security Section will institute such internal controls beyond the minimum as are necessary to properly protect employees, assets, and preserve the confidentiality of the tax return and related documents.
Control of the internal movement of personnel within a facility is necessary to ensure that only authorized IRS personnel are permitted in sensitive security areas. The identification card has been designed to assist management in maintaining this internal control. Unescorted access is not permitted by contractors (including security guards) to interior space that is utilized for any continuity of government mission function or business function as described in IRM 10.2.11, Basic Security Concepts.
The need to maintain security at all times requires that only authorized visitors be permitted to enter the facility. Granting access to interested non-tax related individuals or groups for purposes of orienting them with operations are not authorized. Official visits by individual tax preparers, tax accountants, news media representatives and other professional tax oriented individuals and groups may be permitted at the discretion of the facility director and in accordance with local FMSS Physical Security procedures.
Security Assurance and Maturity Access Levels are types of security areas, formally referred to by the IRS as Restricted or Secured Areas.
The IRS must make a risk based mitigation and adhere to standards recommended by the National Institute of Standards and Technology (NIST). Per NIST SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), agencies are permitted to incrementally enable Smart-ID access points. The model is identified in terms of maturity levels in NIST SP 800-116.
The designation of Limited Area, formerly called Restricted Area, is a method of controlling the movement of individuals and eliminating unnecessary traffic through sensitive security areas, thereby reducing the opportunity for unauthorized disclosure or theft of tax information.
A SmartID card containing the "R" indicator must be worn at all times by all personnel within each Limited Area as outlined in IRM 10.2.5, Identification Card.
Admittance to a Limited Area is permitted only on a valid business need. Limited Areas include, but are not limited to:
Any space housing Continuity of Operations (COOP)
Computer Media Safe/Vault
Computer Room Command Center
Computer Tape/Media Storage Library
IDF (Intermediate Data Frame)
Micro/Mini Computer Room
Receipt and Control
Remittance Processing (RPS)
Sensitive Compartmented Information Facility (SCIF)
Situation Awareness Management Center (SAMC)
A controlled area is not a Limited Area; however, it requires controlled entry access with one part authentication (access card or manual combination). Only personnel assigned to work in that area and other personnel designated by the responsible BU are authorized unescorted access into a controlled area. All visitors entering a controlled area must be escorted by personnel with authorized unescorted access into a controlled area.
Controlled Areas include, but are not limited to:
Alarm Panel room/closet
Central Security Control Console (CSCC)
Other similar facilities designated for controlled access by the responsible BU
The entire area will adhere to Limited Area security criteria. Keys and lock combinations to cash drawers, cash boxes and the security containers will be strictly issued and controlled as outlined in IRM 10.2.14, Methods Of Providing Protection.
The remittance clerk will:
lock the cash drawers and remove the key when leaving the area.
empty the cash drawers and store cash boxes in an appropriate container at the end of each work day.
The activities performed at Level V facilities are unique and vital to the mission of the IRS. The nature and significance of Level V facility operations require the implementation and maintenance of a sound physical security program.
To provide a minimum acceptable level of protection, ISC FSL criteria must be met as well as all other requirements outlined in this section. The requirements outlined in this section will be implemented and maintained at all Level V facilities.
While some Level IV facilities may have interior space that is designated by IRS as Level V, such as Automated Data Processing (ADP) Computer Rooms, this section applies to facilities and campuses with Level V designation throughout. The five factors quantified to determine the FSL are; mission criticality, symbolism, facility population, facility size, threat to tenant agencies, and includes intangible factors. Additionally, all facilities that house, in addition to IRS mission critical ADP Processing and/or tax processing, at least seven (7) of the following business functions are considered Level V throughout:
Treasury Departmental Office Continuity relocation space
Treasury or IRS Continuity or Business resumption assets
Continuity plans that included relocation of high level government officials, agency heads, and/or senior leadership in the event of a national emergency to ensure Continuity of Government
Conducts government business at a classified, Secret, or Top Secret level with National Security nexus
Campus/Facility serves as a Sensitive Compartmented Information Facility (SCIF) for government operations
Serves Treasury, Treasury Office of Continuity (TOC) or IRS Situation Awareness Management Center /Threat Response Center (SAMC/TRC) functions
Houses sensitive TIGTA assets
Houses and supports sensitive IRS Criminal Investigation Division (CID) assets/operations
Houses IT/research, analysis and statistics assets with Congressional responsibility
Houses Financial Crimes Enforcement Network (FinCEN) sensitive assets and provides logistics and support to the FinCEN mission and continuity functions
Houses U.S. Department of the Treasury, Departmental Office (DO) staff as a permanent POD conducting Treasury emergency/mission critical functions
All facilities designated as Level V are to be protected by Internal Revenue Police Officers (IRPO) and may be augmented by contract security officers.
The facility will be protected by a perimeter security fence which meets the GSA P100 Facility Standards criteria, with appropriate gates to allow pedestrian and vehicular traffic to enter the facility on a controlled access basis. At all times when fence gates are open, uniformed, armed security guards will monitor each opening to ensure against unauthorized entry.
Initial control for entry into a Level V facility will be exercised at the fence line. Each unlocked gate will be protected by a uniformed officer. All persons entering the property on foot must display an IRS photo identification card or be identified as an authorized visitor. Persons in vehicles will be permitted to enter if they display an authorized IRS photo identification card or if the uniformed officer has their name on an access list. Vehicle identification stickers, decals, or cards are not required. Visitors must show photo identification (such as a driver’s license) to verify identity.
Control of the internal movement of personnel is necessary to ensure that only authorized IRS personnel are permitted in sensitive areas. The personnel identification card has been designed to assist management in maintaining this internal control.
The local FMSS Physical Security office, in accordance with FMSS Identity Credentials & Access Management (ICAM) and other applicable Treasury and IRS policies will administer the personnel identification card program which will permit entry only to authorized personnel. This system is also designed to assist management in controlling movement within the facility.
Requests for tours of the facility should be made in writing and sent to the FMSS Physical Security Section Chief. The tour participants must be listed in the request and identities confirmed through the use of a photo ID at the onset of the tour. Tours of the facility (except the computer area) require the approval of the director of the facility.
Tours of the computer area require approval of the Chief of IT Systems Operations Branch in addition to the FMSS Physical Security Section Chief and facility director. A senior official must conduct the tour.
To ensure that a POD is properly protected, careful planning is necessary to ensure that appropriate protective measures are in-place and tailored to the facility's specific mission, threat, and functional requirements. Each POD varies greatly in size and function, so each requires close examination for tailored security countermeasures. The function of the office, the type of records maintained, the equipment in the POD, the size, population, if visitors frequent the facility, etc., are all determining factors to consider when planning security. The need for security guards, alarms and other electronic security countermeasures, limited and other type security areas will be evaluated on a case-by-case basis. The results of the facility RA is the most critical factor in the security evaluation and planning process.
Certain minimum security measures are required to protect currency and other negotiable items received by the teller. These measures include the following:
The teller operation may be located in the same area as other taxpayer assistance operations, however, direct access to the teller area will be physically limited by bank-type counters, counter-high partitions, lockable half-doors, or some similar type of construction that provides equal protection. When this operation is located on the ground floor of a building with windows to the exterior grade level, windows will be alarmed.
The exact construction of the teller area and the type of security container needed will depend on the average daily receipts, the location of the IRS office and other appropriate security considerations. For this reason, FMSS will be consulted before making any changes to the teller area.
The use of appropriate duress alarm systems must be considered for these areas. The alarm will annunciate at the control center (FPO, local police, etc.) or may alarm in the TIGTA or the IRS CID function if that office is located on-site and has a response team available.
Money chests, vaults or cabinets affording adequate security must be available for deposit activities in a designated area of the office.
Each teller will be provided with a separate money bag, cash box, or compartment (depending on the protective facilities used) which opens with a separate key or combination. Each teller may also be furnished with the combination to the safe.
Excess currency will not be kept in the teller area. As often as business permits, currency in excess of the change making fund will be transferred to a security container. It is preferable to have this located in a room away from the teller area. However, if this cannot be accomplished, the FMSS Physical Security staff will be consulted for assistance in determining the most secure alternate location.
Whenever a teller operation area is left unattended, tellers’ cash drawers or boxes must be locked in the safe and all protectable items must be containerized. During a teller’s brief absence, when the area is unattended, that teller’s cash drawer or box must be locked and the key removed.
Cash drawers will be emptied, and cash boxes stored in the security container at the end of each workday.
After the balancing operation has been completed, the cash must be kept in a locked container to wait deposit. The key to that container should be held by the teller’s immediate supervisor.
Keys and lock combinations for cash drawers, cash boxes and the security containers will be protected, controlled and changed.
If it becomes necessary to open a teller’s locked compartment in the absence of the teller, the manager will select two responsible employees to use the duplicate key or combination. They must count the money and documents found, sign the statement and attach it to the receipt that the teller previously signed for the change fund.
The duplicate keys to tellers’ cash containers and the copy of the combination to the safe or vault are not to be in the possession of the same employee.
Managers will make unannounced reviews of the physical and fiscal security of teller operations in accordance with IRM 1.4.6, Managers Security Handbook.
"Received" and "Received with Remittance" stamps will be assigned to specific individuals and a record kept by serial number of each assignment. The number of stamps in each office will be held to a practical minimum. Each individual assigned a stamp should furnish sufficient physical protection to safeguard against unauthorized or indiscriminate use. When a stamp is not in use, it will be stored in a locked container under the exclusive control of the individual to whom the stamp is assigned. Where this is not practical, special care must be exercised to ensure against unauthorized use. The face of each stamp will be inscribed with the following elements:
"Internal Revenue Service"
the Month, Day and Year
the stamp's serial number
Incoming mail, not being distributed or processed, will be stored in a secured area or in locked containers when possible. Mail, incoming and outgoing, will not be left unattended in areas open to the public.
In accordance with ISC guidelines and procedures, mail should be opened in centralized or officially designated mail opening areas. All designated mail rooms and mail opening areas must have Safe/Suspicious Mail Handling and Incident Reporting procedures posted for all mail opening employees and/or contractors to view. At a minimum, the following guidance and procedures will be posted within the mail opening area and employed when handling suspicious mail and packages.
Features of a suspicious package are:
packages with soft spots or lopsided
packages wrapped with string
packages containing distorted handwriting
packages that have leaks, stains, powders, or protruding materials
packages containing no or excess postage
packages containing an odor
Procedures to be followed when handling suspicious letters and packages:
Do not open the letter or package
Do not shake or empty contents of package
Do not carry the package to show it to others
Make a list of all persons who touched the package
Put the package on a stable surface
Do not touch your eyes, nose, or other body parts
Isolate the package and secure the room
Wash your hands with soap and water
Reporting the incident:
Call first responders for your respective office (local guard service)
Report to your manager and call 911
Contact FPS at 1-877-4FPS-411
Contact TIGTA at 1-800-589-3718
Report to SAMC within 30 minutes of incident discovery
Incidents may be reported to SAMC through any of the following methods:
SAMC Web-site link http://gdi.web.irs.gov/archibus/schema/ab-products/gdi/samc/csi_samc_reporter_report_incident.axvw
Telephone: 202-317-6124 or 1-866-216-4809
E-mail at firstname.lastname@example.org
Computer rooms will be slab-to-slab and where possible should be located in a central building location away from the building exterior, parking garages or top floor locations. Computer rooms will be windowless and lockable with controlled access into the area. Computer rooms are secured Limited Areas.
Protection provided to off-site facilities, such as satellite buildings, and/or storage facilities, associated with Computing Centers and/or Campus locations, will depend on the use that is made of the space. The need for security guard service, electronic protective systems, Limited Areas and other type of secured areas will be evaluated on an individual basis.
|The vulnerability assessment considers the potential impact from a successful attack, as well as the vulnerability of the facility/location to attack. A key component of the vulnerability assessment is properly defining the ratings for impact of loss.|
|Devastating||The facility is damaged beyond habitation. Most items/assets are lost, destroyed, or damaged beyond repair restoration.|
|Severe||The facility is partially damaged or contaminated. Some items/assets are damaged beyond repair/restoration, but the facility remains mostly intact.|
|Noticeable||The facility is temporarily closed or unable to operate without an interruption of more than one day. A limited number of items/assets may be damaged, but the majority of the facility is not affected.|
|Minor||The facility experiences no significant impact on operation (disruption to operation is less than four hours) and there is no loss of major assets.|
|Vulnerability is defined to be a combination of the attractiveness of the target and the level of deterrence and/or defense provided by established countermeasures. Target attractiveness is a measure of the asset or facility in the eyes of an aggressor and is influenced by the function and/or symbolic|
|Very High||This is a high profile facility that provides a very attractive target for potential adversaries. The level of deterrence and/or defense provided by the existing countermeasures is inadequate.|
|High||This is a high profile regional facility that provides an attractive target. The level of deterrence and/or defense provided by the existing countermeasures is inadequate.|
|Moderate||This is a moderate profile facility (not well known outside the local area) that provides a potential target. The levels of deterrence and/or defense provided by the existing countermeasures are marginally adequate.|
|Low||This is not a high profile facility and provides a possible target. The level of deterrence and/or defense provided by the existing countermeasures is adequate.|
|Document Destructors and Shredders||x|
|Entry Control Systems||x||x||x||x||x||x|
|ID Media Systems||x||x||x|
|Procedures (e.g., Audit Trail)||x||x||x||x|
|Secured Areas/ Security Rooms||x||x||x|
|Task Separation Compart- mentation||x|
|Note: The functions of each safeguard may vary according to the quality of the safeguard and the nature of the threat. The chart represents generally the functions each safeguard provides. Not included here are other functions such as promoting awareness of security to meet responsibilities to prevent violations or crimes, and investigation and appropriate remedial actions for violations. These are not within the scope of the manual.|
|*Alarms can be arranged to determine the extent of a fire (by zoning) or the nature of unauthorized entry (by duress to an authorized entrant).|
|** Alarm systems can be designed to provide for a response force; by themselves of course, they merely annunciate an unauthorized access. Programmed into an integrated system can be instructions to automatically shut doors, operate cameras, start/stop sprinklers, or perform other actions which go beyond detection and assessment of a threat to intervening or, as in the case of some entry controls, rejecting personnel who attempt an unauthorized access.|